Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Privacy Software The Almighty Buck Technology

Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com) 201

Security researcher Brian Krebs highlights several clever methods scammers are using to obtain your personal information. In one example, someone used a fully-automated voice to try and scam "a cybersecurity professional with more than 30 years of experience" by greeting him with a four-note AT&T jingle, "followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment."

"It then prompted me to enter my security PIN to be connected to a billing department representative," Jon said. "My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it." Krebs reports of another, more sophisticated scam attempted on Matt Haughey, the creator of the community Weblog MetaFilter and a writer at Slack: Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him. Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren't made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? [...] The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother's maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it. Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He'd given this code out previously in the few times he'd used his card to pay for something over the phone. Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she'd make sure his existing PIN also served as the PIN for his new card. Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.
Long story short, two fradulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.
This discussion has been archived. No new comments can be posted.

Voice Phishing Scams Are Getting More Clever

Comments Filter:
  • Whoa. (Score:5, Insightful)

    by msauve ( 701917 ) on Sunday October 07, 2018 @06:39PM (#57442712)
    If they're calling you, they don't have any reason to ask you to provide any confidential info to verify you are who they called. If they ask, get a name and extension, and call them back via a published number.
    • Re:Whoa. (Score:5, Insightful)

      by PPH ( 736903 ) on Sunday October 07, 2018 @06:52PM (#57442762)

      If they ask, get a name and extension,

      Always this. They can spoof the legitimate bank customer service number. So don't assume the caller ID is correct. Always tell them that you will call them back at a convenient time.

      • Re:Whoa. (Score:5, Interesting)

        by ShanghaiBill ( 739463 ) on Sunday October 07, 2018 @07:33PM (#57442876)

        They can spoof the legitimate bank customer service number.

        But only because the telecom companies let them, and the government has done nothing to ban the practice.

        Spoofing should be illegal unless the company doing the spoofing owns both numbers.

        That this is mostly an American+Canadian problem. The practice is illegal in most other countries.

        • by mark-t ( 151149 )

          The telecom companies that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.

          The only fix for this would completely break backw

          • The telecom companies that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.

            The only fix for this would completely break backwards compatibility and would in general make it all but impossible to make long distance calls.

            I see, So whay didn't I get any of this crap back in say - the 1980s?

            And are you seriously suggesting that it is impossible to make certain that the number that pops up is the number that is calling?

            Such a complex system that a call announcing system was developed that is not capable of ever working. Someone should be fired over developing that never working device.

            • by dissy ( 172727 )

              I see, So whay didn't I get any of this crap back in say - the 1980s?

              You did, it was just rarely abused and not cheap or easy to gain access to.

              Any company owning a PBX system trunked to the phone exchange, was the owner of the device (the PBX) being asked by your exchange, what the caller ID should be.

              The staff that programmed the PBX defined the caller ID rules, and as is common practice, would have defined all "internal only" extensions to return a different phone number, likely the companies main number or reception desk.

              A PBX wasn't cheap, nor was the trunk fees to conn

          • The only fix for this would completely break backwards compatibility

            Nonsense. An obvious solution would be to ban all American companies from 3P spoofing, and ban them from connecting to foreign networks that allow it. Give them six months to implement it.

            During those six months, any country that wants to continue to connect to America's phone system (i.e. all expect North Korea) would scramble to fix their own phone systems. Most would need to do nothing, since 3P spoofing is ALREADY ILLEGAL. In India, 3P spoofing is already illegal for domestic calls, but allowed for

          • Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller

            But how does a call get too a phone number then? If I dial phone number 1234, how does my carrier know what final exchange that number is located at? And if they do, why are they accepting a phone number dialing out from a different exchange that doesn't match the info for me placing a call to 1234? I'm sure there is some technical reason for it, but It still seems screwy to me.

            • by mark-t ( 151149 )
              It doesn't know what final exchange the number is at, it only knows what exchange it will have to talk directly to in order to route to that number... there may be an unknown number of exchanges inbetween you and the target number. If the caller fakes their number, for example for a single line for a large company to forward the 1-800 number for the company instead of the in-house line that the caller may be calling from (and for which there would be no direct phone access to from the outside), the next e
            • by msauve ( 701917 )
              Ever since number portability, there's no longer a definite geographic relationship between areas, exchanges, etc.
          • The telcos know the originating company. If it's a company that agrees to not allow spoofed caller id your carrier could pass along the caller id, if not your carrier could set the caller ID to LIKELY FRAUD CALL. If not preventing spoofing, it would certainly discourage it and put the recipient on alert for a likely fraud.

            The problem is that the telco have almost no incentive to cut down on fraud calls. They get paid the same for a fraud call as a legit one, so why not carry them all?

        • by tlhIngan ( 30335 )

          But only because the telecom companies let them, and the government has done nothing to ban the practice.

          Spoofing should be illegal unless the company doing the spoofing owns both numbers.

          That this is mostly an American+Canadian problem. The practice is illegal in most other countries.

          Spoofing may not be illegal, but scamming still is. And "other countries' have plenty of scams still. In fact, there are the old "microsoft tech support scam", the "refund scam" which is especially popular in the UK and plenty

        • and the government has done nothing to ban the practice.

          This statement is wrong. The government has done something (Truth in Caller ID Act [wikipedia.org]) but it is not enough. The caller (either a real person or robot) clearly and fraudulently intend to obtain importation personal data from the person being called. The problem with the law is that it is not clear enough and no one really enforces it.

        • by dcw3 ( 649211 )

          Spoofing should be illegal unless the company doing the spoofing owns both numbers.

          Wikipedia says it already is...

          United States[edit]

          In the United States, telemarketers are required to transmit caller ID.[16] This requirement went into effect on January 29, 2004.[17] Courts have ruled that caller ID is admissible.[18] Providers are required by FCC rules to offer "per-call" blocking of caller ID to their customers. Legislation in the United States in 2007 made caller ID spoofing illegal for fraudulent purposes.

        • Scamming people is illegal.
          Caller ID spoofing of this type is illegal under the Truth in Calling Act.

          Unfortunately the criminals don't follow the law. That's a concept some people forget often.

    • "you'd fall for it, too"

      No, I wouldn't. I might not be very knowledgeable in how banks work, but I know one thing for sure: personal card info is personal. Nobody from the bank will ever ask you for your PIN number or the three digits on the back of your card. Nobody, ever. If they ever do, change the bank because they are not handling your personal data professionally.

      I don't know how things are in the USA, but in my country all banks allow you to change your PIN at the card issuer's ATMs, the card is mail

    • I've been waging bit of a personal war against local utilities for the last year over robocalls and phoning up asking for identifications. I want it banned. The average user , the people is IT professionals are meant to protect have no chance of identifying a well done scam if the legitimate phonecalls are indistinguishable from the fraudulent ones, and it's damn irresponsible for these companies to continue to use these tactics when they put everyone at risk. It costs peanuts to rent a handful of lines, an

    • Comment removed based on user account deletion
    • And call back from a different 'phone. At least in the UK a scammer can hold the line open so that your next call comes to them too.
    • by thsths ( 31372 )

      Yes, that is true.

      Unfortunately, my bank has a nasty habit of doing exactly this. And no, you cannot call them back, because it is usually a call from back office (and they only call, they do not usually take calls).

      I think that banks has long trained customers to fall for this scam.

  • by fahrbot-bot ( 874524 ) on Sunday October 07, 2018 @06:46PM (#57442740)

    So "alarm bells" went off in his head four times and he kept giving out his information? He should have said he would call his bank branch directly or the 800 number listed on the back of his card and hung up.

    The "bank" called him, at his phone number, so he doesn't need to confirm anything - the bank needs to confirm themselves. Both of my banks say they will never ask for personal information if they contact me, not only for my safety but because -- spoiler alert -- they already have my information. (I, however, need to provide my information if I call them to prove that I am me.) In addition, why would they ask him to confirm information that won't be changed?

    Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

    Caller ID can be spoofed. Never trust it.

    "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

    No. Just no.

    • by MachineShedFred ( 621896 ) on Sunday October 07, 2018 @06:56PM (#57442776) Journal

      More than that, when they asked for his PIN, twice, he should have hung up then and there. Banks never have, and never will ask for your PIN. It is always set either by yourself at a bank branch keying it into a terminal, or when you activate the card by dialing the number on the card sent to you at the time of activation.

      The other stuff is semi-legit if you include all practices that banks have used since the beginning of time, but many of them are not in use anymore. Example: mother's maiden name is easily gained information in the age of The Book of Faces.

      • If, as they claimed, they asked for his PIN so it could remain the same on the new card... why wouldn't they already have it on file?

        • by olsmeister ( 1488789 ) on Sunday October 07, 2018 @07:53PM (#57442918)
          There is just so much about the story that doesn't make sense in hindsight, but the advantage that the scammers have is that they've called you, given you some alarming news, and are offering to fix it for you. People probably are so upset hearing that their card is being improperly used that they aren't slowing down to think about what is being asked them.
          The news needs to be spread far and wide that you always just thank them for the information and inform them you'll be calling their fraud line.
          • My fraud line called ME, and said "did you make these charges"? No. They denied them, and issued me a new card. No other verify needed.

          • Comment removed based on user account deletion
          • Its been spread far and wide for years. The first time I received one of these calls was in the mid-90s claiming to be from the IRS. I was a little slow to realize it back then, but after they started asking me information I decided to call the IRS myself. Of course it wasn't actually the IRS.

            Even back then I had heard of these scams.

            Now it's not uncommon for me to get a call or text about suspicious activity on my credit card - about once a year. I NEVER call the number back. I call the main number a

        • by dryeo ( 100693 )

          I'd be surprised, but not too surprised, if banks had peoples pins on file. Whenever I've got a new card, the teller takes me to the ATM, explains things and then turns their back on me while I enter my (new) pin.

        • by Megane ( 129182 )
          A few months ago, my bank sent me a new ATM card. Except it was a debit card now. Apparently the Pulse card I got back in the mid '90s (yes, I was still using a card that was over 20 years old!) was just too old of a technology to support. Back then, the PIN was set by me pressing four digit keys on this enormous typewriter-like machine (my vague recollection of that day) that embossed and encoded the card. For the new card, the number to dial for activation handled setting the PIN. I suppose that call coul
    • Pretty much this. I have a simple policy: it doesn't matter whether I believe the call is legitimate or not, I do not give out information or try to resolve a problem when it's the other party calling me. I note who it is and what they claim the problem is, then I call the contact number from my own records for that person/company (from my address book, the credit card itself, the last bill, their Web site from my bookmarks, etc.) and ask to be connected to the correct department for the problem. Now I know

    • So "alarm bells" went off in his head four times and he kept giving out his information?

      Because no alarm bells went off. He's just trying to make it sound after the fact that he isn't completely naive, I suspect.

  • I can vouch for this (Score:5, Interesting)

    by Applehu Akbar ( 2968043 ) on Sunday October 07, 2018 @06:47PM (#57442748)

    The creepiest voice phish I ever got was the call from my little brother, exactly his voice and intonation pattern, telling us he was in jail in Mexico and needed money. The only way I knew it was a scam, besides the Mexican authorities suddenly accepting payment in Bitcoin, was knowing that he had been sick for years and unable to travel.

  • by registrations_suck ( 1075251 ) on Sunday October 07, 2018 @06:54PM (#57442766)

    Donâ(TM)t call me, I will call you.

    If you get a call from ANYBODY claiming whatever, hang up and call that supposed somebody at a known good number. Every time.

  • ... it's a guaranteed scam. NOTHING legitimate has my cell phone number.

    • by msauve ( 701917 )
      You must be an old fart like me, who still has a landline number. Most of the young 'uns have nothing but a cell phone number.
      • by arth1 ( 260657 )

        I had a cell phone number back in the 90s, but I have cut the wireless. Now I am corded only.
        This was a great liberation. I can no longer be reached at any time, anywhere. No texts, send me an e-mail, to be read at my convenience, not yours. I have a phone that still works through power outages (because power to the landline system is supplied through the phone wires), including DSL still working through power outages. This saved me when we had a ten day power outage here, and all cell phone towers wer

        • Your situation will be good until the old copper develops an intermittent issue somewhere off your property that they won't fix because 'copper is deprecated, so we will convert your line to fiber at no cost to you'.
      • This is one of the main reasons I still have a landline. All companies that I do business with have the landline number, and I never give out my cell for any reason. They call my landline during the day (while I'm not there), I listen to whatever voicemails they leave, and I don't worry about getting constantly bugged on my cell all day.
  • marks and are forced to move away from the Nigerian prince method (so ridiculous only someone who's not all there in the head would fall for it) and into trying to scam people who have some of their senses left.
  • As people age they stop remembering details of scams but seem to remember they are smarter than the scammers so they can't be scammed. The result is they get taken. People who worked in security along with retired police and criminal lawyers are easier to scam after they retire than the average person.

  • Rule Number F-cking One: Never give out information to anyone who contacts you first.

    It's just that simple. You find the number or confirm the number they left is legit, and you initiate the contact.

    CSB: Once I was being legitimately audited by the IRS, and the IRS employee/contractor calls me and asks for my SSN. I was 99% sure it was the IRS, and the person threatened me with escalation, and I know you don't eff with the IRS. But I did not give out my SSN because it violated Rule Number F--king One. Ulti

    • by anegg ( 1390659 )
      My wife and I have had some interesting stand-offs like this. Legitimate caller stupidly asks for us to verify who WE are by providing our personal information to them. We refuse to provide the information, because they haven't verified who THEY are. Hilarity ensues.
    • by dryeo ( 100693 )

      There's been a lot of scams up here where the scammers pretend to be from the CRA (Canada Revenue), demanding payment now to avoid arrest. Some people don't even catch on when they demand payment in itunes cards.

  • Easy Fix (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Sunday October 07, 2018 @08:06PM (#57442948)

    Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.

    They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.

  • by petes_PoV ( 912422 ) on Monday October 08, 2018 @12:12AM (#57443376)

    sounds incredibly professional, you'd fall for it, too," Haughey said.

    Errr, no.

    The first principle of phone banking is to never give out personal information to anyone who calls you. Never.
    If you feel there is an issue that does need information to be passed, hang up and phone them on the public number. Just make sure you have actually hung up, there is a long-standing scam where the thieves actually recommend you call the bank, yourself. They then make the sound of hanging up but stay on the line. When you dial the bank's number, you are still actually talking to the scammers.

  • by roc97007 ( 608802 ) on Monday October 08, 2018 @12:12AM (#57443378) Journal

    Don't EVER give out private information to a cold call. Never, for any reason. If there's a problem, and it's urgent, tell them you'll call them back on a known number. (Not a number they provide./duh) Legitimate callers will agree to this. Non-legitimate callers will try to steer you to a different number or insist that you must take care of this now, on this call. Don't fall for it.

    Let me repeat this for the cognitively impared: If they call YOU, do NOT give out private information. If you call THEM on a legitimate number, it's a different story.

    Let's be safe out there.

  • "It's immoral to let a sucker keep his money."
  • hmm I suspect this security professional actually fell for one of these scams.

    when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too

    No I really wouldn't and I don't think anyone I know or where I work would either, I have been targeted with these before and know many others that have received similar types of calls and not even for a nanosecond would I fall for it. Hell when I have had legitimate calls from my bank I ask for a name/extension and tell them I will call the banks switchboard and ask for them. It isn't rocket science, if they called you DON'T TRUS

  • It's easy so say "I wouldn't fall for this", but some scammers are good. The ones that call you are excellent actors, and can be damned convincing. Just look at the number of elderly people who fall for the "grandkid in trouble" scams. Yes, this guy shouldn't have given out his PIN - that was one step too far.

    However, the root problem in this particular case remains spoofing. There is absolutely no excuse for spoofing numbers to still be possible, after all these decades of abuse. The phone company (or VoIP

  • but when someone from a trustworthy number calls

    Caller ID is not "trustworthy", and any number you get via that is by extension not trustworthy. Anyone who hasn't learned that just from the all the "same exchange" spoofing (all but last four numbers same as yours) these days is a fool.

  • Sorry, but if you want something from me, do it in writing. It's that simple.

    If I want something from you, you demand I call your main number and agree/sign things. You have to do the same. Except I have to verify myself to you when I call, so when you call me I expect you to verify yourself to me.

    Any automated or inbound call that doesn't give me information I demand ("Okay, can you tell me my last transaction and my account number please?") doesn't get anything from me. Yes, I've actually asked my ban

  • by epine ( 68316 )

    In a correctly designed phone system, it shouldn't be possible to generate DTMF tones on a call you didn't originate yourself without first spelling "DMMF" by a sequence of Morse-code hook flashes.

    DMMF = dox me, motherfuckers.

    Your address book should have little padlocks beside "verified" numbers, where the name of the organization and the number are known by the smart phone mafia to correspond.

    It really ought to be required to originate the call from a verified address book entry in order to access inline

    • by epine ( 68316 )

      Hmmm, I was feeling bold today, and didn't click preview, having forgotten that I had used any markup at all.

      Very exciting.

  • Ok, so the request for his PIN number didn't set off the alarms.

    Really, this is an example of where you make the caller provide some information, then if ti seems wrong hang up and call in to the number you know.

    I'm getting 5-15 calls a month from the 'credit card reconciliation center' or some such BS. I haven't listened past them asking me for my name, which if they are my bank or card company they should already know.

  • Long story short, two fradulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

    Uh, no, really, I wouldn't. If they call me, I give them nothing. I have to call them, on their regular public phone numbers.

  • I have gotten legitimate fraud alerts in the past for overseas purchases. They were robocalls requesting me to call back to an automated system that described the date and amount of transaction to the T, then asked to authorize or reject them. No request for address, no request for security code or PIN.

    Nothing clever about this voice phishing. The victim forgot the telltale signs of a scam and ignored the bells going off in his head. Scammers are good at psychological skills and they rush the convers
  • This is a great story of stupidity. You've "given out that information before" so you can give it out again?! "Before", you gave it to someone you trusted/called/engaged. This time, they engaged you.

    Isn't that already enough to tell you to walk away?

    How about the ol' if-it-aint-broke-don't-fix-it? Your card didn't stop working for you. Stop trying to solve a problem that you haven't experienced. Either go to the gas station and try your card for yourself, or use your other card (that's why you should

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...