October 1, 2018

Most of us have been trained to be wary of clicking on links and attachments that arrive unexpectedly in emails, but it’s easy to forget that scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She then read him the last four digits of the card that was currently in his wallet. It checked out.

Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say he could keep it open for his upcoming trip? It was the first time the voice inside his head spoke up and said, “Something isn’t right, Matt.” But, he figured, the customer service person at the credit union was trying to be helpful: She was doing him a favor, he reasoned.

The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother’s maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it.

Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He’d given this code out previously in the few times he’d used his card to pay for something over the phone.

Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she’d make sure his existing PIN also served as the PIN for his new card.

Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.

“I balked at challenging her because everything lined up,” he said in an interview with KrebsOnSecurity. “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.’”

Now more concerned, Haughey visited his credit union to make sure his travel arrangements were set. When he began telling the bank employee what had transpired, he could tell by the look on her face that his friend was right.

A review of his account showed that there were indeed two fraudulent charges on his account from earlier that day totaling $3,400, but neither charge was from Ohio. Rather, someone used a counterfeit copy of his debit card to spend more than $2,900 at a Kroger near Atlanta, and to withdraw almost $500 from an ATM in the same area. After the unauthorized charges, he had just $300 remaining in his account.

“People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

A CLOSE CALL

Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.

“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” Sasser recalled in a tweet about the experience.

What Sasser didn’t mention in his tweet was that his corporate debit card had just been hit with two instances of fraud: Someone had charged $10,000 worth of metal air ducts to his card. When he disputed the charge, his bank sent a replacement card.

“I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs,” Sasser recalled in an interview with KrebsOnSecurity. “The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card.”

And so the card-replacement dance began.

“Is the card in your possession?” the caller asked. It was. The agent then asked him to read the three-digit CVV code printed on the back of his card.

After verifying the CVV, the agent offered to expedite a replacement, Sasser said. “First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.”

That made Sasser pause. Wouldn’t an actual representative from Wells Fargo’s fraud division already have access to his current PIN?

“It’s just to confirm the change,” the caller told him. “I can’t see what you enter.”

“But…you’re the bank,” he countered. “You have my PIN, and you can see what I enter…”

The caller had a snappy reply for this retort as well.

“Only the IVR [interactive voice response] system can see it,” the caller assured him. “Hey, if it helps, I have all of your account info up…to confirm, the last four digits of your Social Security number are XXXX, right?”

Sure enough, that was correct. But something still seemed off. At this point, Sasser said he told the agent he would call back by dialing the number printed on his ATM card — the same number his mobile phone was already displaying as the source of the call. After doing just that, the representative who answered said there had been no such fraud detected on his account.

“I was just four key presses away from having all my cash drained by someone at an ATM,” Sasser recalled. A visit to the local Wells Fargo branch before his trip confirmed that he’d dodged a bullet.

“The Wells person was super surprised that I bailed out when I did, and said most people are 100 percent taken by this scam,” Sasser said.

HUMAN, ROBOT OR HYBRID?

In Sasser’s case, the scammer was a live person, but some equally convincing voice phishing schemes — sometimes called “vishing” — use a combination of humans and automation. Consider the following vishing attempt, reported to KrebsOnSecurity in August by “Curt,” a longtime reader from Canada.

“I’m both a TD customer and Rogers phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt,” Curt wrote. “At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”

The caller said her name was Jen Hansen, and began the call with what Curt described as “over-the-top courtesy.”

“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recalled. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”

Ms. Hansen proceeded to tell Curt that TD Bank was offering a credit monitoring service free for one month, and that he could cancel at any time. To enroll, he only needed to confirm his home mailing address.

“I’m mega paranoid (I read krebsonsecurity.com daily) and asked her to tell me what address I had on their file, knowing full well my home address can be found in a variety of ways,” Curt wrote in an email to this author. “She said, ‘One moment while I access that information.’”

After a short pause, a new voice came on the line.

“And here’s where I realized I was finally talking to a real human — a female with a slight French accent — who read me my correct address,” Curt recalled.

After another pause, Ms. Hansen’s voice came back on the line. While she was explaining that part of the package included free antivirus and anti-keylogging software, Curt asked her if he could opt-in to receive his credit reports while opting-out of installing the software.

“I’m sorry, can you repeat that?” the voice identifying itself as Ms. Hansen replied. Curt repeated himself. After another, “I’m sorry, can you repeat that,” Curt asked Ms. Hansen where she was from.

The voice confirmed what the number displayed on his caller ID indicated: that she was calling from Barrie, Ontario. Trying to throw the robot voice further off-script, Curt asked what the weather was like in Barrie, Ontario. Another long pause. The voice continued describing the offered service.

“I asked again about the weather, and she said, ‘I’m sorry, I don’t have that information. Would you like me to transfer you to someone that does?’ I said yes and again the real person with a French accent started speaking, ignoring my question about the weather and saying that if I’d like to continue with the offer I needed to provide my date of birth. This is when I hung up and immediately called TD Bank.” No one from TD had called him, they assured him.

FULLY AUTOMATED PHONE PHISHING

And then there are the fully-automated voice phishing scams, which can be equally convincing. Last week I heard from “Jon,” a cybersecurity professional with more than 30 years of experience under his belt (Jon asked to leave his last name out of this story).

Answering a call on his mobile device from a phone number in Missouri, Jon was greeted with the familiar four-note AT&T jingle, followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment.

“It then prompted me to enter my security PIN to be connected to a billing department representative,” Jon said. “My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it.”

WHAT CAN YOU DO?

Just as you would never give out personal information if asked to do so via email, never give out any information about yourself in response to an unsolicited phone call.

Like email scams, phone phishing usually invokes an element of urgency in a bid to get people to let their guard down. If a call has you worried that there might be something wrong and you wish to call them back, don’t call the number offered to you by the caller. If you want to reach your bank, call the number on the back of your card. If it’s another company you do business with, go to the company’s site and look up their main customer support number.

Unfortunately, this may take a little work. It’s not just banks and phone companies that are being impersonated by fraudsters. Reports on social media suggest many consumers also are receiving voice phishing scams that spoof customer support numbers at Apple, Amazon and other big-name tech companies. In many cases, the scammers are polluting top search engine results with phony 800-numbers for customer support lines that lead directly to fraudsters.

These days, scam calls happen on my mobile so often that I almost never answer my phone unless it appears to come from someone in my contacts list. The Federal Trade Commission’s do-not-call list does not appear to have done anything to block scam callers, and the major wireless carriers seem to be pretty useless in blocking incessant robocalls, even when the scammers are impersonating the carriers themselves, as in Jon’s case above.

I suspect people my age (mid-40s) and younger also generally let most unrecognized calls go to voicemail. It seems to be a very different reality for folks from an older generation, many of whom still primarily call friends and family using land lines, and who will always answer a ringing phone whenever it is humanly possible to do so.

It’s a good idea to advise your loved ones to ignore calls unless they appear to come from a friend or family member, and to just hang up the moment the caller starts asking for personal information.


218 thoughts on “Voice Phishing Scams Are Getting More Clever”

  1. Ranger Rick

    I have heard of another automated phone scam–you only have to say the word “yes” during the call in order for the robot to do, well, whatever it is instructed to do. Perhaps sign you up for expensive phone services, order merchandise with a different ship-to address on your account, etc.

    1. Leo

      That’s why people should NEVER use that word over the phone.

      If they even ask “am I speaking with (your name)?”, the answer is “you are.”

    2. Jim

      I’ve heard that also.. That’s why I NEVER say YES to a call I’m not familiar with (even @work).. I say Hello, they say is this Jim I say what can I do for you.. I never answer yes..
      My motto: always expect EVIL…

    3. Dan Nungesser

      Ranger Rick, It can be just as bad if you answer a question with “No.” Consider, a scam agent presents a credit card company with a recording that asks if you mind if they bill your account $39.95 per day. Your dubbed in voice says “No.”

  2. martin chilcutt

    I have had several calls from some one claiming to be Microsoft, and wanting some info, asking for me to let them take control of my account, to make corrections.
    Sounded like a real call, so I hung up.
    I had a couple of the same callers, but always hung up. The person stopped calling me after two weeks.

    THANKS FOR YOUR HELP.

    1. Joe

      I’ve had a few of these, usually with a thick accent. I am running Linux, so I sometimes have some fun with these people, like “I don’t find the Start button.”
      They end up calling me names. That’s when I hang up…

  3. David Brick

    Thanks, Brian.

    For me, the combination of Hiya (a free iPhone app) and “don’t answer if the caller isn’t in your Contacts” works very well. I’m >70, and had to learn not to pick up. It was worth it.

    1. Bruce Hobbs

      Just because a number is in your contacts doesn’t mean it’s not being spoofed. You might have your bank’s number in your contacts but the scammer could call you from that number, making it think you are getting called from your bank.

  4. Bla Bla Bla

    Have you had any luck with phishing type apps installed on your mobile phone to block spoofed numbers?

    Thx and great write up as usual!

  5. Mark

    In the first example, the caller had so much verifying information it seems like the Credit Union had a data breach.

    1. sarah

      Agreed. That is a frightening amount of detailed information.

    2. PattiM

      By allegory, I am reminded of the Roman Empire as it collapsed (it took about 100 years) and the roads became less and less safe for everyone. It sounds more and more like our high-tech money system is collapsing – succumbing to “highway robbers” as it were, and the establishment can no longer really afford the extreme efforts needed to protect citizens.

  6. Tom

    These scammers are the scum of the Earth. Great article! I love answering my phone and pressing “1” to talk to “Rachel” from ‘Card Services’. I have fun with these people, and let them know that they are working for criminal scamming organizations. Often times, the front-level telephone marketers don’t even know it. They think their scam is a real business.

  7. Joe

    I got the AT&T billing scam call as well some time back. And just like Jon, I changed from AT&T (PacBell) to T-Mobile years ago, so I knew it had to be a scam.

  8. Bill Castle

    These all are WAY too convincing. Especially with the verification information.

    As you say, I never give out PINs or anything else to unsolicited calls. Still, I can’t say I would have passed some of these tests.

  9. Doug

    I’ve gotten legitimate fraud alert calls from my bank. I hung up on them, and called them back. It’s not really that hard to do, why can’t a “technology expert” do the same simple thing? (Note: the phone number WAS in my contacts, that’s the only reason I actually answered. I’d say I’m paranoid, but this story proves I’m not.)

  10. Lentoasima

    I just passed my 71st birthday. I am a semi retired crypto geek – not Bitcoin, actual cryptography for protecting electronic data. I do not have a landline, only a Project Fi mobile. I get very few of these, suspect Google is doing something right. My wife is an ATT subscriber (gotta have an iPhone) and gets number spoofing calls (first 3 digits look like local calls) every day.

    We never answer calls that do not match entries in our contact list. We never talk to Elizabeth (though she has not called in a while, kinda miss her). I read Krebs on Security, have done so practically forever. We Geezers do not all rush to our landlines to answer vishing calls. Some of us are slick enough to recognize incoming for what it is. We watch Youtube vids where hackers take on customer support scammers and pwn their systems.

    No Facebook, no Twitter, and as soon as I can persuade my sweetheart to ditch the iPhone for a Pixel no more ATT. All Project Fi, all the time. I may get one of these per month, and my number has been with me since 2003, ATT to Vonage to Fi. If the antediluvian Telcos cannot help with this crap we have to do so ourselves. Ditch them, never take inbound that asks for personal data, always hang up and call the number on your card. I think I learned that from Brian Krebs a long long time ago.

    1. Clay_T

      “… I do not have a landline, only a Project Fi mobile. I get very few of these, suspect Google is doing something right.”

      Counterpoint:
      I’ve had the same cell phone number for more than 20 years.

      I (finally) made the switch to a ‘smart’ phone three years ago (old phart here, stuck in my ways).

      I used an old burner google account to set it up.
      Went into the account and deleted, disabled, or dismembered every setting I could find in order to minimize the intrusion.

      I was shocked to see how many people google thought were my ‘friends’. Many of the names/numbers I recognized. Several I did not.

      In 20 years, I’d never had a spoofed or spammed call prior to sharing my number with google.

      I was getting them within weeks of activating my new ‘smart’ phone.

      Coincidence, or commerce..?

  11. Kevin

    Excellent article.

    Over 60. Rarely take or make a call. Long wary of phone scams.
    Never answer calls unless it is expected. Block the numbers shortly after calls come in. Especially 800 numbers. So far that is helpful.

  12. Matt

    Just an editing note, it would most likely be “Barrie”, Ontario if it’s in Canada.

  13. george in AZ

    Watching the football game and the phone rings. I look at the caller I.D. and it’s ME!! My name and phone number. O.K. I’m old and talk to my self sometimes, but this was my first real chance to really do it. She claimed she was from Microsoft and was 2 hrs from having my internet taken away. I’m still here. Got to be careful. And for 2 years now I’m going to be arrested by the I.R.S.

    1. Mike

      I get those IRS arrest threats too, but usually in snail mail. One recent one had a return address of “US Department of Treasury, 2000 Pennsylvania Ave NW, Washington DC, 20500.”
      I Googled the address, which is actually a shopping center.

  14. megan

    Mr. Krebs: just a note – it’s Barrie, Ontario, not Barry.

  15. Jim

    Not the phone companies being hacked, but the credit bureaus. I believe it was Experian, reported this past summer. And another one, which, I forgot. Remember, they have the same information as the credit companies. Oh, and remember, businesses get more information on you than your free credit report shows. My last report didn’t show the last four of either the credit card, or the social.

  16. Tom Daggett

    If fraudsters can spoof any phone number or ID on your Caller ID doesn’t that make ‘Whitelists’ useless? In fact, doesn’t it make Caller ID itself useless?

  17. Ken

    Just a minor point – it’s “Barrie”, not “Barry”.

    1. BrianKrebs Post author

      Ok thanks. Guess I figured a Canadian would know, but goes to show you always have to check spelling of proper nouns.

  18. Turd Fergusen

    I have both a land line and cell. The land line gets barraged with the “Hi, I’m calling from Microsoft and we see you have a virus” calls along with a wide range of other such dreck like the IRS collection scams.

    I tried out NomoRobo about two months ago and the incidents of robo and scam callers has pretty much ended up at or near zero. I’m diligent about reporting calls that do get through, too.

    I haven’t tried it on my cell yet, but probably will in the near future.

    No personal interest here, just sharing for the benefit of the masses. I realize there are other similar services out there that probably do just as good a job. I’m just surprised at what a significant difference it’s made.

    TF

    1. Bill

      In a similar manner, I use Jolly Roger Pirate. Time is literally money for scammers. Jolly Roger sends them to an automated “time waster”. Their website has some great recordings of what they sound like.

      You can white list any number you want. Cool stuff!

  19. Martha Moore

    We get about 6 robo calls a day on our landline phone. If we don’t answer, many leave a voicemail, which is blank. Often, it’s hard to tell whether a call is from someone we know because the Caller ID displayed uses a local exchange and displays the name of a nearby area. What the robo landline calls seem to have in common is that the Caller ID number displayed cannot be called back. I’ve asked [our landline and mobile provider] to block such calls. I’ve been told that our teleco does not want to take the responsibility if a legitimate call was missed. I’d be willing to sign an agreement to miss calls from numbers I can’t call back.

    The blocked call database that came with our cordless phone system has been full for months.

  20. Petepall

    It’s sad that our telephone network has come to this. As a telephone retiree it’s particularly annoying. Those companies could easily put a lid on these miscreants, but choose to retreat to a mantra that their mission is to complete calls, not screen them. Just let the calls go to voice mail and/or call the number back that you look up yourself.

    1. Readership1

      Telcos are common carriers and have no authority to block calls from Jesus, the Easter Bunny, your girlfriend, or a scammer.

      Their job is to connect and transmit calls. In exchange, they’re given the privilege of setting up local monopolies and using public right-of-way for wiring and poles.

  21. Tony

    One would think that the telephone carriers would realize that people are going to stop/reduce using their service as the service is becoming useless. I do not know why the telephone carriers have no incentive to satisfy their customers by enabling the customer to block calls or have the carriers themselves block calls. The carriers are the ONLY ones that know the true calling number. Caller Id is not the true calling number. Blocking systems built on top of caller id will not work. Blocking systems built on the true calling number can work. However only the carriers know the true calling number. Since the carriers don’t seem to care about retaining customers or, more likely, they are an oligopoly so customers have no choice, the solution is simple. Change the law to require carriers to offer free blocking services. Change the law to enable carriers to use Artificial Intelligence to proactively block calls.

    1. John dabeleno

      I can tell that you have no clue about how calls are routed through modern phone systems, and people “quitting” the phone company is laughable…I guess you don’t realize that cell calls go over Telco lines. (That’s those black cables running down cell towers into that little building at the base.) Anyways, the calls that come through, due to the nature of the format of the traffic sent, aren’t in a format to where it can be blocked…only hard wire landlines (think of them as having static addresses). Also, the calls come in as those “legit” numbers into the Telco as well, it wouldn’t be feasible for us to block 1-800-chase if that’s the actual number that chase uses. But you can block those on your “home” circuit, because it’s 554-555-5555.

  22. The Sunshine State

    Phone scammers are the lowest scum of this earth !

  23. Robert

    I was staying at a hotel when I got a call from a guy claiming to be from the front desk. Apparently, their system had gone down and they needed my credit card info again. For about 60 seconds, I was taken in, but then my natural paranoia kicked in and I told the guy I would call him back and hung up. I called the front desk and, of course, they had not called me at all.

  24. Jake

    When my Credit Union’s card services detects unusual activity on my card I get a robocall asking me to confirm if I’ve spent such-and-such amount yesterday and such-and-such today. The computer identifies itself as being with “Cardholder Services” or some equally generic name, and the labels with each expense are ridiculously generic categories like “Have you spent $45.19 on Goods and Services? ” This legitimate service sounds WAY more fake than these examples.

  25. James Schumaker

    These days, it’s best to have a robocall blocker as a first line of defense. NomoRobo is good, as is Sentry or other physical systems you can buy on Amazon. Since installing my system, I haven’t been bothered by scammers. Still, the advice in this article is good — don’t give out any personal information to unsolicited callers.

  26. CaptainJon

    Great post! I am of the early boomer generation and unlike most of my generation, follow these scam threats carefully. I also keep my landline but 9 out of 10 calls are spam/scam. But I’ve never used an ATM 🙂

    I’d like to note that the iphone has a privacy setting to over-ride “do not disturb”. Presumably scammers are aware of this, hence 2 or 3 calls from same number in rapid succession. After this setting allowed my phone to awaken me at o’dark-30 I now have that ‘feature’ turned off.

    Never occurred to me that a spoofed phone number could spoof a legitimate number. Now I have to be more careful about which numbers I am blocking.

  27. Steve

    Don’t give out a cell phone number to any businesses.
    Don’t use any smart-device for important transactions where money is exchanged or can be accessed.
    Cell phones just aren’t secure enough these days, unless you never load any 3rd party apps, IMHO.

  28. Jim

    The point here is NEVER EVER give out or confirm ANY information with the caller.. Always expect the worst and call the bank as best stated USE THE NUMBER on the card or from your BILL. NEVER call the number the caller provides..

    ALSO confirm your security settings with your bank for forms of contact that being email, text or call back numbers.. I have mine set up for text alerts and I will call my bank upon receiving an alert. Also you might be able to set it up to automatically block suspicious activity until confirmed.

  29. Jeff Wyatt

    If you have any doubt on a call like this give them fake data.
