01 Oct 18

Voice Phishing Scams Are Getting More Clever

Most of us have been trained to be wary of clicking on links and attachments that arrive unexpectedly in email, but it’s easy to forget that scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She then read him the last four digits of the card that was in his wallet at that moment. They checked out.

Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say it was freezing his card but then say he could keep using it for his upcoming trip? It was the first time the voice inside his head spoke up and said, “Something isn’t right, Matt.” But he figured the customer service person at the credit union was just trying to be helpful: She was doing him a favor, he reasoned.

The caller then read his entire home address to double-check that it was the correct destination for a new card at the conclusion of his trip. Then the caller said she needed to verify his mother’s maiden name. The voice in his head spoke out in protest again, but banks had asked him for this in the past. He provided it.

Next she asked him to verify the three-digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He’d given this code out previously the few times he’d used his card to pay for something over the phone.

Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she’d make sure his existing PIN also served as the PIN for his new card.

Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.

“I balked at challenging her because everything lined up,” he said in an interview with KrebsOnSecurity. “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.'”

Now more concerned, Haughey visited his credit union to make sure his travel arrangements were set. When he began telling the bank employee what had transpired, he could tell by the look on her face that his friend was right.

A review of his account showed that there were indeed two fraudulent charges on his account from earlier that day totaling $3,400, but neither charge was from Ohio. Rather, someone used a counterfeit copy of his debit card to spend more than $2,900 at a Kroger near Atlanta, and to withdraw almost $500 from an ATM in the same area. After the unauthorized charges, he had just $300 remaining in his account.

“People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

A CLOSE CALL

Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.

“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” Sasser recalled in a tweet about the experience.

What Sasser didn’t mention in his tweet was that his corporate debit card had just been hit with two instances of fraud: Someone had charged $10,000 worth of metal air ducts to his card. When he disputed the charge, his bank sent a replacement card.

“I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs,” Sasser recalled in an interview with KrebsOnSecurity. “The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card.”

And so the card-replacement dance began.

“Is the card in your possession?” the caller asked. It was. The agent then asked him to read the three-digit CVV code printed on the back of his card.

After verifying the CVV, the agent offered to expedite a replacement, Sasser said. “First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.”

That made Sasser pause. Wouldn’t an actual representative from Wells Fargo’s fraud division already have access to his current PIN?

“It’s just to confirm the change,” the caller told him. “I can’t see what you enter.”

“But…you’re the bank,” he countered. “You have my PIN, and you can see what I enter…”

The caller had a snappy reply for this retort as well.

“Only the IVR [interactive voice response] system can see it,” the caller assured him. “Hey, if it helps, I have all of your account info up…to confirm, the last four digits of your Social Security number are XXXX, right?”

Sure enough, that was correct. But something still seemed off. At this point, Sasser said he told the agent he would call back by dialing the number printed on his ATM card — the same number his mobile phone was already displaying as the source of the call. After doing just that, the representative who answered said there had been no such fraud detected on his account.

“I was just four key presses away from having all my cash drained by someone at an ATM,” Sasser recalled. A visit to the local Wells Fargo branch before his trip confirmed that he’d dodged a bullet.

“The Wells person was super surprised that I bailed out when I did, and said most people are 100 percent taken by this scam,” Sasser said.

HUMAN, ROBOT OR HYBRID?

In Sasser’s case, the scammer was a live person, but some equally convincing voice phishing schemes — sometimes called “vishing” — use a combination of humans and automation. Consider the following vishing attempt, reported to KrebsOnSecurity in August by “Curt,” a longtime reader from Canada.

“I’m both a TD customer and Rogers phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt,” Curt wrote. “At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”

The caller said her name was Jen Hansen, and began the call with what Curt described as “over-the-top courtesy.”

“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recalled. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”

Ms. Hansen proceeded to tell Curt that TD Bank was offering a credit monitoring service free for one month, and that he could cancel at any time. To enroll, he only needed to confirm his home mailing address.

“I’m mega paranoid (I read krebsonsecurity.com daily) and asked her to tell me what address I had on their file, knowing full well my home address can be found in a variety of ways,” Curt wrote in an email to this author. “She said, ‘One moment while I access that information.'”

After a short pause, a new voice came on the line.

“And here’s where I realized I was finally talking to a real human — a female with a slight French accent — who read me my correct address,” Curt recalled.

After another pause, Ms. Hansen’s voice came back on the line. While she was explaining that part of the package included free antivirus and anti-keylogging software, Curt asked her if he could opt-in to receive his credit reports while opting-out of installing the software.

“I’m sorry, can you repeat that?” the voice identifying itself as Ms. Hansen replied. Curt repeated himself. After another, “I’m sorry, can you repeat that,” Curt asked Ms. Hansen where she was from.

The voice confirmed what was indicated by the number displayed on his caller ID: That she was calling from Barrie, Ontario. Trying to throw the robot voice further off-script, Curt asked what the weather was like in Barrie, Ontario. Another long pause. The voice continued describing the offered service.

“I asked again about the weather, and she said, ‘I’m sorry, I don’t have that information. Would you like me to transfer you to someone that does?’ I said yes and again the real person with a French accent started speaking, ignoring my question about the weather and saying that if I’d like to continue with the offer I needed to provide my date of birth. This is when I hung up and immediately called TD Bank.” No one from TD had called him, they assured him.

FULLY AUTOMATED PHONE PHISHING

And then there are the fully automated voice phishing scams, which can be equally convincing. Last week I heard from “Jon,” a cybersecurity professional with more than 30 years of experience under his belt (Jon asked to leave his last name out of this story).

Answering a call on his mobile device from a phone number in Missouri, Jon was greeted with the familiar four-note AT&T jingle, followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment.

“It then prompted me to enter my security PIN to be connected to a billing department representative,” Jon said. “My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it.”

WHAT CAN YOU DO?

Just as you would never give out personal information in response to an unexpected email, never give out any information about yourself in response to an unsolicited phone call. That goes doubly for your PIN and the security code printed on your card: no bank employee needs either of those to confirm a fraud alert. A legitimate fraud department only needs you to say whether the transactions it describes were yours.

Like email scams, phone phishing usually invokes an element of urgency in a bid to get people to let their guard down. If a call has you worried that something might be wrong and you want to call back, don’t use the number the caller offers, and don’t trust the number on your caller ID either: as Haughey’s and Sasser’s calls show, it can be made to match the bank’s real number. If you want to reach your bank, call the number on the back of your card. If it’s another company you do business with, go to the company’s site and look up its main customer support number.

Unfortunately, this may take a little work. It’s not just banks and phone companies that are being impersonated by fraudsters. Reports on social media suggest many consumers also are receiving voice phishing scams that spoof customer support numbers at Apple, Amazon and other big-name tech companies. In many cases, the scammers are polluting top search engine results with phony 800-numbers for customer support lines that lead directly to fraudsters.

These days, scam calls happen on my mobile so often that I almost never answer my phone unless it appears to come from someone in my contacts list. The Federal Trade Commission’s do-not-call list does not appear to have done anything to block scam callers, and the major wireless carriers seem to be pretty useless in blocking incessant robocalls, even when the scammers are impersonating the carriers themselves, as in Jon’s case above.

I suspect people my age (mid-40s) and younger also generally let most unrecognized calls go to voicemail. It seems to be a very different reality for folks from an older generation, many of whom still primarily call friends and family using land lines, and who will always answer a ringing phone whenever it is humanly possible to do so.

It’s a good idea to advise your loved ones to ignore calls unless they appear to come from a friend or family member, and to just hang up the moment the caller starts asking for personal information.


218 comments

  1. I don’t give out my phone number to financial institutions and similar. There is no legit reason that I can see why they would need it. No scams pretending to be from my financial institutions are possible.

    • Legit reason for bank to have your phone number: my bank once called me to verify that my rent check should be paid – I had forgotten to sign it.

      • I pay my rent with cash so I can’t have that issue.

        If you make a mistake, you suffer a late fee or similar; that is one’s punishment for making a mistake. The punishment will help remind one not to do that in the future.

        I have not given any of my financial institutions a contact number for like 20 years, I have had zero problems.

        I don’t have to worry about how to verify the person calling and more importantly I don’t have them disturbing me and most importantly they can’t give that information to third parties (whether by an accident or by a breach). There is no way to track how many parties they may give your contact information to, which means that one can’t even begin to know the extent of follow on scams that one could get.

        Way back, when I was stupid enough to give a financial institution my email, they sent some highly sensitive information in the email; which, of course, was not encrypted. That was the end of that. I also have them mark all my accounts as to not allow internet banking and so forth; just too much risk considering how incompetent most tech people are at security.

        Only giving them a postal address to contact one is so much simpler, safer and far less stressful.

    • There are times when your FI legitimately needs to verify purchases on your card (say you are travelling, for example). If they can’t get a hold of you, your card is probably going to get blocked. I work at a small credit union and calling members to verify suspicious activity takes up about half of my day.

      • Right way: You call customer and ask the customer to call the phone number on back of card.

        If you’re calling, asking for a customer to verify information, you’re training your customers to do the wrong thing. Shame on you.

          • We’re not asking for card information, like PIN/Expiration Date/CVV. We’re asking to verify purchases. The numbers that we call from are listed on our website for the member to verify, and if a member ever does not wish to validate card activity over the phone, I tell them they are free to hang up and drop by a branch. Most members are grateful that we are providing this service. Here’s another scenario: if a nonmember comes in to cash a check drawn off of your account, but the signature doesn’t match previous checks, wouldn’t you want your bank to call you to let you know? You’d want to close the compromised account ASAP.

          • I’d want to know, but I’d expect the bank to state the issue, not ask a question in an unsolicited call.

            Verification is a question and it’s poor practice to have customers answering questions in unsolicited phone calls, texts or emails.

            Again, the call should be a statement: “We have a question about X, Y, Z. Please call the number on the back of your card, on our website, etc.” Period.

            Customers should be trained: we will NEVER call you to ask a question.

            • LOL here’s how I see that playing out:

              Me: “Hello, I’m calling from Your Credit Union. We are calling to verify X Y and Z. We have placed a temporary block on your card as a precaution to prevent any potential loss.”

              Cardholder: “Oh no, I’m freaking out because I don’t know what’s going on. I’m in line at the grocery store and would like to use my card. Can you ask me about the suspicious transactions so I can tell you if they were me?”

              Me: “…nope. Call us back. Byeeeeeeee”

              • 🙂

              • Lol exactly right Hal. I work for a bank as well. The real problem is that for every solution you could turn that useful solution into something corrupt and vice versa. Don’t be angry at the bank employees who are ordinary people trying to do a good job. Be mad at the jerks that are pulling these stunts.

      • That’s no reason to give out information in a call you didn’t originate. You just thank the caller, hang up, and call back at a number you got from their website, your card, or your statement.

    • All the bank can do with your phone number is call you or give/sell it for someone else to call you. The services I get from the bank having my number are worth it to me. I occasionally get calls about errors I made, or fraudulent purchases.
      However, these days I get many more calls from people who call numbers at random and want to help me with my credit card interest rate, hearing aid, or other service I do not need, than from my bank. So whether the bank has my number or not makes little difference.
      I have told people at my bank (actual people at my bank) who called me and were asking for personal information “for verification” to hang up and I would call back.
      There is one rule and it is so simple, I cannot understand why people would not follow it. If somebody calls me, I expect to receive information, not give any in return. DO NOT GIVE PERSONAL INFORMATION TO ANYONE WHO CALLED YOU. If you believe the call is legit, or you want to check BEFORE GIVING ANY INFO, hang up and call the number you know (back of the card).

  2. The real problem here is the failure of antiquated phone system technology to keep up with VOIP and caller ID spoofing.

    There should be some way that the public switched phone system can prevent the use of a fake custom caller ID string of a phone number that already exists as a real number, and also block variants such as letters in place of numbers.

    Public phone switching could be designed to check this and deny a VOIP call from going through at all, if it finds a spoofed caller ID string of a real number.

    • I am currently dealing with this! There is a family of felons using my number. I wouldn’t know this if the bail bondsman wasn’t looking for them or I hadn’t gotten some very nasty voicemails concerning these people. I tried to report it, I block every variant of my number that dials mine, deny their banking transactions, the whole nine yards, and NOTHING helps.

    • Lately I have heard many people telling me that they have received calls that claim to be from their area code and local exchange number. They answer since they assume that it may be someone from work, school, or a local business.

      The phone companies should be able to easily block all calls with a caller ID string from an unused number. It would be a good start.

    • “The real problem here is the failure of antiquated phone system technology to keep up with VOIP and caller ID spoofing.”

      VoIP doesn’t have SS7, so the POTS network only delivers what the stupid VoIP puts out.
      AT&T, GTE, Bell all tried to deny them access into the public system but were overruled by the FCC,
      so now we have a new way for crime.

    • The STIR/SHAKEN protocol being worked on now is supposed to make caller ID more secure.

  3. Always disclose to them that you’re recording your calls, scammers will hang up instantly

  4. There has to be a combined legal and technical response to phone scamming. We’re in danger of losing the use of our telecommunication network.

    I think I’m already at the point where 9 out of 10 calls to my (employer paid) cell phone are junk calls. When someone has actual business to talk about they usually can’t get me because I don’t answer the phone.

    It can’t just be “the user should just ignore it” like they told us in the early days of spam. It can’t just be “the phone company needs to block them.” There has to be some serious enforcement to cut down the number of operators who have to be blocked.

  5. Who did these illustrations? They are terrific — the artist deserves credit.

  6. I will give fake or purposefully wrong information to the caller’s request for personal information, to test them or gauge their reactions. Obviously, not foolproof but can help deduce where you are in the transaction (i.e. are you in a scam?).

    • dave – excellent tactic. It also helps distort information about you collected in myriad databases used by bad guys to try to scam you or impersonate you.

  7. I had something similar after posting my resume online. I’m sure it was a bot as there was always a second or two delay in her responses. I got suspicious when “she” asked for my email. I said, “Don’t you have it already?” and the bot responded, “Thank you for that.” then moved on to her next question. I hung up. Luckily her first few questions were about my job search and the positions I was looking for… as a fraud analyst.

  8. Isn’t the solution here fairly simple, as someone else noted? If you get a call purporting to be from your bank, just thank them, hang up, and call the bank. Saying “it’s a bit of work” has to be the lamest excuse on the planet for just going along.

    I’m of that older generation, running a business, and my position is that if I don’t know the caller, and they don’t leave a voicemail, they don’t need me to call them back. There are plenty of other ways these days to get in touch, and I prefer email to the phone anyway. Again, if people can’t be bothered to do that, then there’s a bigger problem than just the ease with which scammers are using phones.

    I use YouMail on my iPhone, and get protection from my carrier on the Samsung for three bucks a month. Expecting the carriers to spend money on this ignores the fact they don’t give a rodent’s backside because THEY aren’t losing any money. Heck, they’re probably selling all our data as we speak.

    Oh, and start listening to those little alarm bells. Y’all have them for a reason.

  9. How do you spend $2k at a flipping supermarket FFS

    • Easy. Gift cards. All major retailers have racks of them for anything from Amazon to cash cards.

  10. As I’ve been saying for many years: The good thing about a phone is that you can HANG UP!!!

  11. Never, ever trust a phone call to you with fraud! Authenticate the report by hanging up and calling whatever financial institution allegedly called. I had a legitimate fraud call from a credit card issuer. I said “thanks, I’ll call your fraud department right back”, dropped the call and called the number on the back of the card. The fraud team were laughing at my paranoia…..or should I say a reasonable amount of caution. It was legitimate fraud and they handled it. The fake Microsoft and Apple service calls (your system has a virus, etc) are easy to detect.

    We have all become too trusting of our electronic communications. The intimacy of the contact via the call, and the urgency kick common sense out of our heads.

    • “The fraud team were laughing at my paranoia…..or should I say a reasonable amount of caution.”

      Really? When my people have a level of paranoia that meets or exceeds my own, they get congratulated!

  12. Povl H. Pedersen

    People are too trusting.
    CEO fraud and other fraud have taken place, where multiple communication channels have been combined to convince the user.

    Some years ago, we had someone who started with e-mail, then sent faxes with bank guarantee, and had a “secretary” at another company answer calls (IP telephony numbers). They had other people working at the “bank”. Contact and fax numbers on the bank guarantee were IPT all of them.

    So a mail followed up by a phone call already gives the user 2 degrees of validation, and asking the user to call back to a 3rd phone number, and he has 3 degrees of verification, and will fall for anything.

    The voice call puts a human touch on it, and people will then know it is not the eastern European or Chinese mafia behind.

    Indian phishing still takes place, Microsoft support. I talk with lots of Indians in my daily work, but I usually just hang up when the scammers call me, maybe sometimes on the work colleagues as well if we do not have a scheduled phone meeting. Better safe than sorry. Lately 9 out of 10 of the Indian scammers have a caller ID with one digit too many or one too few. Not sure if telecoms implemented some CID filtering.

  13. And then there are strange Website changes: Not long ago, I accessed the credit card area of US Bank’s Website, and it (1) displayed in a weird format, looking mostly like a mobile site magnified 4x or so (I was on a desktop) and (2) asked me to answer security questions, which it had never done before. I figured (2) was legit, but it didn’t like the answer I gave (though I did, in fact, remember where I met my wife) — and then it took me to a reauthentication page that asked me for my CVV. I don’t remember ever being asked to enter my CVV on any bankcard site before.

    At that point, I figured suspicion was the better area of judgment, and called the toll-free number on the back of the card. They walked me through a different sequence of Web pages that eventually led to the same page asking me for my CVV. I asked if that was normal, and the customer service rep answered that it was only used for reestablishing authentication credentials.

    Well, either that, or they pwned the bank’s toll-free as well. (Not really — I just verified that the site not only remembers my new security questions answers, but also has my correct card balance.)

  14. “But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.”

    At that point you ask for the person’s name and say you will call back, then call your CU.

    “blocked two phony-looking charges in Ohio”
    You know how I found out my card had charges in separate states? It stopped working. I had to call.

    “Then she asked him for his current card PIN”
    Oh c’mon now. I don’t care how much “lined up” this should have a big red flag with burning red flames streaming from it.

    “Think again: Even technology experts”
    Smart and being a technology expert don’t always correlate.

  15. Skeptical Mouse

    When I encounter a call where I think I am talking to a very sophisticated machine, I ask them to say something that wouldn’t normally be in their script.
    “Can you say ‘bungalow’?”
    “Can you say ‘Krakatoa’?”

    If you get a, “I don’t have that information…” or, “Well, I’ve never been asked that question before!” … you’re talking to a machine.

    In all my time doing this, I’ve had exactly one person reply with a very confused, “Bung…a…low?” But he was a telemarketer. So I hung up on him.

  16. To be honest, I am surprised there is no ‘opendns’ for phone calls. An open source list of scam numbers would be awesome. I just let all calls go to voicemail, even from contacts (who calls these days anyway?). Then listen to the messages and react that way. Spam calls rarely leave messages.

    • No black list will help. Caller ID’s are spoofed so they look like they come from real, legitimate businesses or people. I once received a spam call with a caller ID of MY OWN PHONE. That was pretty easy to spot.

      I’ve also received a few calls from people saying I called & hung up on them. Which I never did, of course. But my number was randomly used as a caller ID for spamming others.

      As for letting all calls go to voicemail, I hope your contacts don’t follow the same logic….You’ll never talk! Or maybe that was your intention.

  17. The real problem is that organizations in the US (and banks in particular) have and always had a terrible security model.

    Last time I did a big transfer between two banks, the bank called me to ask confirmation, asking a ton of security details. I turned them down. They said that was OK and I could call them back, but that was quite painful because I had to navigate through menus and the person I got didn’t have my information so they needed even more security questions.

    They don’t trust the security of their website, so they rely on a weaker, not even authenticated nor encrypted phone call instead … nonsense.

    • That is part of a larger problem now with real estate transactions with purchase money for a house being diverted to scammers’ accounts.

      Glad we are done with that for a long time to come. However, we did experience the opposite in the paranoia of a teller at our credit union being reluctant to deposit the certified check payment for selling our house from our real estate agent as we had gone out of town the day before the deal was closed by him for us, with all other parties in physical attendance (no electronic payment processing exposures as all bits were local), and we had given him a deposit slip. He is a very savvy guy, whom we had known for years, and with a lot of experience with these kinds of deals, and he said he had never had a bank refuse to TAKE the payment money for deposit. He did get the teller’s manager involved to ok taking the check for deposit.

      I suppose there are Nigerian type angles of scammers trying to get a lot, or even all of the money “back” from the deposit as a cash carve-out, and the inexperienced teller was afraid of something along those lines, but this was a simple deposit-only transaction.

      2 years on now, I am not so sure I would go along with even this kind of a transaction…

  18. Nowadays, when I answer my phone, I adopt the mindset that I’m answering a pay phone at a bus station. It puts me in a more defensive posture!

  19. The comments are interesting and pose a lot of serious concerns from legitimate callers. I’ve tried to adapt the practice of listening with great intent on those occasions when I do answer a number I don’t know. Any legitimate caller will understand if you say that you need to call in a few minutes when you can give this matter your full attention. If they give you a number fine – but NEVER use it. Do exactly what they say, look it up yourself and carefully. I have received fraud alert calls from my Credit Union and they’ve all been legit. They aren’t offended when I call back in to the legit phone number so I know I’m talking to a valid source.

    Unfortunately this is the way the world works now. The minute I hear anything I don’t like I hang up…immediately and without remorse. Legitimate non-profit? Well, if you want to donate look it up and donate on your own. Don’t fall for any of it. And don’t worry about being rude or unkind – you didn’t ask for the interruption and any legitimate organization will understand. If they don’t understand then fire them and move to another!

  20. One can only hope that the FCC and the Robocall Strike Force will push to have the STIR/SHAKEN authentication standard implemented by the major carriers for VoIP and cellular calling. Verizon announced they would implement this later this year, with the bulk of production into 2019. This would stop the spoofing calls.

    Meanwhile, try using the online Jolly Roger Telephone service to intercept the robo calls with their own robot responses. Hilarious!

    • Researching further, additional dates are published by CTIA.

      Organization SHAKEN deployment
      AT&T 2018–2019
      CenturyLink beginning in 2019
      Cisco 2019–2020
      Comcast 2018–2019
      Cox 2018–2019
      Nokia 2019
      T-Mobile 2018–2019
      U.S. Cellular second-half 2019
      Verizon 2018–2019

      Sprint “voice-spam network”: No timeline.

  21. Wow! Under no circumstances should anyone ever share a PIN with another human. No one at a bank can use your PIN to verify your identity. Machines generate PINs and send them out; only the machines know your PIN. This is drilled into everyone who opens a bank account in the UK.

    If my bank calls me, they will tell me letters from a pre-arranged code word to prove they are my bank – effectively a reverse password – before they then ask me for security credentials. They are also quite happy for me to call them back.

  22. Daniel Olivares

    I received the AT&T phone scam call described above last Friday. It was quite convincing. However, I hung up on the robot and went to the actual AT&T website and chatted with an actual customer service representative, who confirmed my account was fine. I didn’t give the robot anything. What red-flagged it for me is that AT&T will send you a text message with account updates but, at least in my experience, won’t call you about locking your account. If the text message doesn’t work, your phone will just stop working except for the customer service number.

  23. The federal Do Not Call registry worked for maybe a decade or so. But that time appears to have passed.

    Our government would need to care *a lot* more about scams and fraud than it currently does for that registry, or some “descendant” of that registry to have any real effect.

  24. The best thing to do in these cases is to hang up the phone and call the card company, etc. directly and start asking questions as to the legitimacy of the call you received.

  25. I failed to comprehend the amount of blaming and fuss about the insecurity and stupidity of financial institutions. Humans have only evolved to this date through adaptation and evolution.

    The way to ensure absolute security, or at least the very minimal loss from compromised situations, has long since been created by the banks and governments alike to ensure your security online, on the condition of the person asking for it having common sense, brains and a twinge of logic – prepaid Visa/Mastercards.

    There is no sympathy for those who failed to notice and make use of the most basic resources.

  26. EvenMoreCleverYet

    I just want to give you an update on this… it is even more clever than this article explains.

    We got the same “Fraud Detection Call” as is explained in the article. They said there were two suspicious transactions: a charge that was swiped instead of using a chip, and an attempted withdrawal from an ATM using a bad PIN. The bank had blocked the suspicious activity and triggered the call.

    This call was 100% like every other legitimate call, where they started by asking to confirm if we made the last 5 transaction attempts. The first 3 were recent ones we had made within the last 24 hours. The next two were the supposed fraud attempts, which we had not made and indicated they were of course fraud.

    At this point we had no reason not to believe this was a legit call, because who else but the bank would have our number, the card number and our most recent purchases/amounts for the card.

    Then they proceeded to say they would shut down the card and send out new ones. They then asked for the PIN so they could complete the request. This sent up alarm bells and we told them we didn’t know the PIN because we never use an ATM. The person persisted, at which point I was very suspicious and looked up the caller ID. It came back to Wells Fargo, but of course it is easy to spoof caller ID. Finally, once the agent realized I wasn’t going to give up the PIN, they said “Ok, well I will manually get it requested without the PIN” and proceeded to say goodbye. In hindsight he was trying to bail on the call knowing he wasn’t getting what he wanted. We had assumed this was all legit until our new cards never arrived.

    We called WF back and they said they had no record of the suspected fraud, the call, canceling the cards, etc. At that point I realized it was a phishing scam for sure and they were trying to get PINs to cash out at ATMs.

    The thing is though, they had our transaction history up to the moment, which means one of two things…
    1) Online account was compromised, but they didn’t do anything in it or update the account with bogus info.
    2) They got the info from the automated phone banking. I think this is most likely, because with just the card number and some basic stuff they likely found elsewhere, like the last 4 of the SSN, they can access transaction records, especially if spoofing the caller ID of the registered phone.

    I am in infosec and even I was close to falling for it. The only thing that gave me pause was asking for the PIN, which I refused to give, and even then I didn’t think it was a scam until later, due to not receiving my cards, since it went down like a normal fraud prevention call.

    The bank confirmed no one will ever ask for your PIN, ever, no matter who calls who, and when they call you they will not ask for sensitive info like card numbers or socials – ever.

  27. For a fraud alert on a credit card, you do not have to give them any card or ID passwords. They have all that info from their records when they call. They are not protecting your interest but their own, since they have to pay!

    I received a fraud phone call from USAA bank about 5 or six years ago. They got right to the point and wanted to know if I had been in Italy in the last couple of months. That was all they needed to know. They canceled the card and sent me another.

    Don’t give out security information on the phone to anyone or anything that calls you.

  28. The public phone system is not secure at all, and yet most institutions and online services make every possible effort to know them.
    The public phone system needs to be replaced by something more like Threema or something similar that allows them to create their own contact ID associated with some public key technology considered secure, so that when the phone rings you can be sure the ID displayed is really from the company/person… and yes: with everyone blocked by default, so that scammers don’t have an incentive to just try all possible IDs… and those that can’t refuse everyone would at least be getting the real ID… that and some sort of public list (“yellow pages”) with confirmed IDs (personal, institutions, companies…) could help stop at least some random guy from Nigeria from saying it is from New York… and maybe options just to allow calls from certain regions/countries.

  29. I’ve found a pretty good workaround for spam and phishing calls.
    Set “Do not disturb” on my phone.
    This will only allow people in my contacts to ring through.

    Got me a Google Voice number and I forward any unanswered calls to the Voice number.
    I’ll get a transcription of the voicemail in my email almost immediately and an email that I missed a call.

    Genuine calls from schools, banks, doctors, hospitals, or any legitimate callers will always leave a voicemail.
    Scammers don’t, but I have gotten offers for back braces and my last chance to lower my CC interest rate. (Oddly, last chances can amount to more than 1.)

    I wish I could tell the robots, I pay my CC off every month and haven’t paid any interest in over 40 years. LOL!