No Thank You Very Much, Mr. Roboto
Spammer and Robocall Tactics Even Practitioners Fall For
Tell me if this sounds familiar: your phone rings unexpectedly and it’s an unknown number from the same area code as your personal number. You debate whether to answer, knowing it’s probably a scammer, but curiosity kicks in and you answer the phone. Immediately you regret answering as you experience a one-beat pause followed by the familiar click as you are connected to a highly scripted character named “Mandy” or “Justin” out of a (seemingly) foreign call center.
With 24.3 billion robocalls already placed in 2018, this year is on track to exceed 2017’s whopping 30 billion robocalls. Coupling the frequency of these calls with the evolving techniques scammers use, even cybersecurity practitioners, well-aware of these threat actors, can fall victim. Let’s take a look at the common types of scams and what to look out for to help you avoid the traps.
Debt Collection Scams
These scams often start with a phone call informing you that you owe money for unpaid taxes or an overdue credit card. The pressure is on to immediately pay via debit card or wire transfer to avoid additional fees, collections, or *gasp* jail time. The dollar amounts are often sizable, but reasonable enough not to draw suspicion. This tactic works especially well on individuals who are working hard to maintain a high credit score or who have had a bad collections incident in the past. The emotional impact of the threat can lead even savvy folks to behave irrationally and comply with the bad actors.
Tech Support Scams
You receive a call from a “tech support” employee from a reputable company (Microsoft, Apple, etc.) claiming there’s a problem with your computer. From here they direct you to a specific website in an attempt to gain remote access to your machine or to convince you to purchase software to “fix” the issue. If successful, scammers can have their way with any information stored locally on your machine — some may even use this foothold to pivot to other attacks, including ransomware. It’s interesting that this tactic leverages an individual’s fear of digital exploitation to carry out the attack. How meta.
Prize Scams
These scammers leave voicemails claiming you’ve won a grand prize and simply need to call them back to claim your winnings. Feels kind of like the old pop-ups on AOL, doesn’t it? When you call them back on the number listed, you may be charged excessive cost-per-minute fees without even realizing it until you receive the monthly phone billing statement. Even worse, you may be tricked into paying them money and sharing personal information. Another version of this is when your phone rings once and then the caller hangs up, hoping that you will be enticed to call them back.
Caller ID Spoofing
As consumers have gotten smarter about ignoring calls from 1-800 numbers, scammers began using spoofing techniques. Leveraging readily available software, scammers can increase the likelihood that their marks will answer by masking the actual number they are calling from with legitimate phone numbers from recognizable companies. A similar tactic called neighbor spoofing has been prolific in recent years. In this tactic, bad actors use a robo-dialer loaded with a range of DIDs (phone numbers) and place the call from the phone number most closely resembling the mark’s personal phone number (typically the same area code and exchange). In either case, these tactics give scammers an increased likelihood of carrying the scam through to completion.
What You Can Do:
Many phone carriers are working on ways to reduce the number of robocalls — some already identify potentially unwanted calls by listing unknown contacts as “Telemarketer” or “Suspected Spam” on your caller ID or dedicated application. This isn’t a 100% effective way to screen out scammers, but it helps. There are also several third-party, call-blocking services and apps on the market to help reduce the number of calls you receive. However, don’t forget there are simple, no-brainer ways to avoid being a victim of one of these scams.
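The neighbor-spoofing pattern described above and the carrier-style caller-ID labels just mentioned can both be turned into a simple screening rule. The following is an added example written for this article, not code from any carrier or call-blocking app; the subscriber number, the address book, and the labelling heuristic (same area code and exchange as your own number, but not in your contacts) are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed values for this example: the subscriber's own number and address book.
MY_NUMBER = "+1 (555) 867-5309"
KNOWN_CONTACTS = ["(555) 222-3333", "+1 555 867 5300"]

# North American Numbering Plan: optional leading country code, then NPA-NXX-line.
_NANP = re.compile(r"^1?(\d{3})(\d{3})(\d{4})$")


def normalize_nanp(raw: str) -> Optional[str]:
    """Reduce a formatted North American number to its 10 digits.

    Accepts '+1', a bare leading '1', spaces, dashes and parentheses; returns
    None when the caller ID is withheld, non-numeric, or not a 10-digit number.
    """
    m = _NANP.match(re.sub(r"\D", "", raw))
    return "".join(m.groups()) if m else None


@dataclass(frozen=True)
class Screening:
    ring: bool   # True: let the phone ring; False: send straight to voicemail
    label: str   # caller-ID label, in the spirit of carrier "Suspected Spam" tags


def screen_call(caller_id: str,
                my_number: str = MY_NUMBER,
                contacts: Iterable[str] = KNOWN_CONTACTS) -> Screening:
    """Label an incoming call by comparing the presented caller ID with our own number.

    Heuristic (an assumption of this example, not a carrier's algorithm):
    - a number in the address book rings normally;
    - a caller ID identical to our own number is certainly spoofed;
    - an unknown number sharing our area code and exchange (first six digits)
      matches the neighbor-spoofing pattern and is labelled as such;
    - every other unknown number goes to voicemail with a generic label.
    """
    mine = normalize_nanp(my_number)
    if mine is None:
        raise ValueError("subscriber number must be a 10-digit NANP number")
    known = {normalize_nanp(c) for c in contacts} - {None}
    caller = normalize_nanp(caller_id)

    if caller is None:
        return Screening(False, "No Caller ID")
    if caller in known:
        return Screening(True, "Known Contact")
    if caller == mine:
        return Screening(False, "Spoofed Own Number")
    if caller[:6] == mine[:6]:
        return Screening(False, "Likely Neighbor Spoofing")
    if caller[:3] == mine[:3]:
        return Screening(False, "Unknown, Local Area Code")
    return Screening(False, "Unknown Caller")


if __name__ == "__main__":
    # Constructed sample of presented caller IDs, one per case in the heuristic.
    for cid in ["+1 555 222 3333", "(555) 867-5312", "5558675309", "Unknown", "800-555-0100"]:
        s = screen_call(cid)
        print(f"{cid:>16} -> ring={s.ring!s:5} label={s.label}")
```

The rule deliberately errs toward voicemail: only address-book matches ring, which is the “send it to voicemail” advice in code form. Note that a spoofed caller ID can equally be a real neighbor’s number, so the label is a hint for the person answering, not proof of fraud.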
1. Send it to voicemail.
If you don’t recognize the number, don’t answer. If the call is legitimate, the caller will leave a voicemail or contact you through other means (e.g., text message or email).
2. Hang up.
If you answer the phone and feel uncomfortable in any way (your spidey senses are tingling!), then just hang up. You can complete a quick reverse phone number search, and you might find that others have already done you the service of noting the number as spam on one of the many sites dedicated to reporting malicious activity. If the contact calls back, go back to #1.
3. Withhold your PII.
If you weren’t expecting a phone call, don’t ever give out any of your personally identifiable information over the phone. Don’t share your email address, home address, date of birth, Social Security number, bank account or credit card numbers (even the last four digits), or anything that could be related to your security verification questions (make and model of your first car, high school mascot, favorite pet’s name, etc.). Most legitimate sources will never ask for this type of information over the phone anyway. If you’re on the fence and they ask for this type of information, ask them for a number you can call back to reach them, and check whether that phone number corresponds to a listed number for that company.
4. Don’t go to a destination URL that you can’t Google.
As alluded to earlier, some scammers will prompt you to visit a certain website. If a caller ever directs you to a specific website, simply visiting that page could infect your computer. Instead, try to “Google” the page being referenced to see whether it is a legitimate (and static) site link.
5. Don’t speak into the phone.
If you answer the phone and hear a recorded message (not an appointment reminder/medication refill), don’t speak into the phone. Legitimate customer service centers commonly use voice recordings to verify the authenticity of incoming callers. In an attempt to get around these precautions, scammers have devised new schemes to get individuals to speak into the phone and then record their voices. When you answer the phone, the person on the other end asks a simple yes or no question such as, “Are you there?” or “Can you hear me?” When you respond “yes,” your answer is then recorded. From here, fraudsters can use your voice signature to assume your identity and authorize fraudulent charges over the phone.
While the form of scams may change over time, the overall problem isn’t going away anytime soon. Because these companies and individuals come and go overnight, it takes sizable efforts to fight these nefarious groups and their unethical efforts. If you’re interested in being part of the solution, consider earning your CEH certification and joining the teams working to put an end to these scams.