Blog: Social Engineering

The spoofed number phone call scam

Tom Roberts 03 Nov 2014


Action Fraud has issued an alert about a new social engineering scam:
http://www.actionfraud.police.uk/news/alert-watch-out-for-new-number-spoofing-scam-oct14


“Fraudsters are using a new scam to make the people they are phoning believe they are speaking to a trusted organisation by fooling their phones into displaying any number they choose.
The scam, known as ‘number spoofing’, works by fraudsters cloning the telephone number of the organisation they want to impersonate and then making it appear on the victim’s caller ID display when they telephone them on a landline.”

How does it work?

The calls are placed over compromised VoIP networks (or a phone network the scammers have built for the purpose), and some websites hosted in countries where the practice is not (yet) illegal offer caller ID spoofing as a service. Once upon a time this was used for prank phone calls. Now the prank has turned serious: it is not laughs they want, it is your personal data and cash.

Why does it work?

This is a trust attack. The victim may even be more security conscious than most, and that can play straight into the attacker’s hands. The scammers have found a way of spoofing the telephone number of whichever organisation or group they wish to impersonate.

The victim may look up the number on the internet to verify it, and the match gives them a false sense of security. The attacker uses exactly this to convince the victim they are dealing with a legitimate company or group. The impersonated organisations include banks, police forces, loan agencies, mortgage lenders, charities and other bodies that regularly handle sensitive or personal financial information.

What can I do?

The countermeasures are simple. Never assume that someone calling you is who they say they are. If the caller draws particular attention to your phone display, or makes statements like “just check the number I have called you from, you will find it is legitimate”, that should set off alarm bells: the displayed number is exactly what the scammer controls.

The correct action is to end the call and ring the organisation back from a “clean” starting point. Look at their official website (or a statement or card you already hold) for a valid contact number and dial it yourself, ideally from a different phone or after confirming the line has cleared, since a caller ID check proves nothing. Make sure the number you are ringing is the right one, and never give sensitive information such as a PIN or account password to anyone over the phone.

Get involved

The good folks at Action Fraud would also like to hear from you if you have been approached in this manner. Their website at http://www.actionfraud.police.uk/ has both a web reporting portal and an action line to ring. Don’t just remain quiet. Awareness is key to defeating these scammers.