Fraudulent calls target US banks, another look at caller ID spoofing

Filed Under: Data loss

Rotary telephoneMany of us at Sophos spend most of our waking hours investigating digital threats designed to steal money, passwords, identities and more.

Most of these crimes take place on the internet, but today I wanted to draw attention to something you might not be expecting, vishing.

I am not a big fan of the term "vishing", but it is the easiest way to describe the act of using the voice telephone network to phish peoples account information the same way we see on the web and in email.

A story on Dark Reading this week pointed out that 30 of the top 50 US-based banks have reported they have received complaints from their customers.

How does this work? It appears to be similar to the fake tech support calls many people were receiving from overseas call centers taking advantage of super-cheap VoIP rates.

This time there is a twist however. They are attempting to spoof the caller ID information to make it more believable that you are in fact receiving a call from "Bank name here".

In the United States this can be particularly convincing as the call display service used by most US phone companies does a reverse lookup for the name information based on the caller ID number provided by the call.

If a criminal does his research and determines that the main phone number for Bank of America is 512-555-0022 and forges his caller ID number to match, your phone will display "Bank of America - 512-555-0022".

People put a lot of blind faith in seemingly reliable technologies like caller ID, but it is in fact trivial to spoof.

Why is this? Caller ID is quite a dated technology and was bolted onto to the existing phone network nearly 30 years ago.

The information about who is calling you is sent down the wire "in-band", meaning the information is transmitted on the same wire that carries your voice.

With Voice over IP (VoIP) technology you can falsify this information making your calls to appear to originate from any number you choose and the criminals appear to have caught on to this fact.

In 2011 this technique was used to send a SWAT team to someone's home as some sort of a cruel prank drawing the ability to forge numbers to the attention of the general public and criminals alike.

SWAT team. Image courtesy of Shutterstock

Whenever you receive unsolicited communications asking you for information, you should always ignore it and contact the party responsible directly.

Whether it is over the phone, through email, an instant message or over a social network, just delete/hang up/ignore the communication.

We all have a certain amount of faith in the technology around us and criminals will continue to take advantage of that fact.

Stay suspicious, keep your guard up and let your friends and family know to be on the lookout so they don't become the next victim to these scams.

SWAT team image, from ShutterStock

, , , ,

You might like

6 Responses to Fraudulent calls target US banks, another look at caller ID spoofing

  1. Randy Askew · 894 days ago

    This article was "Highly Informative & Useful", this has occurred with a friend of mine,whom wondered how can this happen. Now It can be shown using this article.

    Now, I would like to request something be explained when a voice-message comes in an un-invited manner advertising items then urging you to press a set of numbers, and press the # sign afterwards. Then you get a billing in your next month telephone bill.

    That would be nice to know!.

    Thank You in Advance!!!.

    • Robert W. · 893 days ago

      That is a fraudulent practice known as "cramming" where thieves set up some
      kind of product or service delivery arrangement with the phone company, and
      the charges for these products never shipped or services received are added
      to your monthly phone bill, instead of charging your credit or debit card.

      Even alleged 'free trials' end up being billed to your telephone account at the
      full rate immediately, in advance. NEVER respond to any of these unsolicited
      'telemarketing' scams, or give out any information, just like you hopefully will
      not even open phishing emails, much less click on any links in them. Thieves
      use technologies to mask or forge their real telephone number, similiar to a
      forged IP address or header in an email.

      File a complaint with the telephone carrier, the FTC, and the police. You do
      NOT have to pay any disputed amounts.

  2. Susanna · 894 days ago

    My biggest gripe here in the UK is the number of banks whose departments cold-call you and then expect you to give out your password (or parts of it) over the telephone.

    Them, 'Hello, this is Bank of Scotland, we're ringing about a matter on your account ending 1234. Can you give me your password letter 2 and 3, please?'

    Me - 'How do I know who you are? I'm not giving random passwords out over the phone. What is this about?'

    Them: 'I'm sorry, we can't tell you unless you go through security. What is your password?'

    Me: 'Give me your name and department and I'll call you back via the main switchboard.'

    Them: 'I'm sorry, I'm in a call centre with no inbound facility'. I hang up......and after much searching and time-wasting calling my bank directly, discover they were ringing to sell me insurance.

  3. Scott · 894 days ago

    Here's a twist on the phishing scam (which I was ALMOST a victim of):

    Get a call on company voice mail (social engineering most likely will target you at a particular company - or dumpster diving)

    Said call informs you of "fraud" on your credit card account at <insert bank here>
    Please call this 1-800 number to "fix" it.

    The first time I called the number I went through a typical phone menu and ended up talking to a person. The first thing he asked me for was my entire credit card number. Red flags ensued and I ended the conversation. (I write software for banks and credit unions, I know for a fact that the tellers will never see the entire number, usually the last 4 digits, so they should never ask for it - I verified that with my bank and they concur).

    The second time I called (research this time) it was a bit more sophisticated with a phone menu driving the entire conversation. I was never directed to speak to an individual, but, sure enough, the electronic voice asked me to key in my credit card number.

    Now, I know there is a fair number of services out there that offer easy to set up and simple to program VOIP and voice solutions. As an accomplished PHP programmer I can see how easy it could be to phish data using these techniques.

    You should write an article regarding these new VOIP services which allow easy to integrate solutions. It's great if the users are not nefarious criminals, but it just gives the criminals an easier (and more powerful) route to phish.

  4. LAGraham · 893 days ago

    This is also occurring with text messages. Of course, it's quite simple to know it is NOT your bank when the text is at 3 a.m. Thankfully some of these scam artists haven't figured out time zones and banking hours within them. NEVER respond in ANY way to voice OR texts from "your" bank; hang up and call the bank directly.

  5. Roy-Egon Kleveman · 892 days ago

    How exciting! The article is illustrated with a 60's Swedish telephone, the "Dialog". :-D

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.