Fraudulent calls target US banks, another look at caller ID spoofing

Many of us at Sophos spend most of our waking hours investigating digital threats designed to steal money, passwords, identities and more.

Most of these crimes take place on the internet, but today I wanted to draw attention to something you might not be expecting: vishing.

I am not a big fan of the term "vishing", but it is the easiest way to describe the act of using the voice telephone network to phish people's account information the same way we see on the web and in email.

A story on Dark Reading this week pointed out that 30 of the top 50 US-based banks have reported receiving complaints from their customers about fraudulent calls claiming to come from the bank.

How does this work? It appears to be similar to the fake tech support calls many people were receiving from overseas call centers taking advantage of super-cheap VoIP rates.

This time there is a twist, however. The callers are spoofing the caller ID information to make it more believable that you are in fact receiving a call from "Bank name here".

In the United States this can be particularly convincing because the name shown on your call display is not sent by the caller at all. The call display service used by most US phone companies does a reverse lookup (a CNAM lookup) of the name based solely on the caller ID number the call presents.

So if a criminal does his research, determines that the main phone number for Bank of America is 512-555-0022, and forges his caller ID number to match, your phone will display "Bank of America – 512-555-0022", exactly as it would for a genuine call from the bank.

People put a lot of blind faith in seemingly reliable technologies like caller ID, but it is in fact trivial to spoof.

Why is this? Caller ID is quite a dated technology that was bolted onto the existing phone network nearly 30 years ago.

The information about who is calling you is sent down the wire "in-band", meaning it is transmitted on the same wire that carries your voice, and nothing along the way checks that the number presented actually belongs to the party making the call.

With Voice over IP (VoIP) technology the calling party supplies that number itself, so you can falsify it and make your calls appear to originate from any number you choose. The criminals appear to have caught on to this fact.
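To make the two preceding points concrete (the number is supplied by the caller, and the name on your display is looked up from that number alone), here is an added Python example. It is mine, not code from the original post or from Sophos. It parses the caller-supplied number out of a SIP INVITE's From header, performs a CNAM-style reverse lookup on it, and renders the call display string. It also shows the only check a carrier or PBX actually has: whether the peer that sent the call is one allowed to present that number. The two INVITEs, the CNAM table, and the set of trusted trunk addresses are all constructed for illustration and are not real data.

```python
import re
from typing import Optional

# Constructed CNAM-style lookup table: number -> name. Hypothetical entries.
CNAM = {
    "5125550022": "Bank of America",
    "5125550199": "First Example Credit Union",
}

# Hypothetical: addresses of SIP peers allowed to present the bank's numbers.
TRUSTED_TRUNKS = {"203.0.113.10"}

# Constructed sample: a legitimate call from the bank's own SIP trunk.
LEGIT_INVITE = """INVITE sip:+15125551234@carrier.example SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
From: "Bank Contact Center" <sip:+15125550022@bank.example>;tag=1928301774
To: <sip:+15125551234@carrier.example>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
"""

# Constructed sample: the same From number, sent from an untrusted VoIP source.
SPOOFED_INVITE = """INVITE sip:+15125551234@carrier.example SIP/2.0
Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bKnashds8
From: "Bank of America" <sip:5125550022@198.51.100.77>;tag=9fxced76sl
To: <sip:+15125551234@carrier.example>
Call-ID: 3848276298220188511
CSeq: 1 INVITE
"""


def normalize_nanp(number: str) -> Optional[str]:
    """Strip formatting and a leading country code 1; return 10 NANP digits or None."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def presented_number(invite: str) -> Optional[str]:
    """Extract the caller-supplied number from the From header of a SIP INVITE.

    Nothing here verifies the value: it is whatever the sender chose to put there.
    """
    m = re.search(r"^From:.*?sip:([^@>\s]+)@", invite, re.MULTILINE | re.IGNORECASE)
    return normalize_nanp(m.group(1)) if m else None


def call_display(number: Optional[str]) -> str:
    """Render what a US handset shows: CNAM name (if any) plus the formatted number.

    The name is keyed on the presented number only, so a forged number yields
    the same display as a genuine call from that number.
    """
    if number is None:
        return "UNKNOWN"
    formatted = f"{number[:3]}-{number[3:6]}-{number[6:]}"
    name = CNAM.get(number)
    return f"{name} – {formatted}" if name else formatted


def source_address(invite: str) -> Optional[str]:
    """Return the address in the topmost Via header.

    In a real deployment the trust decision is keyed on the transport-level
    peer that delivered the packet; the Via header stands in for that here
    because the samples are constructed text rather than captured traffic.
    """
    m = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", invite, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def presented_number_is_trusted(invite: str) -> bool:
    """The only real check available: did the call arrive from a peer permitted
    to present this number? The From header itself carries no such assurance."""
    return source_address(invite) in TRUSTED_TRUNKS


if __name__ == "__main__":
    for label, invite in (("legitimate", LEGIT_INVITE), ("spoofed", SPOOFED_INVITE)):
        num = presented_number(invite)
        print(f"{label:>10}: display={call_display(num)!r} "
              f"trusted_source={presented_number_is_trusted(invite)}")
```

Run stand-alone, both calls render the identical display string; only the source check separates them, which is why the advice later in this post is to hang up and call the bank back on a number you already have rather than trust what the handset shows.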

In 2011 this technique was used to send a SWAT team to someone's home as some sort of cruel prank, drawing the ability to forge numbers to the attention of the general public and criminals alike.


Whenever you receive unsolicited communications asking you for information, you should always ignore them and contact the party responsible directly, using a phone number or address you already have (the one on the back of your card or on a statement), never one supplied by the caller or the message.

Whether it is over the phone, through email, an instant message or over a social network, just delete/hang up/ignore the communication.

We all have a certain amount of faith in the technology around us and criminals will continue to take advantage of that fact.

Stay suspicious, keep your guard up and let your friends and family know to be on the lookout so they don't become the next victim of these scams.
