FTC says taxpayer voice phishing scams are up nearly 20x

Have you gotten a (fake!) call from a (not!) US Social Security Administration rep? Maybe one in which you’re told that your Social Security number (SSN) has been suspended because of “suspicious” activity, or because it’s been involved in a crime?

Sometimes, the real Social Security Administration (SSA) phone number – or a number that’s close to it – shows up on your caller ID.

All you have to do to clear up the mess is to confirm your taxpayer ID, the scammer will sometimes say. Or maybe you can take care of it by paying a fine… via gift cards, the codes for which you can read to the imposter over the phone.

Of course, you never want to do any of that: if you hand over your SSN, you’re setting yourself up for identity fraud. If you buy gift cards and hand over the codes, you can kiss that money goodbye. We should never give our SSN, credit card or bank account number to anyone who contacts us.

Unfortunately, some people do. And given that we’re in tax fraud season right now, in the months leading up to the April US filing deadline, it’s time for an updated report from the US Federal Trade Commission (FTC).

Losses through taxpayer scams total $16.6 million

The news isn’t good: the frequency of taxpayer scams are going up, the FTC said last week. It’s seen a spike in reports of fake SSA calls, 3% of which have led to victims getting taken to the cleaners.

Since January 2018, the FTC says, it’s received more than 63,000 reports of this scam. Reported losses totaling $16.6 million, with a median loss of $1,484. That’s an enormous jump: it’s nearly 20x the numbers reported in 2017 when 3,200 people told the FTC about experiencing SSA imposter scams. The total amount they reported losing in 2017 was close to $210,000.

The scammers are adept at pushing our fear buttons. They might tell us that our bank accounts are on the brink of being seized, our SSN is about to be suspended, or that we’re about to be arrested.

String that all together, and you get something that sounds like this demonstration of voice phishing (vishing) posted by the FTC in December.

Rat out the rats!

If you’ve received one of these vishing calls, the FTC asks that you report it at ftc.gov/complaint.

If you’ve already handed over your SSN and you’re worried about identity theft, visit IdentityTheft.gov/ssa.

The FTC asks us all to remember these things if we ever do get one of these calls:

  • Your Social Security Number is not about to be suspended. Your bank account is not about to be seized.
  • The real SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
  • You can’t believe the numbers on your caller ID. Scammers can easily fake those. But if you’re worried, call the real SSA at 1-800-772-1213. You can trust that number if you dial it yourself – just not on your caller ID.
  • Never give your SSN, credit card or bank account number to anyone who contacts you. Ever.

Caller ID spoofing: Why isn’t it illegal?

Many times, people wonder: why in the world is it possible, or even legal, for callers to change the number that shows up in caller ID?

It is, in fact, illegal… but only sometimes.

The Truth in Caller ID Act prohibits spoofing when it comes to “transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value.”

There are many examples of when callers legitimately, and legally, spoof their caller ID number with no intention of ripping us off. For example, when a doctor calls a patient from her personal mobile phone, she may choose to display the office number rather than her personal phone number. Another example is when a business displays its toll-free call-back number.

Unfortunately, it’s very easy for scammers to download automated phone-calling technology, spoof numbers to make it look like calls are coming from whoever they choose – be it the SSA or a local neighbor – and robo-drag victims into their scam spiels.

Just ask the so-dubbed “robocaller kingpin”, Adrian Abramovich, who was fined $120 million for the nearly 97 million spoofed calls his marketing companies made to sell vacations at resorts that, surprise surprise, turned out to be anything but the Marriott, Expedia, Hilton and TripAdvisor vacations initially mentioned.

What Abramovich told the Senate Commerce, Science & Transportation Committee after it subpoenaed him to explain how he did it:

There is available open source software, totally customizable to your needs, that can be misused by someone to make thousands of automated calls with the click of a button.

May you and yours get through tax season without being victimized by one of those button clicks. But if you do, make sure to report it. As the story of the robocall kingpin clearly shows, these crooks don’t always get away with it. Reporting them helps to make the legal case that can shut them up.