It can be a very convincing trick...
“You can check the number in your display online sir. You’ll see I’m really calling from your bank.”
That is, of course, if you are unaware that phone numbers can be spoofed. Then again, they wouldn’t be successful scammers if they weren’t convincing. If you suggest calling them back, they'll tell you it’s impossible to call their extension directly and you would have to go through the operator in the head office. Which could take a while and because of the urgency that is not really an option now, is it?
What is spoofing?
The definition of spoofing is: to display characteristics that do not belong to you, in order to assume a false identity. We've talked about email spoofing in the past, but in this case we're talking about caller ID spoofing. Caller ID spoofing is when someone calling your phone deliberately falsifies the information transmitted to your caller ID display to disguise their identity.
Normally your display indicates the phone number and name associated with the line used to call you. But there are services that allow you to display any spoofed caller ID. Some Voice over IP (VoIP) providers simply allow the user to configure their displayed number as part of the configuration page on the provider's web interface.
How does this scam pan out?
The scammer calls the victim while spoofing a phone number that belongs to the bank. And the scammer comes prepared with enough knowledge about the victim’s bank account to take away the last shreds of doubt. They tell the victim that they have noticed unusual activity on the victim’s bank account and urgently advise them to put their money in a different account.
If the victim indicates that they only have the one account, the scammer offers them a so-called “vault account” of the bank. The scammer explains that such an account is a safe place for their funds. Their money may be unavailable in such an account for a few days, but that is better than getting robbed blind isn’t it? If the victim starts asking a lot of questions, the scammer will say that there is no time to waste because of the danger of losing everything to an unknown entity. Of course, the “vault account” belongs to the scammer and the whole theatrics are designed to get the victim to transfer their belongings into that account.
Extra information from phishing
What makes this extra successful is that the scammers really come to the call prepared. They can tell you how much you have in your account and who received your latest payments. There are a few theories about how the scammers can obtain that information. Some even go as far to claim that they must have someone on the inside. This would explain a lot, but some victims admitted having received a phishing mail not too far before the call.
If the victims have clicked the link in that mail and have logged in to the phisher's fake bank website, this not only explains how the scammers obtained the information, it also adds credibility to the story of the scammer on the phone. After all, the phishing attempt could have resulted in unauthorized access. What gives the “insider” scenario some extra credibility is the fact that some victims had recently raised their transaction limits because they needed to make some large payments.
Phishing sites mirror the bank site, and the phisher can follow the input of the victim into the real bank site. This allows them to have a look at the account details after getting logged in and equips them with the information they can use during the phone call.
Banking security measures
If the information the scammer has about the victim’s account stems from a phishing attempt and the bank uses a 2FA login method, then the login information will grow stale rather quickly. A successful phish allows the scammer to log in, but usually only once. They can look around and gather intel to prepare their call. Any subsequent action like making a payment or changing the 2FA settings would have to be authorized separately, and such a request would likely make the victim suspicious.
What investigators from a Dutch consumer television show found out is that some banks are more likely than others to be targeted. The investigators suspect that customers of banks that use a card reader to scan QR codes to authorize logins and payments are less vulnerable than those that send text messages. This could be because it is more difficult to mimic the QR codes on the bank phishing site than it is to create an input field for the verification code.
Another fail-safe that the scammer will try to circumvent, if necessary, are the transaction limits that are in place by default for some banks. These are often limited to rather small amounts and customers will have to raise the limit if they want to make larger payments. When the bank asks you to raise this limit instead of the other way around that should be a red flag. Remember that they can do it for you in case of a real emergency.
The aftermath of a spoofing attack
The scammers will try and make sure that the victim will not immediately realize that they have been had, so the scammers can make the money disappear from the target account in order to stop the payments being reversed.
With some banks you will have insurance against banking fraud, but other banks will say the victim transferred the funds themselves and will accept no responsibility for the loss. In most countries you are protected by law against fraudulent payments under certain conditions. One of these conditions can generally be described as “the customer should not be careless”, and a customer could be seen as careless if they gave away their login credentials. Whether entering those credentials on a bank phishing site that looks exactly like the one that belongs to the bank is a careless act is up for debate it seems.
So, in a worst case scenario you would not only feel embarrassed because you fell for the scam, you could also be labelled careless and lose the money in your account.
The future of caller ID spoofing
Caller ID spoofing has been causing problems since 2004 when a service was opened to allow spoofed calls to be placed from a web interface. In 2018, we mentioned one method of caller ID spoofing called "neighbor spoofing”. Neighbor spoofing was a popular method among cold callers using the same area code and telephone prefix of the person being called. Caller ID spoofing is generally legal in the United States unless done "with the intent to defraud, cause harm, or wrongfully obtain anything of value". In 2019 the TRACED Act, the first federal law designed to curb unwanted robocalls was signed.
SEC. 7. PROTECTIONS FROM SPOOFED CALLS.
IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, and consistent with the call authentication frameworks under section 4, the Com15 mission shall initiate a rulemaking to help protect a subscriber from receiving unwanted calls or text messages from a caller using an unauthenticated number.
Stirred, not shaken
One helpful tool in setting up such protection is the STIR/SHAKEN framework which is a caller ID authentication and verification measure. STIR and SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID. The Federal Communications Commission (FCC) is leading the push for industry adoption of these standards to help consumers as quickly as possible.
If and when other countries decide to do more than just make caller ID spoofing illegal, preferably by implementing and adhering to the STIR/SHAKEN framework, this will make consumers around the world just that bit safer and make the scam we discussed a lot harder to pull off.
In the meanwhile, stay safe everyone!