By Kem Gay, Senior Intelligence Analyst, 4iQ
As an intelligence analyst, I am as prepared as anybody for the current COVID-19 environment. From practicing good cyber hygiene – avoiding suspicious emails, using strong passwords, keeping my software updated, etc. – to understanding the current cyber threat landscape, I make a concerted effort to mitigate risks and protect my data from exploitative threat actors who are looking to inflict financial and reputational harm. However, one type of scam I’ve received numerous times in recent months, considered by many as a dated deception technique, has surprised me with its level of sophistication and creativity.
As of June 30, 2020, Imposter Scams were ranked second in all reported cases of fraud, according to the Federal Trade Commission’s Consumer Sentinel Network. Last year, people reported losing more than $667 million to imposters, most frequently paying scammers with a gift card. Usually involving robocalls with too good to be true offers like a free trip or an investment opportunity, these scams were once easily identified since most would come from out-of-state numbers. However, with spoofing technology, fraudsters now easily change the incoming number seen on caller IDs, making it appear from one’s local area and even more difficult to detect.
Recently, I received several consecutive calls from an unknown number. I have a habit of not answering them, as they are usually spam, however, surprisingly a voicemail was left. Even more shocking, the caller stated he was a technician from Apple Support and was reaching out about suspicious activity on my iCloud account. I was swiftly going to return the call when my phone rang again. The technician appeared as if he was calling from a call center, as I could hear voices of other technicians asking routine questions to unwitting victims.
In these scenarios, the fraudster typically has two objectives: first, get the victim to share a computer screen so they can install malware to steal PII and other financial information; and second, lure the victim away from the computer to gain time for additional probing by telling the victim to go purchase a gift card. Fortunately, I didn’t fall victim to either scenario, but I was impressed with the scale and sophistication of the scheme. After I pressed the fraudster to provide me with information to confirm my account, he transferred me to a manager. When I hung up on the caller, he called me back eight times and even followed up with me via text.
Fraudsters will spoof reputable businesses and attempt to exploit the fact that people want companies, like Apple, to have their best interest in mind and notify them if there are any technical issues. However, Apple, like most reputable organizations, doesn’t call consumers out of the blue to ask for sensitive information and advises users who receive unsolicited or suspicious phone calls from someone claiming to be from the company to hang up the phone.
Although the Federal Communications Commission (FCC) has made combatting unlawful robocalls and malicious caller ID spoofing a top consumer protection priority, fraudsters continue to evade and find creative ways to lure victims through their mobile phones. The COVID-19 pandemic has created a perfect environment for phone scams as more people are connected to their phones when working from home. Scammers constantly shift tactics and messaging to keep up with the times – from tax season to the pandemic. In just the past seven months, the FCC has received approximately 35K complaints.
In another sophisticated scam, I received a voice message from someone claiming to be an “investigator” from county court services who was looking for a relative of mine residing in another state. The caller stated my number was provided as a possible location of the relative; my relative ostensibly needed to call a number to prevent a court case from proceeding. I immediately called the relative in question, who stated he had heard the same thing from another friend. Over the course of four hours, six other family members were contacted. No one knew who this “investigator” was and the relative did not have any pending legal issues. Interestingly, the only demand of the caller was to relay the message – a tactic that seems counterintuitive for a suspected fraudster. Eventually, the relative in question called the “investigator” who in turn asked for his social security number and date of birth to verify the alleged court case, most likely a ploy to steal my relative’s PII. When this information wasn’t provided, the “investigator” threatened my relative with jail time. A quick internet search revealed this type of call was a prevalent scam in the area where my relative lives.
This phone scam is unique because it questions an individual’s reputation. At a psychological level, most people care about what others think of them, and the fear of social censure from peers can be demoralizing. This fraud is most likely used to unsettle victims, leading them to call the “investigator” back and disclose any information asked of them.
As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear – pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do No Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.
Kem Gay is a Senior Intelligence Analyst for 4iQ, an adversary intelligence company that tracks the use of stolen personal identities by scouring the hidden corners of the Internet.