Social Engineering Exploits Delivered Via Telephone

Most people who use a computer have received bogus emails claiming they have won a prize, need to verify online banking credentials, or are being contacted to accept funds from some far-away estate with no rightful owner, among other elaborate stories. The list goes on. These email-based scams are referred to as phishing attacks. They are carried out by criminals looking to harvest sensitive information from unsuspecting individuals who fall for the story.

Similar scams are being perpetrated over the telephone and are called vishing attacks. These scams aim to get individuals to give up sensitive information such as credit card data, banking credentials or other personal details. Many individuals have come to accept ANI or caller ID as verification of who is calling. Scammers know this and are using the ability to manipulate caller ID information to defraud unsuspecting individuals.

Anyone can manipulate caller ID information, a practice called ANI spoofing, and it’s as simple as purchasing an online service. These services let the caller change the number displayed on the recipient’s caller ID, change the voice from male to female or the reverse, and record everything that was said. A tool like this may be fun for the average prankster, but it can be costly to those exposed to a criminal intent on defrauding individuals. Here’s how a typical scam might work.

An organized crime group sets up its own server to manipulate ANI. The group takes a predetermined set of phone numbers and dials them en masse; this is called war dialing. As the call rings on the receiving end, the caller ID displays the name of the ‘institution’ the caller pretends to be. A recorded message indicates that the recipient has a problem with an account and must dial a particular phone number to resolve the issue. When the recipient dials that number, an automated voice agent prompts them to enter sensitive information such as banking details, credit card data, address, social security number and more. What the unsuspecting individual has not realized is that the call was a scam: they have just handed a thief access to a credit card or online bank account, or worse, provided enough information to become the victim of identity theft.
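The mass-dialing step described above leaves a footprint in call records that a defender can look for. The following is an added example, not code from the original post; it assumes that a PBX or carrier-side administrator has call detail records (CDRs) in a simple constructed CSV form (timestamp, displayed caller ID, called number, duration in seconds) and flags caller IDs that reach many distinct numbers within a short window, noting when the call lengths are nearly identical, which is what a played-back recording looks like. Thresholds and the sample records are constructed for illustration.

```python
"""Flag mass-dialing (war-dialing) bursts in call detail records.

Added example, not part of the original post. Assumes CDRs are available
in the constructed CSV form: timestamp,caller_id,called_number,duration_seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample CDRs. One displayed caller ID hits many distinct numbers
# within seconds, each call lasting about the same time (a recorded message).
# The last two lines are ordinary calls for contrast.
SAMPLE_CDRS = """\
2024-01-15T09:00:01,8005550100,2125550101,31
2024-01-15T09:00:02,8005550100,2125550102,30
2024-01-15T09:00:04,8005550100,2125550103,31
2024-01-15T09:00:05,8005550100,2125550104,30
2024-01-15T09:00:07,8005550100,2125550105,31
2024-01-15T09:00:08,8005550100,2125550106,30
2024-01-15T09:03:10,2125550199,2125550101,245
2024-01-15T09:45:00,3125550177,2125550103,87
"""


def parse_cdrs(text):
    """Parse the CSV records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, caller, callee, duration = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "caller": caller,
            "callee": callee,
            "duration": int(duration),
        })
    return records


def find_mass_dial_bursts(records, min_targets=5, window=timedelta(minutes=1),
                          max_duration_spread=5.0):
    """Return one finding per caller ID that reaches at least `min_targets`
    distinct numbers inside a sliding time window. `uniform_duration` is True
    when the call lengths in the burst vary by at most `max_duration_spread`
    seconds (population standard deviation), a hint of automated playback."""
    by_caller = defaultdict(list)
    for record in records:
        by_caller[record["caller"]].append(record)

    findings = []
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(calls)):
            # Shrink the window from the left until it spans at most `window`.
            while calls[end]["ts"] - calls[start]["ts"] > window:
                start += 1
            span = calls[start:end + 1]
            targets = {r["callee"] for r in span}
            if len(targets) >= min_targets:
                durations = [r["duration"] for r in span]
                findings.append({
                    "caller_id": caller,
                    "burst_start": span[0]["ts"].isoformat(),
                    "distinct_targets": len(targets),
                    "uniform_duration": pstdev(durations) <= max_duration_spread,
                })
                break  # one alert per caller ID is enough
    return findings


if __name__ == "__main__":
    for finding in find_mass_dial_bursts(parse_cdrs(SAMPLE_CDRS)):
        print(finding)
```

A burst finding on its own does not prove fraud (legitimate appointment reminders also robocall), so in practice it is combined with a check of whether the displayed number is one the named institution actually publishes, and then used to warn the targeted customers.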

Fraud has existed since the beginning of time, and it remains with us today. What has changed are the methods a criminal can use to defraud an unsuspecting individual or institution. Technology has been a catalyst for many ongoing exploits. To protect yourself, follow a few simple rules of the kind you already follow in everyday life.

  • Know who you are dealing with. Just because the phone says Bank of Your Choice, don’t assume it is.
  • Your bank already knows who you are, so a request that you provide sensitive information such as a social security number is a big red flag. If it really is your institution and they use such information to validate who you are, get a new banker.
  • Be on guard: if it sounds too good to be true, it is.

Know that there are scammers who launch social engineering attacks through vishing scams. Be wary of what your caller ID tells you. If you find you cannot resist believing that little display, put a piece of duct tape over it!
