Spoofing a phone number is not a new concept, you probably get several calls from them a day, but with the accessibility of VoIP solutions and open source software spoofing a phone number is a breeze.
Telemarketers, robocalls, spammers, scammers, and even prank callers use it, and what once started as a simple grab and go of any available phone number has since evolved.
The first iteration and most common is to acquire a localized phone number that uses the same area code of the victim’s (nearly 18 percent of all unwanted robocalls), but the most advanced will outright attempt to spoof a number for a known brand or company. In most cases you already have a contact name listed on your mobile device, and a spoofed number will still show that information as if they are calling. Be it a vendor or other business relationship, these calls can quickly result in a loss of money or private information.
Ultimately the effectiveness and outcomes of these attacks are fully dependent upon how the caller engineers the conversation and the motive.
New Guidance From FCC
According to the FCC, “spoofing occurs when a caller deliberately falsifies information transmitted to your caller ID display to disguise their identity. Spoofing is often used as part of an attempt to trick someone into giving away valuable personal information so it can be used for fraudulent activity or sold illegally. U.S. law and FCC rules prohibit most types of spoofing.”
Last year marked a new high for spoofed calls, with an FCC report issued in December of 2017 stating an average of 375,000 complaints per month, and that is only the number of reports sent into the FCC. In response to the growing threat, the FCC issued a Notice of Inquiry to collect feedback or solutions to help reduce the damage created by it at the start of 2018 and just announced findings. Though there have been carrier-based and third-party solutions, the FCC and FTC are working together to create a Caller ID authentication program.
“This technology allows for authenticating caller ID information and for that information to be transmitted to carriers along the call path. While several voice providers have already begun testing these protocols, the technology is still currently in development,” stated Eduard Bartholme, Chairperson FCC Consumer Advisory Committee, in a late February report.
How Threat Actors Target Employees
For consumers, caller ID spoofing is a regular occurrence, but for employees, these attacks tend to be a bit more targeted. Unlike the typical pray and spray approach, when a caller goes after a brand or company they must engineer ways to get the victim to either share private information, initiate a wire transfer, or even hand over credentials and billing information.
Caller ID Spoof type: Targeted (spoof known brands/companies number, including internal)
Goal: Initiate wire transfers, acquire credentials, steal private information
While organizations can also receive the same robocall types that a general consumer will, it’s more likely they are being targeted as a person rather than as a company.
How Threat Actors Target Consumers
Like employees, threat actors will also go after consumers. These can be anything from robocalls to international scammers, and they commonly use timely events to engineer a sense of urgency. For example, this time of year, tax season, is prime for IRS and tax collection scams. Other ongoing scams can involve fake insurance claims, prize winnings, and other official-sounding calls to action that result in the theft of your personal information.
If someone asks for you to pay in gift cards, initiate a wire transfer, or pay in bitcoin, those are huge red flags.
Caller ID Spoof type: Localized (similar area code and even same first few numbers)
Goal: Trick you into accepting the call due to its familiar nature
Reducing Impact and What to Look For
While the FCC is busy implementing their own Caller ID Authentication system, there are some current tools available to help curtail or even prevent ever receiving calls from spoofed caller IDs.
For starters, if the calls are going after a mobile number, most devices allow you to block a number. Unfortunately, this is not very effective as a spoofed or localized number is very easy to swap out, and in many cases they also use a rotating list of numbers as well.
If a caller is seeking information on an invoice or paying a vendor through a wire transfer just verify the information. Business Email Compromise (BEC) attacks happen all the time, and the only difference between using a spoofed caller ID is voice versus text. Even if the amount seems small, verify the information both internally and with the sender.
Did someone call you and request a wire transfer or private information? Don’t authenticate the call right then. Instead, either call the number back or to a second line of their own that they did not just provide. By doing so you’ll be able to more accurately confirm the authenticity of the call.
Carrier and Third-Party Apps
Some carriers will charge you to use a filtering tool or app, while others offer it for free by downloading it. In most cases, your mobile devices or network does not include this by default, so it’ll have to be set up after the fact, but these also prevent or reduce the number of scam calls that make it to your phone. Apps like TrueCaller are also effective as they continuously compile numbers that have a history of scams or spam, and will automatically alert you to this when a call comes in.
Don’t Answer the Call
If the number looks phishy (fishy), trust your instinct. Although some of the robocalls will give you an option to remove yourself from their list, there is a good chance you are just helping to confirm a human manages that phone line. Don’t answer the call, don’t interact with the robocaller or scammer. Just let it go to voicemail. The worst case scenario is that the call is legit and you need to call them back.
Do Not Call Registry
It’s been around for years now, you may even have your number already on there, but the National Do Not Call Registry is a small way to reduce robocalls. Unfortunately, this is only beneficial if the call originates from the US, so scammers can continue to do as they please.
Report the Call to the FCC or Local Law Enforcement
If you get a scammy call report it to the FCC, and if you believe you may have accidentally just sent a bunch of money to a scammer, call the local non-emergency line of your police department.