The Anti-Phishing Working Group (APWG) reported
that during the third quarter of 2024, there was a strong increase in phone
call phishing, which was 28% higher than in the previous quarter. The report
also noted campaigns that impersonated organizations not usually targeted, such
as gas and electric companies, and city services.
Phone call phishing confronts the victim directly with an attacker backed by a team and a mature process, refined through trial and error. These attackers often operate with near impunity, repeatedly putting the victim in an unfair position. Let’s explore how these scams work, review one case, and discuss what alternatives we have if we get hooked in one of these situations.
How do phishing scams work?
A scammer (attacker) gathers information in preparation for
an attack. They collect details from our online resumes, public profiles, and
information we share on social networks or through other social engineering
techniques.
They then craft a convincing or intimidating story. They may
pretend to be from popular companies, government entities (like tax authorities
or police), charities, service providers, financial institutions, or even
impersonate employees using their public profiles.
This combination persuades the victim to interact with the
scammer. If the attack is over the phone, they might trick you into not hanging
up so you can’t verify their story. It can be much harder to refuse a request
made over the phone compared to one made in a popup message in your browser, a
text on your phone, or an email.
The final goal, whether they charm or intimidate their
target, is usually to get a payment or sensitive information. At this point,
the victim is too involved or stressed to think clearly. The scammer will offer
options like payment apps, money transfer services, buying cryptocurrency,
wiring money, adding money to a gift card, or receiving a check or money
through an app.
Although this is a common pattern these attackers may follow,
they continue to evolve and change their methods, using technologies like
Generative AI to carry out their crimes.
Case Study: Impersonation Scam.
December 30, 2024
The victim received a voicemail with the following message:
“This is Sergeant G**** with the N**** County Sheriff’s Office, trying to
establish contact. I believe this is A**** M****. Mr. M****, please give me a
call back as soon as you get this. My callback number is 9##-###-####. Once
again, my callback number is 9##-###-####.”
The victim was about to have lunch with their family and,
due to the urgency of the message and the fact that it was from an authority,
the victim did not want to delay and decided to call immediately. Sergeant
G**** identified himself from the county Sheriff’s office and instructed the
victim to move to a room away from everyone, alleging that the information was
a legal matter and only the person involved was authorized to listen. The
victim complied, and once alone, the officer started by warning that the call
was about to be recorded. He explained the process and the alternatives in
great detail. Each time he finished explaining something, he asked the victim
to say their name and the date out loud as assurance that everything up to that
point had been understood. The victim imagined the worst—that someone had
cloned their identity and a criminal actor was misusing the victim’s name—which
stressed the situation even more.
The first choice offered to the victim was to hang up and
seek legal aid, with the consequence of being routed into the criminal
process, which could lead to imprisonment and criminal charges being recorded
on the victim’s legal history. The second possibility was to follow the
civil process by freezing the citations against the victim. There were two
citations, one for $1,750.00 and the second one for $1,250.00. After more than
half an hour, there was still no clarity about the possible cause of these
citations. The victim then questioned Sergeant G**** to clarify what caused
this situation, and the Sergeant explained that there was a subpoena signed by
the victim. The Sergeant promised that if it turned out to be an error, the
money would be refunded.
The Sergeant asked what platform was convenient for the
victim to make the payment. The victim, frustrated and thinking about what
other criminal activities might be discovered in the coming days, recognized
the need to be sure of every step and decision to minimize the impact of this
bad situation. The victim then asked how they could verify that it was not a
scam. The Sergeant offered to transfer the call to his supervisor. The victim
rejected that offer, asked for the Sergeant’s badge number, and searched for
the N**** County Sheriff’s office phone number. They called (with the speaker on) to
verify the Sergeant’s identity. The person in the civil department immediately
replied that it was a scam, and the attacker, after listening, hung up. Finally,
the victim searched for Sergeant G**** and found a public profile on a
professional social media platform. The victim continued on a preventive path
and reported this to the authorities.
What could we do if we face this situation?
Prevention
The primary action recommended by the Federal Trade
Commission (FTC) Consumer Advice is to block unwanted calls and text
messages.
Identify the Red Flags
· Isolation: The scammer will use any convincing argument to speak with you alone.
· Conditions: The scammer will set persuasive rules to limit your choices, such as not hanging up the phone.
· Lack of Information: Depending on their reconnaissance phase, they will struggle to justify their arguments. Avoid providing additional information.
· Platforms: They will never have access to authorized payment platforms.
The FTC also mentions another crucial point: resist the
pressure to act immediately. Legitimate businesses will give you time to make a
decision.
What else would you do to prevent or stop such a situation?
Please leave a comment.
Important links: