Old School Phone Phishing Scams Make A Comeback

August 17, 2023

Just when you think it’s safe to answer your phone, think again. With the wave of phishing scams using emails and texts (SMS) as weapons, hackers are finding the public is getting better at spotting them. In response, cybercriminals are now revisiting phone scams as a way of reaching the same end as their online counterparts: to steal as much PII (personally identifiable information), including financial data, as possible. Adding insult to injury, after a hacker cleans out a victim’s accounts, they put the hijacked PII up for sale on the Dark Web. In 2018, the Federal Trade Commission (FTC) found phone phishing was one of the top three identity theft attacks. The other two were credit card fraud and employment or tax-related fraud.

Taking advantage of human nature may be as old as history itself. Last year, the FTC reported over 1.1 million fraud complaints, and 74% of those complaints involved phone scams as the method of attack. The agency also reports the average loss to victims was $1,000, triple the average amount lost using other fraudulent methods. Improvements in technology enable bad actors to use auto dialing, also known as robocalls, to dial millions of prospective victims a day. Phone spoofing tools can trick caller IDs into displaying legitimate-looking phone numbers, including ones that look like local calls. Hackers hope recipients will lower their guard and answer a call they believe is safe. Using aggressive tones, false promises, scare tactics and other plays on human vulnerabilities, phone scammers set the hook and reel in trusting victims.

Successful phone scams don’t take a whole lot of talent to pull off. A convincing voice and a vulnerable victim on the receiving end are all it takes.

The most common type of phone scam is the “man-in-the-middle” attack, where a scammer pretends to have a connection to the victim. In our digital world, the amount of PII posted online gives phone scammers even more ammunition to pull off man-in-the-middle attacks. Using details found on social media sites and business networking sites such as LinkedIn as bait, a convincing con has any number of resources available to establish a fraudulent connection with the person on the other end of the call. When that happens, the scammer gets even more PII from the victim. The more PII a hacker has to cobble together, the more successful and far-reaching the man-in-the-middle attack.

Keep information as generic as possible when posting online, and always be sure to secure those accounts as close to Ft. Knox as possible so the information is available only to those you intend to see it. This is especially important for those working in departments like human resources and accounting and finance. C-level managers are also valuable targets for these hackers.

Saying a simple “hello” to a caller can lead to fraudulent attacks, so think twice before you answer a call from an unfamiliar number. The simplest and most effective response to phone phishing is still the best advice: if you don’t recognize the caller, don’t pick up. It’s that easy.