Beware of These Common Telephone Scams


Social Engineering: What Is It?

Social engineering is the act of manipulating others into performing a specific action or giving away confidential info. This often occurs over the phone, and the technique is often used to gather info, commit fraud or access computer systems. In most cases, the victim will never meet the bad guy, and these scammers lie so casually and with such conviction that there is no reason for victims not to believe them.

Social Engineering and How It Affects People Both Online and in the Real World

Social engineering has a very negative effect on trust, as it is based on lies and fraud.

Lying is a learned behavior, usually picked up when we are young children. We may stumble upon a certain situation, usually something that is seen as ‘bad,’ and when confronted by an authority figure, such as a teacher or parent, we do not tell the truth. When they believe us, we are relieved of the consequences of telling the truth.

Once we learn this, we will use it throughout our lives. We lie to ourselves, and we lie to others. We see it as a survival mechanism in most cases, and most of us only do it occasionally. However, there are others out there who are professional liars. These people use deception to take things that are not theirs. They do not have empathy, they are greedy, and they are unconcerned about the consequences and harm of their actions.

We Are Easy to Con

Experienced liars can be so good that they end up in high-level positions such as CEOs, heads of state, judges, or members of the clergy. In fact, for about a year, I have corresponded with a minister who was sentenced to 18 months for identity theft.

What makes the problem worse is that humans are fairly naïve.

We were mostly raised to respect and love each other and to be cordial and kind. We were taught to be truthful, to behave and to expect others to be kind to us.

Trust is the foundation of any civilized society. Without trust, we would be unable to move forward and would constantly live in fear of the consequences of venturing outside. If we did not have trust, how could we get in a car and drive down the street with nothing but a yellow line separating us from a collision or even death?

Sensing Body Language

When a person lies to us, we typically suspect that things are not right. When we have face-to-face contact with someone else, it gives us a chance to spot the signs of deception. After all, human communication is not only words, but also tone of voice and body language. We all push our energy upon others, both negative and positive. Negative energy, when coupled with certain phrases, words or gestures, can send a message to us that we should be wary of what we are being told.

Using Technology to Lie

Technology has made it easy for thieves to become expert liars. We see thousands of ruses and scams pulled off daily. The key to stopping this, and not falling victim to these, is to understand the motivations, tactics and lures of the bad guy.

When people can sense a snake-oil salesman from afar, they are much safer and more secure than those who believe they are immune from becoming a victim to the lies of a conman. Trust is a necessary and fundamental part of life, but finding a balance between cynicism and trust can go far.

To illustrate how easy it is, DEFCON attendees were able to participate in a competition where they successfully manipulated employees from Fortune 500 companies. These people were able to get details about the inner workings of the companies, and the information they gained was more than enough to launch a cyber attack. Some of these people shared information about what operating systems were used, what type of antivirus software was on the browser, the browser brand, laptop model, email addresses, VPN and more.

In some cases, these DEFCON participants could get their targets to visit websites over the phone. This doesn’t seem like a big issue, but remember: simply visiting a website can allow a malicious program to get into your computer if you are not protected.

It is important to remember that while you are not likely to fall into the trap of someone who calls you, there is always a possibility. This means your company should always have protocols in place that regulate what employees can say to whom, when they can say it, and in what circumstances it is permitted. Training on social engineering is important in a business environment, and it is useful for any person who does not want to become a victim of a con artist.

Caller ID Spoofing Information

Spoofing is falsifying data and masquerading. Criminals use this to hide the phone numbers that they call from and, instead, display a different number on the caller ID. This is similar to email spoofing, where a message appears to have been sent from an email address other than the one that actually sent it. Website spoofing, another similar act, is when a phishing email is linked to a fake website. Most people trust what appears on their caller IDs, and they don’t understand that these systems can be easily manipulated to commit fraud.

Your imagination can run wild when thinking about all of the crimes that can occur with the help of caller ID spoofing, but this is also a helpful technology when investigating crime. For example, law enforcement officials often use the technology that allows for caller ID spoofing. They do that to disguise themselves when trying to catch a suspect. They may also use caller ID spoofing technology to catch people who are trying to evade child support, and people use it as a tool to catch a cheating spouse. Doctors sometimes use caller ID spoofing to hide their phone numbers when on call, and some business professionals use this technology to reach clients that may block private numbers.

Though those are not bad reasons for using caller ID spoofing, there are fraudulent ways to use it, and criminals take full advantage of it. These criminals may pose as entities that victims believe they can trust, such as charities, lotteries, law enforcement authorities, credit card companies and government agencies.

Vishing–What Is It?

One form of social engineering is vishing. This is when a criminal calls their victim on the phone and tries to pull out personal information that they can use to commit identity theft. The term comes from a mix of “voice” and “phishing.” Most criminals use phishing in email, but with vishing, sometimes in addition to a phishing email, the criminal relies on an automated phone call, which instructs people to leave account information via a voice mail.

The scammer will pose as a certain entity, and then use a dual approach, contacting potential victims through both telephone and email. This is a persistent method, and ultimately, a very convincing method for scamming. The best line of defense in this case is to determine whether the communications a person is receiving are legitimate by directly contacting the business, bank or government agency that is supposedly making contact.

Some of the techniques that criminals use during the process of vishing include:

  • VoIP: Voice over Internet Protocol is a phone system that is Internet-based, and it facilitates vishing by allowing several technologies, such as caller ID spoofing and others, to work together. Vishers often use VoIP to not only make calls, but also to exploit any databases that are connected to the VoIP systems.
  • Wardialing: This is a technique where a visher will use an automated system to call a certain area code with a message involving a local entity, such as a credit union or bank. When someone answers the call, either a targeted or generic recording will play, asking the victim to enter credit card, bank account or debit card information, including the PIN codes.
  • Social Engineering: Social engineering is a fancy and technical form of lying. These techniques are used to bypass the sophisticated security software and hardware that most people use. The automated recording that is used by vishers is often convincing and professional, though it is a big, fat lie.
  • Caller ID Spoofing: This is the practice where a trickster will cause the telephone network to show a false number on the victim’s caller ID. Many companies sell tools that can do this, and systems such as VoIP systems have flaws that allow caller ID spoofing to occur. The tools are usually used to show the number of a specific credit union or bank, or even the words “bank” and “credit union”, to attempt to trick a potential victim.

Protecting Yourself From Vishing

Knowledge is the key to protecting yourself from the practice of vishing. The more you understand about how vishing works, the better it will be for you. Take some time to read up on vishing incidents and talk to your bank to find out if they have information about vishing available. This crime is one that is rapidly evolving and is becoming more sophisticated all of the time, so it is important to stay up to date.

In order to protect yourself, keep the following in mind:

  • If you get a phone call, either a recorded voice or person, requesting personal information, simply hang up. If you believe the call has come from a legitimate organization, call them directly to follow up.
  • Do not trust caller ID. It is easily tampered with.
  • If you notice any potential fraud, call the bank to report it as quickly as you can.

Document any calls in which you give personal information. Write down what type of information they wanted, what you gave them, and if possible, the contact information of the caller, including area code.