The Scourge of Phone Spoofing

 Introduction

A trend which keeps increasing and sees people receive unwanted calls and messages is caller-id spoofing. Number spoofing is when someone fakes outgoing caller ID info to show a number that isn’t theirs. The spoofed number often belongs to a real person or business, but not to the person using it to call you. 

A common strategy is neighbour spoofing, which is when the caller displays a number with your area code so that you’re more likely to pick up. Scammers will even spoof the numbers of legitimate government agencies, banks, and insurance providers to fool people into paying fraudulent fees or revealing sensitive information. The spoofers goal is  to make a profit by dishonest means.

There are difficulties in presenting caller-id spoofing because it is not illegal as there legitimate use cases of it. There are situations when number spoofing is arguably necessary, or at least understandable. For example, a doctor might display their office number when they need to make professional calls from their home or cell. A company might display its toll-free customer service line rather than one of its hundreds or thousands of numbers. A person travelling for work might display their home office number when making calls from abroad. In all of these scenarios, call spoofing is legal.

The laws and regulations may between countries so that is only a general overview but often call spoofing is illegal only when the caller intends to “defraud, harm, or wrongfully obtain anything of value” from the call recipient. 

At the moment due to the coronavirus crisis, there has been a surge in the number of spam and nuisance calls and messages. As the race for effective treatments and vaccines for COVID-19 intensifies, scammers continue to prey on people hopes and fears in attempts to steal financial info, exhort money or both.

Steps an Individual can Take

There are several steps an individual can take if they are receiving a number of unwanted calls or their own number is being spoofed.

  1. Record a new voicemail message. You can say something like, “If you got a call from this number, please understand that telemarketers or scammers are using my number without my permission. For your own security, do not engage with them and please block this number.” As more people block your number, it  will lose its value to spoofers, making them less likely to continue using it.
  2. If you’re getting overwhelmed with calls and texts, you can temporarily (or permanently) use a 3rd party application to block all numbers that aren’t in your phonebook. Also, block unwanted numbers, in general, should help avoid repeat calls. Though it is best to add numbers to your contacts or phonebook of your bank, insurance, GP etc to avoid missing potentially vital calls. 
  3.  File a complaint with the relevant authorities or agencies in your own country that oversee TelecommunicationsGenerally, they are cracking down on people making illegal robocalls and spoof calls, so any information you provide might help. 
  4. Identity thieves and other fraudsters often pose as representatives of banks, credit card companies, creditors, or government bodies (including the Scottish Parliament and Welsh Assembly) to get people to reveal their account numbers and other sensitive information.
    • Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences.
    • If someone rings you asking for this information, don't provide it. Instead, hang up and call the phone number on your account statement, in the phone book, or on the company's or government department's website to check whether the call was genuine. Wait at least five minutes before making the call - this ensures the line has cleared and you're not still speaking to the fraudster or an accomplice.
  5. Also, staying informed and aware of different types of scams making the rounds is can be vital in ensuring you don't fall for them. 

Scammers tend to cycle through numbers like fast food joints churn out fries, so they’ll stop using your number after a while. By following the steps above, you should be able to speed up the process. Since number spoofers often call the same people multiple times, they’ll realise your number’s no longer useful to them as more and more people block it — and then they’ll stop spoofing it.

Other Actions Being Done

Industry and the Government are also taking steps to mitigate and hopefully prevent malicious use of caller-id spoofing from occurring. Because calls with spoofed numbers can and do come from all over the world and account for a significant and growing proportion of nuisance calls.

In the UK, Ofcom is working with the international regulators and as well as the telecoms industry to find solutions to the problem. As Voice over IP (VoIP) technology  (the type of technology used to make internet calls) is often used in spoofing. They are seeking to address through their work in completing the switchover from ‘public switched telephone network’ (PSTN) to IP technology. Also the Internet Engineering Task Force (IETF), which helps to develop internet standards, has created a group specifically to tackle this issue. This the Secure Telephony Identity Revisited (STIR) working group. 

Examples of action taken are the work of the UK's  HM Revenue and Customs (HMRC) have put an end to fraudster’s spoofing the tax authority’s most recognisable helpline numbers by deploying defensive controls to prevent fraudsters from spoofing the numbers of HMRC. The controls, created in partnership with the telecommunications industry and Ofcom, prevent spoofing of HMRC’s most used inbound helpline numbers and are the first to be used by a government department in the UK. Criminals may still try and use less credible numbers to deploy their scams but that means they will be easier to spot. These measures have significantly reduced the number of reported scams of people receiving spams calls of people claiming to be from HMRC. 

Conclusion

Generally, at least once a year now there seems to be a period of a few weeks where I get numerous spam calls. The easiest way I have found is to just ignore calls from numbers I don't know, look them up to see if they belong to a legitimate source (99% of the time they don't) then block them. So far that seems to minimise the amount of spams calls I get but it varies. In my opinion knowledge of this types of attacks which quickly fall into the category of social engineering can only be stopped by having the knowledge and tools to identify them yourself and to help others who may not be as technology savvy or quick to pick up when they are being conned. Hopefully, this post has provided some useful ideas and information. I would encourage further reading on this area and take some time to ensure yourself, family and friends are aware of phone/caller-id spoofing to minimise the risk of being caught by this type of social engineering attack.

Sources

Comments

Popular posts

Personal Interest - Unbuilt fleets of the Royal Navy

Personal Interest - RAF Unbuilt Projects

Balancing functionality, usability and security in design