The Scourge of Phone Spoofing

 Introduction

A trend which keeps increasing and sees people receive unwanted calls and messages is caller-id spoofing. Number spoofing is when someone fakes outgoing caller ID info to show a number that isn’t theirs. The spoofed number often belongs to a real person or business, but not to the person using it to call you. 

A common strategy is neighbour spoofing, which is when the caller displays a number with your area code so that you’re more likely to pick up. Scammers will even spoof the numbers of legitimate government agencies, banks, and insurance providers to fool people into paying fraudulent fees or revealing sensitive information. The spoofers goal is  to make a profit by dishonest means.

There are difficulties in presenting caller-id spoofing because it is not illegal as there legitimate use cases of it. There are situations when number spoofing is arguably necessary, or at least understandable. For example, a doctor might display their office number when they need to make professional calls from their home or cell. A company might display its toll-free customer service line rather than one of its hundreds or thousands of numbers. A person travelling for work might display their home office number when making calls from abroad. In all of these scenarios, call spoofing is legal.

The laws and regulations may between countries so that is only a general overview but often call spoofing is illegal only when the caller intends to “defraud, harm, or wrongfully obtain anything of value” from the call recipient. 

At the moment due to the coronavirus crisis, there has been a surge in the number of spam and nuisance calls and messages. As the race for effective treatments and vaccines for COVID-19 intensifies, scammers continue to prey on people hopes and fears in attempts to steal financial info, exhort money or both.

Steps an Individual can Take

There are several steps an individual can take if they are receiving a number of unwanted calls or their own number is being spoofed.

  1. Record a new voicemail message. You can say something like, “If you got a call from this number, please understand that telemarketers or scammers are using my number without my permission. For your own security, do not engage with them and please block this number.” As more people block your number, it  will lose its value to spoofers, making them less likely to continue using it.
  2. If you’re getting overwhelmed with calls and texts, you can temporarily (or permanently) use a 3rd party application to block all numbers that aren’t in your phonebook. Also, block unwanted numbers, in general, should help avoid repeat calls. Though it is best to add numbers to your contacts or phonebook of your bank, insurance, GP etc to avoid missing potentially vital calls. 
  3.  File a complaint with the relevant authorities or agencies in your own country that oversee TelecommunicationsGenerally, they are cracking down on people making illegal robocalls and spoof calls, so any information you provide might help. 
  4. Identity thieves and other fraudsters often pose as representatives of banks, credit card companies, creditors, or government bodies (including the Scottish Parliament and Welsh Assembly) to get people to reveal their account numbers and other sensitive information.
    • Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences.
    • If someone rings you asking for this information, don't provide it. Instead, hang up and call the phone number on your account statement, in the phone book, or on the company's or government department's website to check whether the call was genuine. Wait at least five minutes before making the call - this ensures the line has cleared and you're not still speaking to the fraudster or an accomplice.
  5. Also, staying informed and aware of different types of scams making the rounds is can be vital in ensuring you don't fall for them. 

Scammers tend to cycle through numbers like fast food joints churn out fries, so they’ll stop using your number after a while. By following the steps above, you should be able to speed up the process. Since number spoofers often call the same people multiple times, they’ll realise your number’s no longer useful to them as more and more people block it — and then they’ll stop spoofing it.

Other Actions Being Done

Industry and the Government are also taking steps to mitigate and hopefully prevent malicious use of caller-id spoofing from occurring. Because calls with spoofed numbers can and do come from all over the world and account for a significant and growing proportion of nuisance calls.

In the UK, Ofcom is working with the international regulators and as well as the telecoms industry to find solutions to the problem. As Voice over IP (VoIP) technology  (the type of technology used to make internet calls) is often used in spoofing. They are seeking to address through their work in completing the switchover from ‘public switched telephone network’ (PSTN) to IP technology. Also the Internet Engineering Task Force (IETF), which helps to develop internet standards, has created a group specifically to tackle this issue. This the Secure Telephony Identity Revisited (STIR) working group. 

Examples of action taken are the work of the UK's  HM Revenue and Customs (HMRC) have put an end to fraudster’s spoofing the tax authority’s most recognisable helpline numbers by deploying defensive controls to prevent fraudsters from spoofing the numbers of HMRC. The controls, created in partnership with the telecommunications industry and Ofcom, prevent spoofing of HMRC’s most used inbound helpline numbers and are the first to be used by a government department in the UK. Criminals may still try and use less credible numbers to deploy their scams but that means they will be easier to spot. These measures have significantly reduced the number of reported scams of people receiving spams calls of people claiming to be from HMRC. 

Conclusion

Generally, at least once a year now there seems to be a period of a few weeks where I get numerous spam calls. The easiest way I have found is to just ignore calls from numbers I don't know, look them up to see if they belong to a legitimate source (99% of the time they don't) then block them. So far that seems to minimise the amount of spams calls I get but it varies. In my opinion knowledge of this types of attacks which quickly fall into the category of social engineering can only be stopped by having the knowledge and tools to identify them yourself and to help others who may not be as technology savvy or quick to pick up when they are being conned. Hopefully, this post has provided some useful ideas and information. I would encourage further reading on this area and take some time to ensure yourself, family and friends are aware of phone/caller-id spoofing to minimise the risk of being caught by this type of social engineering attack.

Sources

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more