‘Spear phishing’ + caller ID spoofing = scam on STEROIDS
The Federal Trade Commission (FTC) said scammers are ramping up a combination of two classic phone scams (graphic courtesy of U.S. Navy).
Spear phishing is when an unsolicited caller targets a specific company or individual. The caller uses information it already has on the target to trick that target into giving up more personal or financial information.
FTC Consumer Education Specialist Lisa Lake crafted this example:
“I’m calling from [pick any bank]. Someone’s been using your debit card ending in 2345 at [pick any retailer]. I’ll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity…”
“The caller knows some of your personal details,” wrote Lake in this FTC blog. “Does that mean it’s legit? No. It’s a scam — and scammers are counting on the call being so unsettling that you might not stop to check your bank statement.”
To make it even more convincing, the scammer manipulates your caller ID to show the bank’s name and correct customer service number. That’s called caller ID spoofing, a scam I investigated extensively when I was a TV reporter and one which I wrote about in this #WiseWarning blog.
“That’s when scammers fake their caller ID to trick you into thinking the call is from someone you trust,” Lake said.
I’ve reported time and time again: never answer a call you do not recognize on your caller ID, even if the area code is familiar, and never answer a call that reveals your own number on your caller ID. Even if you answer and don’t fall for the scam, you have acknowledged to the scammer’s automated system that yours is a legitimate number (these calls are electronically and randomly generated). They will sell your number on mass mailing lists to other phishers, scammers and telemarketers. The unsolicited calls will skyrocket.
But this double-whammy’s different. Not only does the scammer already have information on you to confuse you into following along, but the scammer has also duped your caller ID to look like a number you do recognize. So what do you do?
Lake wrote in her blog that you should follow THESE tips:
- Don’t assume your caller ID is proof of whom you’re dealing with. Scammers can make it look like they’re calling from a company or number you trust.
- If you get a phone call, email or text from someone asking for your personal information, don’t respond. Instead, check it out using contact info you know is correct.
- Don’t trust someone just because they have personal information about you. Scammers have ways of getting that information.
I’ll add that you should immediately hang up or discontinue the text/email dialogue, look up the correct contact information for your bank or the alleged source yourself, then contact the real source directly to verify what’s happening (or not happening). You should also simply check your online bank statement.
If you get an unsolicited call, email or text combining spear phishing and caller ID spoofing, I’d love to hear about it. Please alert me at firstname.lastname@example.org. I’ll be happy to have a dialogue with you.
Copyright 2018 Wise Choices TM. All rights reserved.