I do not have the data to support my conclusion, but myself and others have noticed the sharp increase in email phishing attempts that include only a phishing message and a phone number to call. There are no embedded links or file attachments, and the subjects are just plausible enough that I can see them slipping by normal phishing filters and tricking some very small percentage of people.
If the potential victim is tricked into calling the included phone number, they will usually be directed to a scammer who will attempt to get them to pay a fraudulent bill using some method of payment. The involved phone number is often a VoIP phone number that connects to the scammer’s cell phone somewhere around the world.
Two Examples
Most of the phishing scams involve supposed pending payments for things the victim did not order. They are intended to induce a panicked response in the recipient who then calls to stop an order and bill they did not incur. The phishing scams range from very simple text to more elaborate, branded forms. Here are two examples:
The first is the most simple-looking of the scams.
It claims I, “Dear Customer”, supposedly bought a gaming PC for $520.45. It would be the cheapest gaming PC I ever bought. Usually, the high-end video cards that come with gaming PCs cost more than that. It apparently is trying to look like it is related to PayPal, but is coming from a generic Gmail email address. I love the closing salutations, where instead of stating the company’s name, it includes a typo and “Support Team…#” for some reason. The typo tells you the sender is probably not a native English speaker. The strange closing title is likely due to what the scammer typed into the program that generated the mass of fake emails that it sent out to potential victims. Either they typed in the error because they didn’t understand how the mass email program worked or the program was buggy. This email has scam written all over it.
In looking at a ton of real billing emails, all have identified me by name, indicated the vendor’s name, and included multiple ways to contact them. Not to mention that I actually recognized the vendor, product and transaction with real bills.
The next phishing example has more formatting sophistication and is branded as coming from Amazon.
It is wild that Amazon customer support is using a Gmail email address, huh? I do not know what a “Mice Media Module” is, but it is apparently a very expensive mouse. The stated phone numbers include the +1 country code, which is probably normal to include if you are outside the United States, but never included by any company originating in the United States to people in the United States. The sender did not know this peculiarity about United States culture. We are decidedly non-global thinking.
Interestingly, the “Unsubscribe link” at the bottom of the message is not a real linked URL. Hovering over it does not reveal a URL link and clicking on it does nothing. It is just an embedded graphic to I suppose give the email some pretended additional air of legitimacy, although I am not sure why anyone would need to unsubscribe from an Amazon billing notice.
I do not know of anyone who would be fooled by these examples, but I am sure less sophisticated users and likely many elderly victims might be tricked into calling.
Calling the Scammers
It is never safe to call these numbers because you never know when one of them might cause you to be automatically billed for an expensive telephone call and there is always the chance that the person answering might actually trick you into paying. So, do not call.
But I did.
Over the last few months, I have called many of the included numbers. I did so from a safe VPN calling service so the scammer would not be able to bill me for the call or identify my real number. So, what did I find out?
Many of the numbers led to dead lines with no pick up. Others were picked up…stopped ringing, but were then met with dead space. No one ever picked up. But of the ones that did lead to humans picking up the line, the answering parties ranged from very unsophisticated to fairly sophisticated. Most were unsophisticated and the answering party seemed almost surprised that I was calling. I could almost always hear lots of background noise. Sometimes it was like the noise from a busy call center and other times, I could tell the call was being taken outside in the open air. Once I heard the noises of a busy kitchen and loudly crying baby. Not exactly what I would expect from Amazon billing support.
Some of my calls were answered by recordings claiming to be from the branded company, adding a slight air of sophistication to the call. Sometimes when I called a particular scam number, I would always get the same person and other scams resulted in different people each call. Most of the calls seemed to be going directly to the same person each time and that person always seemed distracted like I was interrupting them in the middle of their busy day. So, my best guess is that most of these scams are being run by small-time scammers with very limited sophistication.
My attempts to find out what countries I was calling always resulted in the answering party hanging up. Most of the time, the person on the other end of the line had no clue what I was calling about. They would ask me to tell them the details of the bill and if I told them newly made-up information, they acted as if it matched what was on their system.
When I asked for more details on the charges, I was told that the charge was real and that I had to pay it or else some negative consequence would happen (i.e., reported to a collection agency, police would be called, etc.). All of them attempted to either get my credit card information or directed me to buy gift cards of some type to pay the bill.
When I revealed that I knew it was a scam and just wanted to talk to them to learn more about what they did, all of them immediately hung up. No professional courtesy at all.
How To Recognize a Scam
Most scams have the same traits, whether the message arrives in an email, SMS message, on a website or a phone call. Here is the scam recognition process I go through for any suspicious or unusual request:
These phone number-only phishing scams meet all four traits and can be ignored and deleted. If they arrive in your business email inbox, report them to your IT or IT security department so they can be made aware of them, track their frequency, and possibly use them in a security awareness training instance.
Teach yourself, your co-workers, your friends and your family how to recognize any scam by using the methods and education above. Help create a culture where every usual, unexpected message is met by an appropriate amount of skepticism and verified using an alternate method before being acted upon.
Here's how it works:
