KrebsOnSecurity reports that scammers are using caller ID spoofing to impersonate their victims, and then socially engineering victims’ banks into divulging information about recent transactions. The scammers then use this information to more convincingly impersonate the bank when they call the victim.
In some cases, the scammers don’t even need to interact with a bank employee in order to obtain this information. Krebs heard from a reader whose wife was targeted by scammers who were able to trick Citibank’s automated phone system by spoofing her phone number.
“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” the reader explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online. As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”
Fortunately, in the reader’s case, the bank happened to send a physical check to the victims rather than wiring the money to the scammers. Krebs confirmed that he could indeed use a caller ID spoofing service to reach recent transactions in his own Citibank account, although in his case the system still required his PIN or Social Security number. The underlying problem is that caller ID is trivially spoofable: the number a phone system sees proves nothing about who is calling, and an IVR that discloses account data on the strength of a matching number alone has no authentication step at all. The reader also noted that an employee in Citibank’s fraud department didn’t seem to know what caller ID spoofing was.
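To make the failure concrete, here is an added example (not code from Citibank, Krebs, or this post) contrasting the two IVR policies the story implies. The account, phone number, PIN and transaction strings are constructed sample data, and the function names are hypothetical. The weak policy treats a matching caller ID as proof of identity, so a spoofed call gets the last three transactions; the hardened policy treats caller ID as routing metadata only and requires a knowledge factor checked in constant time, with a lockout after repeated failures.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a PIN verifier with PBKDF2 so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    linked_phone: str          # number on file for the card
    pin_salt: bytes
    pin_hash: bytes
    recent_transactions: list
    failed_pin_attempts: int = field(default=0)


def make_sample_account() -> Account:
    """Constructed sample account used by both policies below (not real data)."""
    salt = b"constructed-salt"
    return Account(
        linked_phone="+15555550123",
        pin_salt=salt,
        pin_hash=hash_pin("4321", salt),
        recent_transactions=[
            "2020-04-01 GROCERY $54.10",
            "2020-04-02 FUEL $38.77",
            "2020-04-03 COFFEE $4.25",
        ],
    )


def ivr_caller_id_only(account: Account, presented_caller_id: str, pin: str = None):
    """Weak policy: a caller ID matching the linked number is treated as authentication.

    A spoofing service lets an attacker present any number, so this check is
    equivalent to no check.
    """
    if presented_caller_id == account.linked_phone:
        return account.recent_transactions[-3:]
    return None


MAX_PIN_FAILURES = 3


def ivr_require_knowledge_factor(account: Account, presented_caller_id: str, pin: str = None):
    """Hardened policy: caller ID is ignored for the access decision.

    The caller must supply the PIN; it is compared in constant time, and after
    MAX_PIN_FAILURES wrong attempts the account is locked for phone disclosure
    until it is re-verified through another channel.
    """
    if account.failed_pin_attempts >= MAX_PIN_FAILURES:
        return None
    if pin is None:
        return None
    candidate = hash_pin(pin, account.pin_salt)
    if not hmac.compare_digest(candidate, account.pin_hash):
        account.failed_pin_attempts += 1
        return None
    account.failed_pin_attempts = 0
    return account.recent_transactions[-3:]


if __name__ == "__main__":
    acct = make_sample_account()
    spoofed = acct.linked_phone  # attacker presents the victim's own number
    print("weak policy, spoofed caller, no PIN:", ivr_caller_id_only(acct, spoofed))
    print("hardened policy, spoofed caller, no PIN:", ivr_require_knowledge_factor(acct, spoofed))
    print("hardened policy, correct PIN:", ivr_require_knowledge_factor(acct, spoofed, "4321"))
```

Note that the hardened policy never consults `presented_caller_id` at all; the number is useful for routing the call or pre-filling a lookup, but a matching number must not shorten or replace the authentication step.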
“The person we spoke with at Citi’s fraud department kept insisting that yes, it was my wife that called because the call came from her mobile number,” the reader said. “The Citi employee was alarmed because she didn’t understand the whole notion of caller ID spoofing. And we both found it kind of disturbing that someone in fraud at such a major bank didn’t even understand that such a thing was possible.”
Krebs concludes that people can protect themselves against these types of scams by never trusting an unsolicited phone call that claims to be from the bank, regardless of what the caller ID shows or what account details the caller can recite.
“Both this and last week’s story illustrate why the only sane response to a call purporting to be from your bank is to hang up, look up your bank’s customer service number from their Web site or from the back of your card, and call them back yourself,” he says.
New-school security awareness training can teach your employees how to follow guidelines that will prevent scammers from taking advantage of them.
KrebsOnSecurity has the story: https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-scam/