Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Defending Against Phone Call Attacks and Scams

July 11, 2018

I am fond of the SANS "OUCH! Newsletter" (so much so that I signed up) and was struck by a recent post (thanks Dave Ries) on phone call attacks and scams.

There are two big advantages to using a phone to scam you. First, unlike e-mail, there are fewer security technologies that monitor phone calls and can detect and stop an attack. Second, it is much easier for bad guys to convey emotion over the phone, which makes it more probable that they can con their victims.

The attackers usually want your money, information, or access to your computer (or all three). They do this by tricking you into doing what they want. The bad guys create scenarios that seem very urgent. They want to get you scared so you won't think clearly, and then hurry you into making a mistake. Some of the most common examples include:

The caller says that they are from a government tax department or a tax collection service and that you have unpaid taxes. Oh yes, I've gotten those calls. They explain that if you don't pay your taxes right away you will go to jail. They then pressure you to pay your taxes with your credit card over the phone. Hang up. Tax departments, including the IRS, never call or e-mail people. All official tax notifications are sent by regular mail.

Maybe the caller pretends they are Microsoft Tech Support and explains that your computer is infected. Yes, I've gotten those – and at least two of my lawyer friends were taken in by these calls. It took a considerable amount of time to clean those messes up. Once they convince you that you are infected, they pressure you into buying their software or giving them remote access to your computer. Microsoft will not call you at home. Neither will Apple.

You get an automated voicemail message that your bank account has been canceled, and that you have to call a number to reactivate it. I feel left out here – I've never gotten this call. When you call, you get an automated system that asks you to confirm your identity and asks you all sorts of private questions. This is really not your bank; they are simply gathering your information for identity fraud.

When someone calls you and there is a sense of urgency, be suspicious. If they say you may go to jail if you don't do something, be suspicious. Once you sense an attack, hang up. If you want to confirm that the phone call was legitimate, go to the organization's website (such as your bank or credit card) and get the customer support phone number and call them directly yourself. That way, you know you are talking to the real organization. Both John and I have done this several times. Annoying, but safer.

Don't trust Caller ID. Criminals can spoof the caller number so it looks like it is coming from a legitimate organization or has the same area code as your phone number – even the subsequent three numbers of your phone number.

Never allow a caller to take temporary control of your computer or trick you into downloading software. This is how they can infect your computer and harvest your data – or continuously monitor your activities.

If a phone call is coming from someone you don't know, let the call go directly to voicemail. This way, you can review unknown calls on your own time. We do this all the time. Most of the time, the fraudsters don't even bother to leave a voicemail. You can enable this by default on many phones with the "Do Not Disturb" feature.

You are your own best defense – remember to be skeptical of all the scams listed above. I just hang up on them, but John sometimes enjoys "having fun" with them. This usually results (ultimately) in curses from the bad guys. I recommend simply hanging up – no point in pissing off a criminal.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson