Spoofing is a common threat in the cyber security world. The art of the spoof is about tricking someone into giving up something of value to the perpetrator. This could be offering personal information that can then be exploited or payment for a phony financial transaction. There are many types of spoofing methodologies today, including email spoofing, IP spoofing, ARP spoofing and DNS spoofing. Now it's time to add another one to the list: phone number spoofing.
If you have a cell phone, then you are probably familiar with the practice of neighbor spoofing. Let’s say your cell number is 632-555-1212. You may have noticed a lot of calls in recent months whose area code and first three digits are the same as yours. Upon answering the phone, however, you are greeted by an automated spam calling service or a human sales operator. The premise behind it is that people are more likely to accept a call from an unrecognized phone number if it is a local number like theirs. This has now become a prevalent routine for robocallers.
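A screening heuristic for the neighbor-spoofing pattern described above, written as an added example that is not part of the original article. The function names, labels, contact list and call log are constructed for illustration; only 632-555-1212 comes from the text.

```python
import re

def normalize(number):
    """Reduce a US-style number to its 10 digits; None if it is not one."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def classify_call(caller_id, own_number, contacts):
    """Label an inbound call from its displayed Caller ID alone.

    Caller ID is set by the calling side, so the label is a screening hint.
    It is not grounds to block or call back the displayed number, which may
    belong to a subscriber who has nothing to do with the call.
    """
    caller, own = normalize(caller_id), normalize(own_number)
    if own is None:
        raise ValueError("own_number is not a 10-digit number")
    if caller is None:
        return "malformed-caller-id"
    if caller == own:
        # A call that displays your own number is almost certainly spoofed.
        return "own-number-spoof"
    if caller in {normalize(c) for c in contacts}:
        return "known-contact"  # expected, though still unauthenticated
    if caller[:6] == own[:6]:
        # Same area code and first three digits, but not a saved contact.
        return "possible-neighbor-spoof"
    return "unknown"

def screen(log, own_number, contacts):
    """Classify every displayed number in a call log."""
    return [(cid, classify_call(cid, own_number, contacts)) for cid in log]

# Constructed sample data (assumed for this example).
OWN = "632-555-1212"
CONTACTS = ["(632) 555-0142", "+1 312 555 0188"]
CALL_LOG = ["632-555-0142", "632-555-0199", "+1 (632) 555-1212",
            "312-555-0100", "555-0100"]

if __name__ == "__main__":
    for cid, label in screen(CALL_LOG, OWN, CONTACTS):
        print(f"{cid:20} {label}")
```
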
How Caller ID is Manipulated
Caller ID spoofing by itself is not an illegal activity. In fact, it has some legitimate uses. For instance, a call being placed by an employer over their private extension will display the toll-free number. A doctor or attorney placing a call from their cell phone may mask their private number by spoofing the office number. Any organization can in fact control its Caller ID through its PRI or SIP telephony systems. Thanks to online services such as SpoofCard and others, any individual can spoof their outbound Caller ID, with no equipment necessary other than a smartphone or computer. All of this is possible because Caller ID is not associated with the actual phone number that placed the call. The truth is that Caller ID can easily be manipulated. As long as phone number spoofing is not used for illegal or fraudulent activity, someone who spoofs a telephone number is not breaking the law.
More than Just an Annoyance
In most cases, phone number spoofing is a mere annoyance for the receiver of the call, who thinks it is someone calling locally when it is actually a robocall from another state or even another country. A forgotten victim of phone spoofing is the owner of the number that is being spoofed without their knowledge. Irritated call receivers may in fact call the number to complain. Since the only number displayed on the Caller ID screen is the spoofed phone number, it is impossible to block the true source of the calls. When a call receiver blocks the number displayed on the Caller ID, it is the phone number of a legitimate user or business that gets blocked, not the culprit who placed the call. There are also applications and telephone companies that can block numbers that are perpetually spoofed, which could negatively impact a local business whose phone number is regularly spoofed for one reason or another.
It's when scammers and conmen use phone number spoofing to swindle unsuspecting victims that the real danger emerges. Maybe a malicious culprit knows what bank you or your business uses and calls you under the guise of its phone number to trick you. After you answer the call, the person explains that they are from the bank and need to verify your personal information and account number. Another example could be someone using the phone number of a subscription service that you use. The person on the other end of the phone then explains that your credit card has expired and you need to supply a new credit card number in order to prevent your service from being disrupted.
Prevention Steps You Can Take
Fortunately, there are some simple steps you can take to protect yourself from these types of calls.
- For robocalls or annoying sales calls, do not respond to any questions that require a “Yes” or “No” as these answers can be manipulated to justify a phony transaction.
- Verify the phone number of any financial institution or government agency that calls you against its official website or phone directory.
- If someone from your bank or trusted organization calls and asks you for money or personal information, ask for the person’s name and call the verified number back. Scammers are accustomed to questions such as “How do I know you are calling from this company?” Their typical answer is then something like, “Call the number on your caller ID.” However, they will then explain that they cannot be reached through the traditional public number so you will have to wait for a call back from them after you have called to confirm the phone number.
- Never offer personal information such as account numbers, maiden names or social security numbers during an unexpected or unprompted phone call from any organization.
- Always protect your cellphone’s voice mail with a passcode as it is possible for an imposter to access your voicemail by spoofing your phone number if it isn’t protected.
While phone number spoofing may not result in the damage of a business email compromise (BEC) or targeted phishing attack, you need to be aware of these tactics in order to fully protect yourself.
HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States on reasonable security strategies and implementation.