This week the NPR shared a Pindrop researcher’s undercover IRS phone scam conversation with a real fraudster. More than 5,000 victims have been duped out $26.5 million since 2013.
BBC reported this week that last year in the UK, fraud losses totaled ₤755m. Pindrop’s Matt Peachey sat down with BBC to discuss the need for multi-layered security, including monitoring behavior.
The Guardian: The terror of swatting: how the law is tracking down high-tech prank callers – In 2014, a swatting attack was launched on an Atlanta suburb police station that led to a year-long investigation in the US and Canada. This hoax was implemented by a 16-year-old who initiated nearly 40 attacks on homes, schools, and businesses.
The Boston Globe: Why police are having a tough time finding culprits in school robocalls – Dozens of Massachusetts schools are being plagued with a series of hoax robocalls including threats of bombs and roaming shooters. Why can’t authorities trace the calls? Using VoIP, these callers are able to hide their identities.
Ars Technica: “This is the IRS regarding your tax filings” says trio of overseas robocallers – While the FTC searches for a technology to combat robocalling, scammers have now started posing as agents of the IRS using robocalls. Pindrop has found that the wave of IRS scammers can be traced back to 3 distinct groups operating outside the US.
CreditCards.com: Credit card companies may be analyzing your voice – While credit card companies often record phone calls from cardholders, it’s not always for the purpose of quality assurance. Many banks are now analyzing calls and using advanced voice biometrics to root out criminals in the fight against call center fraud.
This is Money: You’re on your own if a conman raids your bank account – This week, This is Money and Money Mail have reported that just 2 out of 1,000 cases in identity theft are investigated and that 70% of customers affected by scams never get a penny back.
ITProPortal: Nationwide develops behavioral authentication prototype – Nationwide’s Innovation Lab, BehavioSec and Unisys are developing an authentication system that uses a customer’s behavior to allow access rather than requiring an additional password to access their banks account from their mobile device.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
Ah, tax day. The chore of rounding up your W-2’s and taking them to your accountant to look over has come. Luckily this year you don’t owe too much. Your write your check, mail it off, and you’re done.
A day or two later you get a call from the IRS. Your accountant messed up and instead of a couple hundred, you owe a couple thousand. If you don’t pay right now over the phone there will be a warrant out for your arrest. You quickly run to your wallet to pull out your card and give the number to the man on the phone. Thank goodness the IRS was able to take your payment over the phone so easily.
Here’s What Really Happened
Wait, the IRS can just call you asking for payment over the phone? Absolutely not. In this consumer scam, attackers are calling all sorts of people who inevitably just finished their taxes. Using scare tactics and threats, these fraudsters can convince victims they are in fact a representative of the Internal Revenue Services to get large sums of money quickly.
- Reconnaissance – These scammers can easily look up phone numbers via the Internet, Facebook, or other social sites. This method is easy for fraudsters with high payoff.
- Intimidation – Using scare tactics, forceful language, and involving the cops in an effort to spook consumers is an effective means of getting someone to pay up phony amounts.
- Card-Not-Present Fraud – Now that you’ve given your credit card information to a scammer, they can now rack up charges using your card number beyond the fraudulent tax charges.
The IRS Scam in the News
Tax Scams/Consumer Alerts The IRS has released statements warning consumers of several different IRS impersonation scams
IRS Phone Scammers are Steal Millions from Victims As this scam spreads throughout the United States, millions are being taken from unsuspecting victims
Five Easy Ways to Spot a Scam Phone Call The IRS has tips to spot and avoid this scam
Last week, the IRS announced that, from February through mid-May this year, criminals accessed the past tax returns of 100,000 Americans using the IRS website. Yesterday, the US Senate Committee on Homeland Security & Governmental Affairs held a hearing to learn more about what went wrong at the IRS, and what steps could be taken to protect American’s personal information going forward.
Dr. Kevin Fu, a cybersecurity expert and Associate Professor at the University of Michigan, highlighted Pindrop’s audio and voice based fraud detection in his testimony: “Pindrop Security, they actually work for financial services companies. They listen to the audio of the phone calls as people call in and they’re able to actually identify repeat offenders who are calling in pretending to be other people based on the delay in the phone line from the country they’re calling from, some interesting characteristics of the copper wires. You could use some of these advanced technologies not to eliminate, but at least reduce the risk of fraudsters trying to go from one fraudster doing 100,000 accounts to at least making it more difficult to scale up to so many different accounts from one adversary.”
Pindrop has been a part of this conversation in the past, when we exposed an attacker caught in the act, when we quantified numbers of attacks, and when we mapped the attack as it spread across the US. Consequently, we were gratified to find our work being credited for contributing to possible solutions.
Fraud against the IRS hurts everyone in the US. We’re glad if we can be part of the solution.
As tax season begins, the IRS Phone Scam observed in years past, is surging. Aggressive phone calls by criminals impersonating IRS agents remain a serious and ongoing threat to taxpayers, as scam artists threaten police arrest, deportation, and license revocation. It remains at the top of the IRS’s official “Dirty Dozen” tax scam warnings for 2015, and was recently ranked #3 on the FTC’s list of top 10 consumer complaints. Read a complete breakdown of the scam here.
As the scam increases in popularity, fraudsters are finding ways to increase efficiency. While last year’s iteration of the scam seemed to target elderly and immigrant populations, in this years version of the scam fraudsters are relying on auto-dialers, robocalling, and voice mail messages to hit as many taxpayers as possible.
Pindrop has obtained a recording of one of these fraudulent voice mails.
Hi, this message is for Sarah Sol. Ms. Sarah, this is Marco Vincent calling you from IRS, Internal Revenue Service. Right now, you hang up the phone call. That means you are intentionally fraud with the IRS. And, we need to call [inaudible 00:00:17] that calling into the courthouse and again [inaudible 00:00:18]. Because you are intentionally fraud with the IRS. You do not follow the terms and conditions, so at this point of time, I would think about that you are intentionally fraud with the IRS. That’s the reason we start the legal action against you. So, this first and last call for you, Ms. Sarah. We need to resolve this case immediately. Call me back on my callback number, it’s (703) 828-0306. Again, this is Marco Vincent. Goodbye, and take care.
These methods are effective because they weed out people who know the scam is not real. Those people who return a voicemail or robocall have self-selected as particularly vulnerable to the scam. Fraudsters then do not have to waste time on the phone, trying to convince a target that they are real. They can get straight to the extortion.
The IRS will never make initial contact with you over the phone – only through certified mail. If you do receive one of these voicemails, there are two steps you can take to report the fraud:
- Report the incident to the Treasury Inspector General for Tax Administration (TIGTA) at 1.800.366.4484 or at http://www.tigta.gov.
- File a complaint using the FTC Complaint Assistant; choose “Other” and then “Imposter Scams.” If the complaint involves someone impersonating the IRS, include the words “IRS Telephone Scam” in the notes.
This week in phone fraud includes reports of the ongoing Microsoft and IRS phone scams, as well as a short feature story on Pindrop Security research and the world of organized phone fraud.
On Monday, eWEEK’s Sean Michael Kerner discussed the vulnerability of the phone channel with our CEO, CTO and co-founder, Vijay Balasubramaniyan. In the video interview, Balasubramaniyan discussed the research behind his recent presentation at Black Hat USA 2014 and the overall phone fraud threat landscape. He pointed out that, “there are multiple levels within phone hacking organizations for each stage of user exploitation, ranging from automated systems to social engineering of call center staff.”
On Tuesday, Oklahoma-based News Channel 4 reported on the increasingly popular Microsoft customer service scam affecting the area. The reporter, Ed Doney, pointed out that fraudsters are even targeting widows in their attempts.
On Wednesday, Alabama-based WKRG 5 covered the IRS scam that continues to plague the state. Reporter, Ashley Knight, also mentioned that over the past few years Americans have been conned out of an estimated $5 million on this scam alone. Earlier this year we published our own research on the pervasive IRS scam as well. Our blog post and research can be found here.
Full Breakdown of This Week’s Phone Fraud News
Gant Daily: Kane Warns Consumers about Recent Credit Card Phone Scam – August 21, 2014
KSPR 33: Missouri AG warns of 202 area code scam calls – August 21, 2014
WKRG 5: Scambuster: IRS Scam – August 20, 2014
Homer News: Police warn of Publishers Clearing House phone scam – August 20, 2014
WSB Atlanta: 86-year-old woman targeted by phone scam – August 19, 2014
KFOR: More victims coming forward in “Microsoft” phone scam – August 19, 2014
eWEEK: Examining the World of Organized Phone-Hacking Fraud – August 18, 2014
CBS Philly: Police Warn Customers Of Utility Phone Scam Making Rounds In Suburban Philadelphia – August 18, 2014
This week in Phone Fraud news saw coverage around the popular IRS and Green-Dot Scams.
On Thursday the Idaho-based Coeur D’ Alene Press covered the spread of the IRS scam in their region. A staff writer for the publication provided some detail into the attack, describing how one man with a heavy accent called a potential victim, claiming that he was an IRS agent and that she was behind on her taxes. The would-be victim was not to be swindled though, and simply asked him to send her a letter, and promptly hung up. Nicely done, madam.
On Monday, the popular Green-Dot phone scam spread to Nebraska, according to an online post from KHAS 5 TV. It’s emergence forced Nebraska Public Power District officials to warn customers of phone calls from someone claiming to work with the utility threatening to disconnect services if the customer does not make an immediate payment through a prepaid card or online payment service like PayPal or Green-Dot.
Full Breakdown of This Week’s Phone Fraud News
Coeur D’ Alene Press: Don’t be Fooled by Fake IRS agents – May 22, 2014
NBC 15 (Wisconsin): SCAM ALERT: IRS Phone Scam – May 22, 2014
WBOC: Rehoboth Beach Business the Latest Target in Phone Scam – May 21, 2014
North Country Now: Massena police chief and Massena Electric warn of ongoing phone scam – May 21, 2014
In Cumbria: Penrith tech firm joins alliance to help combat phone fraud – May 20, 2014
Fresno Bee: Madera County sheriff issues fraud alerts – May 20, 2014
KHAS 5 TV (Nebraska): NPPD warns customers of phone scam – May 19, 2014
Salisbury Journal: Warning over phone scam – May 19, 2014
Are you at risk? Use our interactive tool to view the level of activity from fraudsters in your county. Either enter your zip or county name or simply click on the map. [iframe src=”http://www.pindrop.com/wp-content/themes/zap-installable/visualizations/irs-scam-counties/index.html?v=4″ width=”647″ height=”640″]
In our previous blog post, we recorded our interaction with the scammers by posing as the victim. We wanted to understand if the scammers are targeting individuals at random or are they targeting a particular demographic. We used our Phone Reputation Service databases to determine the location associated with the complaints associated with this scam.
Which counties are most targeted?
We plot the number of complaints by county on a map of the US; the darker the color of the county, the higher the number of complaints. Right away, some locations jump out at us. Several counties in Florida look quite dark, as well as the NYC, DC and some other big cities. Our initial assumption was that the number of complaints would match up well with the population of a region. We do see that to some extent – NYC, LA, Miami and other big cities show up prominently. However, several smaller counties in Florida (Lee, Collier) and California (Marin, Merced) also stand out. What’s different about them? The call that we recorded with the scammer gives us a big hint. At one point the scammer specifically asks whether the intended victim was “born and brought up” in the US. They clearly indicated that the scammer preferred targeting people who were foreign-born. We were curious whether this was a pattern that explained the distribution of targeted counties.
Are foreign-born people disproportionately targeted?
The American Community Survey (ACS) collects extensive data about the place of birth of people in the US to estimate the foreign-born population in each. As shown in the histogram, the general distribution of foreign-born people in US counties is very skewed. Most counties have a very small fraction of immigrants, in fact the median is about 2.5%, and only 5% of counties have a foreign-born population of 15% or more. The table below shows the top 25 most targeted counties in decreasing order of number of complaints, along with estimates for the overall and foreign-born population. Right away, we notice that the all of these counties have a very high proportion of foreign-born people: from 3X of the median (Baltimore, MD) to 20X (Miami-Dade, FL). Additionally, many high-population counties (NY, LA, DC, Harris) are prominent on this list.
|County||State||#Complaints||Total Pop||Foreign-born Pop||%Foreign-born|
|New York County||NY||3087||1619090||455248||28.51|
|Los Angeles County||CA||2094||9962789||3473930||35.30|
|District of Columbia||DC||1598||632323||82048||13.54|
|San Diego County||CA||365||3177063||720485||23.24|
|Santa Clara County||CA||349||1837504||658753||36.83|
What is the relative impact of each of these two factors? In order to tease that out, we plot the total number of complaints on a bubble scatter plot, with the two factors, immigrant proportion and overall population as the axes. The size of the bubble indicates the number of complaints from the corresponding county. As shown in the chart, as the bubbles get larger, they are clearly closer to the Y axis (proportion of immigrants) than the X axis (overall population), implying that the presence of a high concentration of immigrants has a high correlation with the top counties targeted in this scam. This analysis clearly shows that the scammers are following a pattern of targeting immigrant-dense areas of the country. We started this investigation with our employee having a conversation with a single IRS scammer, and eventually demonstrated a consistent pattern of scammers targeting immigrants on a large scale. The main takeaway: if you live in an area with a large immigrant population, be careful when you get calls from unknown numbers.
Raj Bandyopadhyay, Peter Casanova, Philip Thrasher
This week in phone fraud news saw coverage around the revelation that the IRS Phone Scam we reported on in a previous blog post was far larger than originally reported, along with one Forbes reporter’s personal brush with a phone scam.
On Monday, Forbes reporter Tony Bradley published an article detailing his own close call with a phone fraudster earlier this year. Tony received a call from an individual apparently of foreign origin claiming to be an attorney in charge of litigation against him. The fraudster knew a great deal about Tony, including his address and social security number. The fraudster attempted a scam but Tony wasn’t fooled, and wrote this article as a cautionary tale.
On Thursday, Politico reported that the 2013 IRS Scam actually accounted for $2 million in taxpayer loses, a $1 million increase from the IRS’s previously reported figure. Politico also reported that the number of complaints from people who believe they’ve fallen victim to the scam has increased significantly beyond the 20,000 originally reported.
Full Breakdown of This Week’s Phone Fraud News
Politico: Largest tax-fraud phone scam still growing – May 1, 2014
AOL (UK): Fraud offences ‘up by 25%’ – May 1, 2014
Forbes: Don’t Fall Victim To This (Poorly Executed) Phone Scam – April 30, 2014
San Mateo Patch: Police warn of scammers posing as police– April 30, 2014
SF Examiner: San Mateo police warn public of phone call scams – April 28, 2014
WBTW News 13: ‘One ring’ cell phone scam hitting Carolinas – April 28, 2014
The IRS is warning people about the “largest ever” phone fraud scam targeting taxpayers. In the interest of learning more about this phone-based threat, Pindrop has investigated the attacks and, among other things, we have successfully posed as a victim and recorded the call. What follows is the complete audio and transcript of the interaction, and our analysis of some of the tactics that these fraudsters are employing. Note that in the audio files, we have distorted the voice of the victim (a Pindrop employee) to protect their identity.
- Attackers are using magicJack VoIP phone numbers for consumers to “call back” as part of this attack. There is no reason to believe magicJack is in any way complicit with these attacks.
- The attackers appear to be operating out of India and are seeking approximately $5,000 per successful attack.
- The attackers are asking consumers to use GreenDot MoneyPak service to wire money to a Paypal account.
- As compared to previous attacks involving impersonation of the IRS, this attack involves much higher volumes, with complaints in excess of 10 times higher than previously seen. We estimate the number of attack calls has already likely exceeded 450,000 in March.
The fraudsters use classic call scam techniques: they use a spoofed Caller ID that looks legitimate; they use urgency and threats to keep the caller on the line and force them to act quickly; they leave behind different numbers for “call backs” and they only use these numbers for a limited time.
True to form, the IRS fraudsters made the incoming number appear to be legitimate. Occasionally, they spoof the telephone assistance service number of the IRS, 1-800-829-1040. More frequently, they call from numbers from the same area as the victim, in order to entice the victim to pick up the phone thinking that the call is from someone they know. As heard in the audio, they try hard to keep the victim on the call. And they leave behind a phone number where they can be reached, known as a “call back” number. Typically, a fraudster buys a large block of numbers from a VoIP provider to serve as these “call back” numbers.
The fraudsters are constantly decommissioning these “call back” numbers. From time to time we also see them call from these numbers directly. In order to engage with them we first needed to identify what set of numbers are being used for this purpose and find one that was not yet decommissioned.
Tracking the Attackers
Pindrop maintains the Pindrop Reputation database, the world’s largest collection of phone number data and activity. To identify the phone numbers being used we mined our phone reputation service for IRS related activity. Among the numbers used, the majority was from the magicJack service, an inexpensive, online VoIP service. The most complained about magicJack numbers were non-toll-free numbers, for example: 202-506-9XXX. The line graph shows the number of magicJack numbers associated with IRS scams over time (the IRS is a consistent target of scams). The data clearly shows that the number of phone numbers has gone up significantly this year. Through March, we have observed 523 numbers perpetrating this scam. The total number for all of 2012 was 780. This supports the IRS’ claim that this is the “largest ever” phone fraud scam.
The number of complaints associated with these numbers has gone up even more drastically this year. Complaints are in excess of 2400 calls this year to date – all of last year the number of complaints we observed was 1047.
The number of phone numbers and complaints are good indicators that the number of victims being targeted has dramatically increased. In order to roughly estimate how many calls are being made, we can make the assumption that a call takes 5 minutes, which includes leaving voice mails and live conversations. That adds up to 12 calls an hour. We assume an 8 hour work day for each caller and that each caller is using one of the numbers. Therefore, each number could be making 96 calls a day. At 235 total numbers observed in March, the number of calls made could potentially be in excess of 450,000 in March.
Where are the attacks coming from?
We identified a smaller set of phone numbers that our systems had indicated were still active in this scam. We then looked at what time of day these numbers are most active. We used that to maximize our chances of interacting with these fraudsters. As seen in the temporal activity graph below these fraudsters work east coast hours.
To determine if the attackers are actually operating in the Eastern US, we analyzed the call audio with Pindrop’s phoneprinting technology, which, among other things, can determine the origin of a call based on audio artifacts. In this case, the audio analysis showed clearly and consistently that the calls are originating from outside the US and are most likely calling from India.
Using a brand-new phone, which had not been used for any other purpose, we finally called (202) 239-7034 and after a couple of attempts we were talking with the fraudsters.
For a rare and engaging window into how phone scams work, we highly recommend listening to the audio. If you’re short on time, read the transcript. We would like to highlight a few moments that we found the most revealing about their modus operandi. Click on the player for the audio excerpt:
(0:25) – They make some basic checks to determine if the victim is someone they have interacted with previously. We suspect this is to provide the fraudster context to make the conversation real for the victim.
(1:20) – They claim to be the Federal Investigation Department, a legal department working for the IRS
(2:05) – They do NOT target Americans. They are primarily targeting immigrants.
(3:45) – Tries to see if a third party (accountant) files taxes. Claims mistakes in taxes.
(4:01) – Scam starts. Sees if there are any overseas transactions.
(5:32) – Claims $5,868 pending taxes. We created a fake victim and he already owes taxes.
(6:10) – Threat of Arrest Warrant issued.
(7:30) – Get supposed name from scammer “Steve Parker”.
(9:35) – They claim to not accept standard payment types (debit/credit cards), only Tax Pay Voucher from a Government Store such as Home Depot and Food Lion.
(11:50) – Ask for zip code and then get a store close to that zip code.
(13:30) – They settle for $2,400 for warrant cancellation fees when we say we only have $2,600.
(14:20) – They are trying to make the victim stay on the phone while they get the money together.
(17:20) – Transferred to the accounting department “Brian”.
(18:15) – They try to justify why money has to be wired to the restitutions Paypal account via prepaid card.
(20:12) – Their card of choice is GreenDot MoneyPak.
After this call, the scammers tried several attempts to call back throughout the night and morning. This was not surprising to us; the scammers probably assumed that they had almost “closed the deal” on this particular victim. However, the next afternoon, our employee received a call alleging to be from GreenDot asking if he had purchased a MoneyPak card recently. The caller stated that to use the card, activation was required and asked our employee to provide him with the number on the back to gain access to the money on the card.
This leads to some really interesting questions: Was this caller really from GreenDot? If so, how did they obtain the phone number that our employee had used, given that we had just acquired this phone and not disclosed its number anywhere? If the caller was not from GreenDot, is this just another play on part of the scammers to obtain the money on the card?
We continue to investigate this attack and monitor these attackers.
Peter Casanova, Raj Bandyopadhyay, Vijay Balasubramaniyan