The Real Threat of Deepfakes to Your Contact Center
Deepfake attacks are constantly evolving. Attend our upcoming webinar and arm yourself with knowledge on the latest deepfake trends and the tools that can help catch them.
From Detection to Prevention: Advanced Strategies to Prevent Contact Center Fraud in 2024
In 2023, data breaches reached an all-time high of 3,205, 78% higher than the previous year. Leveraging generative AI technology, fraudsters are employing advanced tactics, including bots and deepfakes, and exploiting vulnerabilities in outdated systems. In the face of rising contact center fraud, it’s crucial to implement robust and modern fraud prevention strategies.
Watch Pindrop’s fraud and authentication experts in a comprehensive webinar where we dig into essential fraud-fighting techniques that can protect your contact center from becoming a fraudster’s playground.
Phone scams can be a serious source of problems for many businesses, including contact centers. Unfortunately, employees are often the most vulnerable part of the business. If an employee does not know about potential phone scams, they may struggle to keep confidential data safe.
Most phone scams usually have some common traits. Learning how to spot these signs is imperative for businesses that want to protect themselves.
In this piece, we’ll talk about some of the most common phone scams in the coming year.
4 Phone Scams to Watch for in 2025
As you consider scams that you and your employees may have to watch out for, make sure you’re familiar with potential business scam calls and the impact they can have on your business, including the risk of fraud.
1. Fake Supervisor Calls
Many businesses put most of their information online. Scammers can easily determine who is in charge: the full management team, direct supervisors, and even the CEO. By taking a close look at that information, scammers may call in pretending to be supervisors and ask for confidential information or pressure employees to take actions that could compromise the network. That can include:
- Asking for private client data. A scammer might pretend to be a supervisor in a meeting or in contact with a client who needs immediate information about the client’s account. Employees may look up that information and inadvertently provide it to a scammer. In some cases, employees may never realize the data has been compromised.
- Asking contact center employees to log in to a phishing site. In some cases, scammers may call in and masquerade as supervisors who need their employees to visit a new website using their login credentials. The login may seem to fail from the employee’s end, but the scammer will use it to capture employee information, which they can then use to access the company system.
- Requesting passwords. The supervisor may claim that they need to log in as the employee or that they have forgotten the common password to a vital system. Once employees have shared that information, scammers can then use it to log in as the employee.
- Asking employees to take a specific action, including instituting a money transfer. If employees have access to the company’s finances, scammers may pressure them to make a false payment. If they do not, they may ask employees to submit an invoice.
It’s important for companies to institute checks and balances so that employees can easily figure out whether they are talking to a supervisor or a scammer.
It might be difficult for employees in larger contact centers to recognize supervisors by voice, which increases the risk of fraud.
Companies must put policies in place to ensure employees don’t share passwords with each other over insecure channels, and any employee who does so is reprimanded.
2. Fake IT Calls
Many employees wouldn’t think twice about “helping out a member of the IT department” if a call came through. Unfortunately, scammers know about that tendency all too well.
Scammers targeting businesses usually won’t claim to have found a virus on the computer that they need account access to remove. Instead, they may call in and ask employees to take a number of common actions:
- Testing a new login. Scammers may request that employees log into a new site, which is really a fake website set up to capture company data. The login page may look legitimate from the employee’s view, but instead of logging in to a system or testing credentials, it may simply provide scammers with that login information.
- Checking (or seeking) passwords. A fake member of the IT team may claim that they need to log in to an employee account quickly in order to fix a problem. Once the employee has provided them with that password, the scammer will have access to the account. Many scammers can use even lower-level employee access to work their way deeper into the system.
- Seeking remote access. The false IT team member may note that they need to take care of something in the system or on the employee’s account, which they need remote control of the system in order to accomplish. With that access, they can download their own content or get deeper access to the system.
- Downloading files. In some cases, an imposter may call in to let employees know that they need to download a specific file. Unfortunately, when employees do, they may end up installing a virus on the system.
As with protections against supervisor scams, make sure you put the right checks and balances in place to ensure that employees do not inadvertently give system access to a scammer. Let them know that IT team members will not ask for their information over the phone.
Make sure all employees are familiar with the procedures IT team members will actually go through in order to access their systems, including the use of network keys or internal passwords.
3. Customer Impersonation Scams
Scammers can call in with a variety of stories that indicate why they should be given access to customer data, often impersonating customers or using compromised data to access their accounts.
Typically, they will start by going on social media and gathering information about potential clients. They can check reviews from your social media profiles to figure out who those clients are, then look for more data on them from their own pages so that they can share that information with a contact center representative as they try to access the account. Common scams include:
- “Forgetting” the password for the account. False customers may try to guess at the answers to security questions so they can access the account even though it doesn’t belong to them.
- Calling in with a sob story. Many scammers will work up elaborate stories: the account holder has just died; the account holder is in the hospital; the account holder is a former spouse who abused them, and they’re only too eager to tell your employees all about it. By gaining the employee’s sympathy, they can then access the system.
- Pressuring the employee to give them access without going through all necessary verification steps. Scammers may yell or get belligerent in an effort to get employees to provide them with account access or data despite not having all necessary information.
Perhaps the most common way these scams work is when scammers gain access to sensitive identifiable information such as a customer’s password, birth date, and other details. Contact centers that use older authentication systems are often at an increased risk of compromising user data as a result.
With Pindrop’s Deep Voice Biometric Engine, contact centers can reduce the risks of hacks and security breaches, as it analyzes various audio features to determine if a call is authentic or not.
4. External Vendor Scams
Scammers may call in pretending to be an external vendor. Typically, employees of your contact center may not work directly with vendors. However, in some cases, they may receive calls from vendors, juggle payments, or handle communications with those vendors in order to ensure a high-quality customer experience. Vendor scams may include:
- Insisting that the company is behind on an invoice. The scammer may pressure the employee to make sure that the invoice is sent through or, if the employee has access to any payment function, to pay the invoice as soon as possible.
- Pressuring an employee to make a false order. Vendors may insist that they need to make a technology update or that the company is behind on certain items and ask the employee to authorize a purchase.
- Asking for system access. Vendors may, in some cases, use apps or platforms that may need to interact with the company network, and scammers may pressure employees to give them higher-level access.
In order to protect against external vendor scams, make sure employees have a solid idea of how they should expect to interact with vendors over the phone and what information they are allowed to provide. You may also want to make sure that your invoice payment process includes protection against fake invoices, including double-checking who the payment is going to before sending it through.
How Pindrop Helps Fight Contact Center Fraud
At Pindrop, we offer anti-fraud solutions that can reduce fraud calls reaching contact center agents by 80%. Our solutions use cutting-edge voice biometrics and voiceprinting technology to better identify signs of fraud and increase contact center security. We analyze more than 1,300 factors in real time, preventing scammers from getting away with many of their techniques. Request a demo to learn more!



- Liveness Detection: Ensure that your interactions are with genuine humans, not sophisticated bots or recorded messages.
- Multi-Factor Fraud Prevention and Authentication: Pair liveness detection with device recognition, behavior analysis, and more to increase your fraud detection capabilities.
- Early Risk Detection: Address potential fraud threats before they escalate.
- Negative Voice Matching: Identify fraudsters when tactics are used to change or mask the calling phone number.
- Continuous Fraud Detection: Automate your comprehensive fraud risk profiles and increase the accuracy of fraud prediction.
Don’t miss this opportunity to enhance your fraud protection strategies and safeguard your organization!
Your expert panel


Tara Garnett
Sr. Product Manager, Authentication Products, Pindrop


Timothy Mohan
Senior Director, Fraud Prevention & Authentication Operations, Pindrop



From the conversation with Amit Gupta, VP of Product at Pindrop, and Bennett Borofka, Partner Solutions Architect at Amazon Web Services, you can expect to:
- Learn about the rise of deepfakes and the threats they pose to your contact center
- Gain an understanding of Pindrop’s fraud and deepfake detection solutions and how they can help mitigate fraud losses
- Discover how Amazon Connect and Pindrop have teamed up to make the integration process efficient and worthwhile
Meet the Experts


Amit Gupta
VP Product, Pindrop


Bennett Borofka
Partner Solutions Architect, Amazon Web Services
Robocalls, as defined by TechTarget, are “automated telephone calls that deliver a recorded message,” often using caller ID spoofing to deceive recipients. Caller ID spoofing allows fraudsters to manipulate the caller ID information, making it appear as though the call is coming from a familiar or trusted number. This increases the likelihood that the recipient will answer the call, as they might believe it is from a legitimate source, such as a known contact or a reputable organization. Despite the U.S. Federal Communications Commission (FCC) taking measures to prevent unsolicited robocalls, they have become more prevalent, showing up as the FCC’s top consumer complaint and a top consumer protection priority.
According to National Consumer Law Center data, Americans receive over 33 million scam robocalls daily and more than 50 billion annually. Additionally, the volume of robotexts has surged, with over 160 billion spam texts received in 2023. And it’s more than just an annoyance. In 2022, Time Magazine reported that around 68 million Americans lost over $29 billion to scam callers.
How does robocalling work?
Robocalls are typically initiated using an autodialer, a software application that automatically dials large numbers of phone numbers from a database. The numbers can be generated sequentially or obtained from lists purchased or scraped from various sources.
Answering just one spam call is a signal to scammers that you are willing to pick up the phone. So they’ll keep calling you, sometimes from different phone numbers, to get you to answer again, often using different schemes, too.
8 common types of robocalls
Robocalls come in many forms, each with a specific goal or target audience. Here are eight common types:
1. Debt collection robocalls
These calls typically attempt to collect payment for unpaid debts. They might be legitimate calls from debt collection agencies or fraudulent attempts to extract money by pretending to be a debt collector.
2. Phishing scams
Phishing robocalls aim to steal personal information such as Social Security numbers, bank account details, or credit card information. These calls often claim to be from reputable organizations like banks or government agencies to trick recipients into divulging sensitive information. Phone scams can be worse in call centers. Be sure to read Pindrop’s article on how phone scams work and how call centers can better protect themselves in the future.
3. Healthcare robocalls
These robocalls offer health insurance plans, medical devices, or prescription medications. While some may be legitimate, many scams attempt to steal personal information or sell fraudulent products.
4. Political robocalls
Common during election seasons, these calls are used by political campaigns to inform voters about candidates, solicit donations, or encourage voter turnout. These calls are generally legal. But they are illegal and considered scams when the voice on the call is not actually the person it claims to be. With the advancement in generative AI, replicating voices has become significantly easier and more realistic. Technologies like deep learning and neural networks have made it possible to create highly accurate voice clones that can mimic the tone, pitch, and cadence of a person’s voice. One example is the Joe Biden deepfake robocall before the New Hampshire primary, which told voters not to vote and which voters found very hard to distinguish from the real thing.
5. Charity robocalls
Charity robocalls solicit donations for various causes. While many are from legitimate charities, scammers also use these calls to steal money by pretending to be from well-known organizations.
6. Loan scams
These robocalls offer loans with attractive terms to entice recipients. The goal is often to collect personal and financial information or upfront fees and never provide loan services.
7. Foreign robocalls
These calls come from international numbers and can involve a variety of scams, including fake lottery winnings or threats from foreign governments. These calls often aim to extract money or personal information from recipients.
8. Tech support scams
These robocalls claim to be from tech support teams of major companies, alleging that the recipient’s computer is infected with a virus or has some other problem. The scam involves persuading the victim to pay for unnecessary services or to give remote access to their computer.
How to identify robocalls
Stonebridge Business Partners lists how to recognize robocalls and discusses Pindrop’s Top 40 scam campaigns from 2016, which included Google/business listing scams, loan-related scams, free vacation calls, political campaign calls, local map verification calls, and “lowering your electricity bill” calls. The same article cites the following list of red flags released by the Federal Trade Commission (FTC) to help consumers recognize a phone scam:
- The caller says you’ve been specially selected for the offer.
- They tell you you’ll get a free bonus if you buy their product.
- The caller informs you that you’ve won one of five valuable prizes.
How to stop robocalls
Authorities like the FCC and FTC have implemented the STIR/SHAKEN protocol to verify caller IDs and reduce spoofing. It is a key caller ID authentication framework, mandated as of June 30, 2021, to ensure that all US communications service providers (CSPs) are authenticated for branded calling. They also enforce regulations to curb illegal robocalling activities, such as imposing fines on violators and working with service providers to block suspicious calls.
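To make the STIR/SHAKEN mechanism concrete, here is an added example (not Pindrop’s code, and not a complete verification service) of the checks a receiving side applies to the PASSporT token carried in a SIP Identity header: the token’s header type and algorithm, the attestation level (A, B or C), whether the signed originating number matches the caller ID actually presented on the call, whether the called number is among the signed destinations, and whether the token is fresh. The sample header, payload, certificate URL and origid are constructed for this example, the token carries a placeholder rather than a real signature, and the signature check against the certificate at x5u is assumed to be done by the provider’s verification service.

```python
import base64
import json

# SHAKEN attestation levels: how strongly the originating provider vouches
# for the caller ID it signed (A = full, B = partial, C = gateway).
ATTESTATION_MEANING = {
    "A": "full: provider knows the customer and confirmed it may use this number",
    "B": "partial: provider knows the customer but did not confirm the number",
    "C": "gateway: provider only knows which peer handed it the call",
}
MAX_AGE_SECONDS = 60  # tokens older than this are treated as stale or replayed


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (the JWT/PASSporT encoding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _digits(number: str) -> str:
    """Reduce a phone number to its digits so '+1 202 555 0199' equals '12025550199'."""
    return "".join(ch for ch in number if ch.isdigit())


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact PASSporT with a placeholder signature (constructed sample only).
    A real signing service signs 'header.payload' with its ES256 key; this one is not signed."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.PLACEHOLDER_SIGNATURE"


def parse_passport(token: str) -> dict:
    """Split a compact PASSporT into decoded header, decoded payload and raw signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "signature": parts[2],
    }


def check_passport(token: str, from_number: str, to_number: str, now: float) -> dict:
    """Policy checks a receiving side applies before trusting the presented caller ID.
    The cryptographic signature check against the certificate at x5u is assumed to be
    done by the provider's verification service and is not repeated here."""
    try:
        parsed = parse_passport(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return {"ok": False, "attest": None, "problems": [f"malformed token: {exc}"]}
    hdr, body = parsed["header"], parsed["payload"]
    problems = []

    if hdr.get("typ") != "passport" or hdr.get("ppt") != "shaken":
        problems.append("header is not a SHAKEN PASSporT")
    if hdr.get("alg") != "ES256":
        problems.append(f"unexpected alg {hdr.get('alg')!r}")
    if not hdr.get("x5u"):
        problems.append("missing x5u certificate URL")

    attest = body.get("attest")
    if attest not in ATTESTATION_MEANING:
        problems.append(f"invalid attestation level {attest!r}")
    if _digits(body.get("orig", {}).get("tn", "")) != _digits(from_number):
        problems.append("orig.tn does not match the presented caller ID")
    if _digits(to_number) not in [_digits(tn) for tn in body.get("dest", {}).get("tn", [])]:
        problems.append("dest.tn does not include the called number")
    iat = body.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_AGE_SECONDS:
        problems.append("iat missing or outside the freshness window")
    if not body.get("origid"):
        problems.append("missing origid")

    return {"ok": not problems, "attest": attest, "problems": problems}


# Constructed sample: the certificate URL, origid and numbers are illustrative values.
SAMPLE_NOW = 1_700_000_000
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://sti-ca.example.net/constructed-cert.pem"}
SAMPLE_PAYLOAD = {"attest": "A", "dest": {"tn": ["12025550100"]}, "iat": SAMPLE_NOW - 5,
                  "orig": {"tn": "12025550199"}, "origid": "constructed-origid-0001"}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    print("caller ID matches the signed token:",
          check_passport(token, "+1 202 555 0199", "+1 202 555 0100", SAMPLE_NOW))
    # Same token, but the call now presents a different number: the caller ID was changed after signing.
    print("caller ID changed after signing:",
          check_passport(token, "+1 202 555 0123", "+1 202 555 0100", SAMPLE_NOW))
    print("token replayed an hour later:",
          check_passport(token, "+1 202 555 0199", "+1 202 555 0100", SAMPLE_NOW + 3600))
```

The useful output for a contact center is the attestation level rather than a simple pass/fail: a call that arrives with only gateway (“C”) attestation, or with no Identity header at all, tells you nothing about who owns the presented number, so it is a reason to apply stronger caller verification rather than a reason to trust the caller ID display.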
Set up call spam filters
For individuals, using call-blocking apps and reporting robocalls to the FTC can help mitigate the impact of these unwanted calls.
Put your name on the Do Not Call Registry
The national Do Not Call list protects landline and wireless phone numbers. You can register your numbers on the national Do Not Call list at no cost by calling 1-888-382-1222 (voice) or 1-866-290-4236 (TTY) from the phone number you wish to register. You can also register at donotcall.gov.
Report the number to the FTC and block it
Reporting unwanted calls to authorities and being cautious about sharing personal information can also help avoid robocalls.
How to stop robocalls on Android
The FCC’s website provides consumer tips for stopping unwanted robocalls, as well as a printable version for stopping unwanted texts. It’s also important to know device-specific measures. If you have an Android phone, you can use the built-in call-blocking features under settings and enable the spam calls feature. There are also call-blocking apps, such as Hiya, TrueCaller, and Nomorobo. Carrier-specific services include AT&T Call Protect, Verizon’s Call Filter, and T-Mobile Scam Shield.
How to stop robocalls on iPhone
If you are on an iPhone, you can also go to settings and enable “Silence Unknown Callers.” Use “Do Not Disturb” to only allow calls from your contacts. Apps that help with call blocking on iPhones include RoboKiller, Hiya, and TrueCaller, which can identify and block spam calls. The same carrier-specific settings also apply.
What to do if you get a robocall
The first measure is to avoid answering or engaging, and to report the call. By reporting the call to the FTC at donotcall.gov or to the FCC, you are doing your part to identify potentially fraudulent callers. You can also block the call directly on an Android phone or iPhone by tapping the number and blocking that caller in the future.
Potential risks of answering robocalls
Your voice may be stolen
Scammers may record your voice for unauthorized transactions or identity verification purposes.
Malware attacks
Some robocalls may contain links or prompts that, if followed, can lead to malware being installed on your phone.
Identity theft
Providing any personal information can lead to identity theft. Scammers often try to trick you into revealing sensitive information.
Risk of fiscal loss
Engaging with scam calls can result in financial loss through fraudulent transactions or by providing credit card information.
Spam calls vs. Robocalls – What’s the difference?
Spam calls include any unwanted calls, typically unsolicited marketing or sales calls. Robocalls are automated calls that deliver a pre-recorded message, which can be for marketing, information dissemination, or scams.
According to Robokiller, scammers typically defraud older Americans out of more significant amounts of money. The median loss for people 70-79 was $800 and jumped to $1,500 for those 80 and over. The scams that take these considerable amounts of money from seniors over 80 are calls regarding prizes, sweepstakes, and lottery scams.
Conclusion
Robocalls are persistent, but you can significantly reduce their impact using the right tools and strategies. Use call-blocking features and apps, report suspicious calls, and be cautious about sharing personal information over the phone.
See more on how Pindrop’s technology accurately detected fraud in the Biden AI robocall.
Phone scams have evolved considerably in the past few years, especially as malicious actors have begun to incorporate new technologies into their scams.
Today, phone scams are far more advanced than ever before, and it’s important for call center agents and organizations to understand how they work. In this post, we are going to go over the details to help you understand how phone scams work, and what you can do to protect your business.
The Anatomy of a Phone Scam
Phone scams are generally elaborate, and are usually laid out in several key stages, each designed to manipulate and deceive the target into complying with the scammer’s requests. Understanding these stages can help in identifying and preventing such scams.
1. Preparation
Scammers start by gathering information about their targets. This can involve collecting data from social media, public records, or previous data breaches. The more they know about their target, the more convincing they can be.
2. Initial Contact
The scam begins with a phone call. Scammers often use caller ID spoofing to make it appear as though they are calling from a legitimate or familiar number.
This technique increases the likelihood that the target will answer the call and trust the caller.
3. Building Credibility
Once the call is answered, the scammer works to build credibility. They may impersonate a representative from a well-known organization and use the information they have gathered to sound convincing. The aim is to establish trust and authority.
4. Presenting an Opportunity
The scammer then presents a problem that requires immediate attention (like unpaid taxes or a compromised bank account) or an enticing opportunity (such as winning a lottery or a special investment offer). This creates urgency or excitement, clouding the target’s judgment.
5. Demanding Action
Now, this is when the scam really goes into motion. The scammer will ask the target to take specific action, whether it involves asking for their personal details or banking information.
6. Pressure Tactics
As you can expect, most people tend to resist. They get suspicious and choose not to provide the information that scammers require. To ensure compliance, scammers often use high-pressure tactics.
They might threaten legal action, financial penalties, or other negative consequences. Alternatively, they may create a sense of urgency or scarcity around an opportunity to rush the target into acting without thinking.
How Scammers Target Contact Centers – An Example
With advanced technologies like deepfakes available, scammers often target contact centers as well. In a typical scenario, a scammer might target the call center of a financial institution. They use gathered information about a particular customer to impersonate them.
Armed with enough details (perhaps obtained from a previous data breach), they can sound convincing enough to pass the initial security checks.
The scammer may then create a narrative, such as urgently needing to transfer funds due to an emergency or wanting to update contact information or passwords.
By mimicking the customer’s mannerisms and using their personal information, the scammer can fool the call center agent into believing they are the legitimate account holder.
Once they gain access, they can execute fraudulent transactions, change account details to lock out the actual customer, or gather even more information for future scams.
This type of scam exploits the call center’s focus on customer service and efficiency, sometimes at the expense of rigorous security verification.
And, as you can probably imagine, this creates a nightmare scenario for contact centers in general. Because contact centers are heavily regulated, any breach of customer confidentiality or information creates not only a goodwill problem, but exposes the contact center to heavy litigation.
How Contact Centers Can Protect Themselves
There are several steps that contact centers can take to protect themselves against such issues. Here are a few.
Leveraging Advanced Voice Authentication Technologies
Implementing sophisticated voice biometric systems is crucial. These systems analyze unique characteristics of a caller’s voice, such as tone, pitch, and speech patterns.
They are effective in distinguishing between a legitimate caller and a fraudster, even when the latter uses advanced voice manipulation or deepfake audio.
Anomaly Detection Through AI and Machine Learning
Utilizing artificial intelligence (AI) and machine learning can help in detecting anomalies in voice patterns.
These technologies can learn from vast amounts of data and identify subtle irregularities that might indicate a fraudulent call, such as minor inconsistencies in voice modulation that are not typical of the genuine caller.
Caller Verification Procedures
Beyond voice biometrics, implementing strict caller verification procedures is essential. This may involve multi-factor authentication processes, where callers are required to provide additional information or verification codes sent via different communication channels.
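One way to implement the out-of-band step described above, as an added example rather than Pindrop’s or any vendor’s code: the agent triggers a one-time code to a contact method already on file for the account, and only a matching code, read back within its lifetime and within a small number of attempts, clears the check. The account identifiers, channel names and server secret below are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

CODE_TTL_SECONDS = 300   # a code is valid for five minutes after issue
MAX_ATTEMPTS = 3         # after three wrong guesses the challenge is voided
# Constructed demo secret; a deployment keeps this in a secrets manager and rotates it.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


@dataclass
class Challenge:
    code_mac: bytes    # keyed hash of the code, never the code itself
    channel: str       # where the code was sent (a contact method already on file)
    expires_at: float
    attempts: int = 0


def _mac(account_id: str, code: str) -> bytes:
    """Keyed hash so a leaked challenge table does not reveal live codes."""
    return hmac.new(SERVER_SECRET, f"{account_id}:{code}".encode(), hashlib.sha256).digest()


class OutOfBandVerifier:
    """Issues one-time codes over a second channel and checks what the caller reads back."""

    def __init__(self) -> None:
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, account_id: str, channel: str, now: float) -> str:
        """Create a six-digit code and store only its MAC. A real deployment delivers
        the code over `channel` (SMS, app push or e-mail already on file); it is
        returned here only so the example runs stand-alone."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account_id] = Challenge(
            code_mac=_mac(account_id, code), channel=channel, expires_at=now + CODE_TTL_SECONDS)
        return code

    def verify(self, account_id: str, submitted: str, now: float) -> Tuple[bool, str]:
        """Return (passed, reason). A code is single-use, time-limited and attempt-limited."""
        challenge = self._challenges.get(account_id)
        if challenge is None:
            return False, "no active challenge; issue a new code"
        if now > challenge.expires_at:
            del self._challenges[account_id]
            return False, "code expired; issue a new code"
        challenge.attempts += 1
        # Constant-time comparison of MACs, so timing does not leak how close a guess was.
        if hmac.compare_digest(_mac(account_id, submitted), challenge.code_mac):
            del self._challenges[account_id]   # single use
            return True, f"verified via {challenge.channel}"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._challenges[account_id]
            return False, "too many wrong codes; escalate to a supervisor"
        return False, "code mismatch"


if __name__ == "__main__":
    verifier = OutOfBandVerifier()
    # Constructed walk-through: agent sends a code to the SMS number on file, caller reads it back.
    code = verifier.issue("acct-0001", "sms:number-on-file", now=1000.0)
    print("caller reads back the code:", verifier.verify("acct-0001", code, now=1030.0))
    print("same code presented again:", verifier.verify("acct-0001", code, now=1031.0))
```

The design point that matters for the impersonation scenario described earlier is that the code goes to the channel already on file, never to a number or address the caller supplies during the call; a request to update contact details is itself one of the things the out-of-band step should gate, not something it should take as input.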
Creating an Incident Response Plan
Analyzing the network and technical properties of calls can provide clues about their authenticity.
This includes examining the origin of the call, call quality, and any signs of voice tampering or spoofing. Technologies that analyze these aspects can flag suspicious calls for further investigation.
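As an added example of flagging calls from their network and technical properties (not Pindrop’s code; the signals, weights, thresholds and call records are constructed assumptions for illustration), the following scores each call on missing or gateway-only STIR/SHAKEN attestation, a mismatch between where the call entered the network and the country of the number it presents, poor audio quality, and one presented number asking about several different accounts within a short window. Calls at or above the threshold are routed to stronger verification rather than blocked outright.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed weights and thresholds; a real deployment tunes these on its own traffic.
W_NO_ATTESTATION = 30
W_GATEWAY_ATTESTATION = 20
W_ORIGIN_MISMATCH = 35
W_POOR_AUDIO = 10
W_ACCOUNT_VELOCITY = 40
REVIEW_THRESHOLD = 50        # at or above this, route to enhanced verification
VELOCITY_WINDOW_SECONDS = 600
VELOCITY_MAX_ACCOUNTS = 3    # one presented number asking about this many accounts
POOR_AUDIO_MOS = 3.0         # mean opinion score below this counts as poor quality


@dataclass(frozen=True)
class CallRecord:
    call_id: str
    ts: float                  # seconds since epoch when the call arrived
    caller_id: str             # number presented to the agent
    attest: Optional[str]      # SHAKEN attestation from the Identity header, None if absent
    origin_country: str        # where the carrier says the call entered the network
    caller_id_country: str     # country the presented number belongs to
    mos: float                 # audio quality score, 1.0 (bad) to 5.0 (excellent)
    account_id: str            # account the caller asked about


@dataclass
class Assessment:
    score: int
    reasons: List[str]

    @property
    def needs_review(self) -> bool:
        return self.score >= REVIEW_THRESHOLD


def _accounts_probed(call: CallRecord, history: List[CallRecord]) -> int:
    """Distinct accounts this presented number asked about in the trailing window."""
    return len({
        c.account_id for c in history
        if c.caller_id == call.caller_id
        and call.ts - VELOCITY_WINDOW_SECONDS <= c.ts <= call.ts
    })


def assess_calls(calls: List[CallRecord]) -> Dict[str, Assessment]:
    """Score every call from its network and technical properties, oldest first."""
    results: Dict[str, Assessment] = {}
    ordered = sorted(calls, key=lambda c: c.ts)
    for i, call in enumerate(ordered):
        score, reasons = 0, []
        if call.attest is None:
            score += W_NO_ATTESTATION
            reasons.append("no STIR/SHAKEN attestation on the call")
        elif call.attest == "C":
            score += W_GATEWAY_ATTESTATION
            reasons.append("gateway-only attestation: number ownership not vouched for")
        if call.origin_country != call.caller_id_country:
            score += W_ORIGIN_MISMATCH
            reasons.append(f"entered network in {call.origin_country} but presents a "
                           f"{call.caller_id_country} number")
        if call.mos < POOR_AUDIO_MOS:
            score += W_POOR_AUDIO
            reasons.append("poor audio quality, consistent with multi-hop VoIP relay")
        probed = _accounts_probed(call, ordered[: i + 1])
        if probed >= VELOCITY_MAX_ACCOUNTS:
            score += W_ACCOUNT_VELOCITY
            reasons.append(f"same presented number asked about {probed} accounts "
                           f"in {VELOCITY_WINDOW_SECONDS}s")
        results[call.call_id] = Assessment(score, reasons)
    return results


# Constructed sample traffic: one ordinary call, one presented US number that arrives from
# abroad with no attestation and cycles through accounts, and one attested international call.
SAMPLE_CALLS = [
    CallRecord("c1", 0, "+12025550101", "A", "US", "US", 4.2, "A1"),
    CallRecord("c2", 100, "+12025550177", None, "NG", "US", 2.1, "A2"),
    CallRecord("c3", 200, "+12025550177", None, "NG", "US", 2.1, "A3"),
    CallRecord("c4", 300, "+12025550177", None, "NG", "US", 2.1, "A4"),
    CallRecord("c5", 400, "+442071234567", "C", "GB", "GB", 3.9, "A5"),
]

if __name__ == "__main__":
    for call_id, result in assess_calls(SAMPLE_CALLS).items():
        verdict = "REVIEW" if result.needs_review else "ok"
        print(f"{call_id}: {result.score:3d} {verdict:6s} {'; '.join(result.reasons)}")
```

None of these signals is proof of fraud on its own; an international traveller calling about their own account will trip the origin mismatch, which is exactly why the output is a routing decision toward stronger caller verification rather than a block.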
Protect Your Call Center with Pindrop
Pindrop is an industry-leading voice authentication solution that allows contact centers to authenticate callers using passive voice biometrics. Pindrop’s advanced voice authentication solution not only helps contact centers protect against scammers, but also helps improve overall performance in the call centers while simultaneously enhancing the contact center experience for callers. Request a demo today to learn more!
Voice phishing, often referred to as vishing, is a deceptive technique that cybercriminals employ to trick individuals into giving personal and sensitive information over the phone. We will explore voice phishing, its definition, how it operates, common variations of voice phishing scams, and, most importantly, how you can identify and prevent these attempts to protect your personal information.
What is Voice Phishing / Vishing?
Voice phishing, or vishing, is a form of social engineering where scammers use phone calls to impersonate trusted entities, such as banks, government agencies, or even technical support teams. The ultimate goal is manipulating the call recipient into sharing sensitive information, like account credentials, Social Security numbers, or financial details. These attackers are skilled at creating a sense of urgency or fear, pressuring victims into acting hastily.
How Does a Voice Phishing Scam Work?
Voice phishing scams often begin with a well-crafted call that seems genuine. The scammer may present themselves as a bank representative, IRS agent, or even a tech support specialist. They’ll employ tactics such as Caller ID spoofing to make the call appear legitimate. Once they have your attention, they will create a sense of urgency. They might claim your account is compromised, your taxes are overdue, or your computer is infected with a virus. This urgency is designed to make you drop your guard.
The next step involves extracting information. Scammers may ask for personal details, like your Social Security number, birth date, or account passwords. They might even request a financial transaction to “secure” your account. Once the scammer has your personal information, they can use it to steal your money or identity.
How Voice Phishing Scammers Might Use the Stolen Information
Voice phishing scammers can use the stolen information in various malicious ways. Here are some common scenarios:
- Identity Theft: With access to your Social Security number and personal details, scammers can commit identity theft. They may open credit accounts in your name or engage in other criminal activities using your identity.
- Financial Fraud: Scammers can use your financial information, such as credit card details, to make unauthorized purchases, withdraw funds from your accounts, or transfer money to themselves.
- Account Takeover: If scammers obtain your login credentials for online banking, email, or other accounts, they can take control of these accounts. This can lead to further exploitation and privacy invasion.
- Phishing: Scammers may use the stolen information to craft convincing phishing emails or text messages. By impersonating trusted organizations or contacts, they can trick you into revealing even more sensitive information or clicking on malicious links.
- Blackmail: Scammers might threaten to reveal embarrassing or compromising information they have acquired, coercing you into paying them to keep it secret.
- Romance Scams: If scammers have gathered personal details about your personal life, they may use this information to build trust in romance scams and manipulate you emotionally.
- Social Engineering: The stolen information can be used for further voice phishing attempts. Scammers can contact you again, armed with more details, to make their calls even more convincing.
Common Types of Voice Phishing Scams
Voice phishing comes in various forms, each tailored to deceive victims in specific ways. Here are some common types of vishing:
- Impersonation Scams: These scams involve fraudsters posing as trusted institutions, like banks or government agencies, to lure victims into disclosing personal information. They may claim your account has been compromised and request your account details to “secure” it. Always verify the caller’s identity independently before sharing any information.
- Tech Support Scams: Scammers pretending to be technical support agents claim that your computer is infected or experiencing issues. They will request remote access to your system or demand payment for their “services.” Never grant remote access to unknown callers or make payments to resolve issues you weren’t aware of.
- Bank Scams: Voice phishing scammers may claim to be from your bank and tell you that there is a problem with your account. They may then ask you for your account number, PIN, or Social Security number. For example, a scammer might tell you that your debit card has been compromised and that you need to provide your new PIN immediately.
- Government Agency Scams: Vishing scammers may claim to be from a government agency, such as the IRS or the Social Security Administration. They may tell you that you owe money or that your identity has been stolen. For example, a scammer might tell you that you owe back taxes and that if you don’t pay immediately, they will take your wages.
- Prize Scams: Scammers may tell you that you have won a prize, such as a vacation or a new car. They may then ask you to pay a fee or give them your personal information to claim your prize. For example, a scammer might tell you that you have won a free trip to Disney World but that you need to pay a shipping fee to receive your tickets.
- Student Loan Scams: Vishing scammers may claim to be from a student loan company and offer to help you lower your payments or consolidate your loans. They may then ask you for your Social Security number, loan account number, or other personal information.
- Utility Scams: Scammers may claim to be from your utility company and tell you that your service will be disconnected unless you pay immediately. They may then ask you for your credit card number or bank account information.
- Job Offer Scams: Job offer scams prey on job seekers by promising lucrative employment opportunities. Scammers may pose as recruiters or employers, offering high-paying positions that seem too good to be true. To secure the job, they will request your personal information, such as your Social Security number or banking details.
- Charity Scams: Charity scams exploit individuals’ generosity by pretending to represent reputable charitable organizations. Scammers often claim to raise funds for disaster relief, veterans, or various causes. They will ask for donations and request your credit card number or bank account information.
- COVID-19 Scams: Scammers may claim to be from a government agency or healthcare organization and offer to provide you with information about COVID-19 or a vaccine. They may then ask for your personal information or financial information.
How to Spot and Avoid Voice Phishing Scams
Protecting yourself from vishing scams is crucial. Here are some key steps to identify and prevent falling victim to voice phishing:
- Be suspicious of unsolicited phone calls from trusted organizations: Be cautious of any unsolicited phone call claiming to be from a trusted organization. Legitimate entities typically do not make unexpected calls to ask for your personal information.
- Never give out personal information on a call you did not initiate: If you are unsure about the legitimacy of a call, hang up and call the organization back at a number you already have, such as the one printed on your card or statement, not a number the caller gives you.
- Be wary of urgency and scare tactics: Legitimate organizations will not pressure you to make a decision immediately, and they will not threaten you with legal action or financial losses if you do not comply with their demands.
Other tips to help you spot and avoid voice phishing scams:
- Pay attention to scripted or stilted phrasing and inconsistent details: Vishing callers usually work from a script and stumble when asked something it does not cover, such as which account they are calling about. An accent on its own is not a reliable signal either way.
- Beware of calls from unfamiliar phone numbers: If you do not recognize the phone number, it is best to let it go to voicemail.
- Do not call back phone numbers left on your voicemail: Scammers often leave voicemail messages that contain a callback number. If you call back this number, you may be connected to a scammer.
- Be careful about clicking on links in text messages or emails: Especially if they claim to be from a trusted organization. These links can lead to phishing websites designed to steal your personal information.
Voice phishing scams are a serious threat, but with vigilance and proactive measures, you can shield yourself from their potential harm. Scammers use various guises to manipulate victims into revealing sensitive information, and the consequences of falling prey to their tactics can be devastating. By adhering to best practices, such as not sharing personal information over the phone and being cautious of unsolicited calls, you can prevent their attempts and safeguard your privacy and security.
Pindrop Helps Prevent Voice Phishing
In the ongoing battle against voice phishing, Pindrop is a formidable ally. Pindrop’s advanced technology employs voice biometrics and artificial intelligence to verify callers’ identities, ensuring that you speak with the genuine entity you intend to. By identifying the unique characteristics of each voice, Pindrop helps prevent voice phishing attempts. Pindrop’s proactive approach to security empowers individuals and organizations to guard against vishing scams effectively. By embracing modern technology and staying vigilant, we can collectively protect ourselves against this pervasive threat.
Contact us to discover how Pindrop’s cutting-edge solutions can fortify your defense against voice phishing scams. Request a Pindrop demo to learn more about how Pindrop can help you or your organization prevent voice phishing scams and take a step toward safeguarding your sensitive information in an increasingly connected world.
Fraud was never fun, and its costs for corporations can climb high when you consider the personnel, re-issuance, and other remediation costs incurred on the operational side, in addition to customer attrition and brand damage. As the world adjusts to an incurable disease and devises ways to stay connected, voice interaction with customers has spiked and fallen, and so have fraud rates. As more consumers stay home and deal with economic uncertainty and heightened stress levels, fraudsters and fraud rings are stepping up their targeting of consumer information via the phone channel.
Even if the targeting of consumers is not of particular interest to you, you may find this post useful if you are concerned with verifying consumers, preventing their information from being harvested through your phone channel, or stopping malevolent access to their accounts. Today, we will look at how consumer-focused vishing attacks impact your contact center and cost you money.
“Contact centers are impacted by vishers operationally and financially.”
What is Vishing, and How Does It Impact Corporations?
Vishing is a form of phishing that occurs in the phone channel. Instead of sending bogus emails with malicious links to your employees to gain access to systems, vishers use the phone channel inside and outside of the contact center, posing as genuine callers or entities to trick consumers or customer service agents into providing bits of information they can later use to commit fraud.
Compromised customer records and vished information threaten your corporation’s security posture inside and outside of the phone channel. The information that fraudsters gather helps to build profiles that, once complete, allow fraudsters and fraud rings to bypass legacy security measures like KBAs. Contact centers are impacted by vishers operationally and financially. The time lost handling these calls, the account takeovers they result in, and the brand damage you incur as your customers are compromised, violated, and inconvenienced are what cost you money.
How Vishing Costs You Money
Since about 75% of fraud complaints to the FTC involve contact with consumers by phone, when you think of vishing – you think of consumers receiving calls. But phishing activities are also occurring via the phone channel, inside your contact center.
IVR Vishing
Professional fraudsters use IVRs for data reconnaissance: testing guessed PINs and passwords, and refining their approach by validating details such as account balances with information they gathered from consumers over the phone, from the IVR itself, or from your contact center agents. The IVR is also a home for fraud rings. With little or no monitoring present, teams of fraudsters call simultaneously, slowly building consumer profiles until they finally gain access and cause monetary loss. Reconnaissance is a necessary step in the attack but is separate from the fraudulent withdrawal itself, which often follows 30 or more days later, and sometimes months later.
Agent Vishing
Contact center agents are also susceptible to vishing, though we commonly refer to this as social engineering. Fraudsters bypass KBAs 20% of the time, and even when they don’t, they are still often able to mine information from even the most seasoned agents. Using psychological tricks and playing on any uncertainty or anxiety in the news headlines, these fraudsters often work in organized crime rings and combine agent calls with IVR probing.
These crime rings have multiple parties strike your contact center at once. Without visibility at the account level, or some way of monitoring data reconnaissance, contact center fraud leaders cannot adequately address vishing’s impact.
In short, vishing impacts your contact center via consumer-focused attacks designed to socially engineer and mine data from those contact center resources. You can address vishing, data reconnaissance, and fraud ring activity with risk-based authentication and anti-fraud strategies.
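As an added example (not Pindrop’s code or detection logic), the Python below implements the two reconnaissance patterns described above over a constructed IVR event log: one calling number trying PINs across several accounts and then validating a balance without moving money, and several numbers working one account in the same window. The log format, the event names and the thresholds are assumptions made for the illustration.

```python
"""Detector for IVR reconnaissance over a constructed IVR event log.

Added example; not Pindrop's code. Log format, event names and the
thresholds are assumptions made for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IvrEvent:
    ts: datetime
    ani: str       # calling number
    account: str   # account the caller entered in the IVR
    event: str     # PIN_FAIL, PIN_OK, BALANCE_INQUIRY, TRANSFER, PAYMENT


# Constructed sample log: one number guessing PINs across accounts and then
# validating a balance, three numbers working the same account, and one
# ordinary customer who checks a balance and then moves money.
SAMPLE_LOG = """\
2024-03-04T09:00:05 +14045550101 acct-1001 PIN_FAIL
2024-03-04T09:01:10 +14045550101 acct-1002 PIN_FAIL
2024-03-04T09:02:30 +14045550101 acct-1003 PIN_FAIL
2024-03-04T09:03:45 +14045550101 acct-1004 PIN_OK
2024-03-04T09:03:50 +14045550101 acct-1004 BALANCE_INQUIRY
2024-03-04T09:10:00 +14045550102 acct-1004 PIN_FAIL
2024-03-04T09:11:00 +14045550103 acct-1004 PIN_FAIL
2024-03-04T09:12:00 +14045550104 acct-1004 PIN_FAIL
2024-03-04T10:00:00 +17705550199 acct-2001 PIN_OK
2024-03-04T10:00:20 +17705550199 acct-2001 BALANCE_INQUIRY
2024-03-04T10:01:00 +17705550199 acct-2001 TRANSFER
"""


def parse_log(text):
    """Parse 'timestamp ani account event' lines into IvrEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ani, account, event = line.split()
        events.append(IvrEvent(datetime.fromisoformat(ts), ani, account, event))
    return sorted(events, key=lambda e: e.ts)


def score_anis(events, window=timedelta(minutes=30), max_accounts=2, max_fails=2):
    """Return {ani: [reasons]} for calling numbers that behave like reconnaissance."""
    by_ani = defaultdict(list)
    for e in events:
        by_ani[e.ani].append(e)
    flagged = {}
    for ani, evs in by_ani.items():
        reasons = []
        fails = [e for e in evs if e.event == "PIN_FAIL"]
        # Signal 1: failed PINs on more than max_accounts distinct accounts inside one window.
        for i, first in enumerate(fails):
            accts = {e.account for e in fails[i:] if e.ts - first.ts <= window}
            if len(accts) > max_accounts:
                reasons.append(f"PIN attempts on {len(accts)} accounts within {window}")
                break
        # Signal 2: a PIN success reached after more than max_fails failures, followed by
        # a balance check and no money movement: the balance is being validated, not used.
        for ok in (e for e in evs if e.event == "PIN_OK"):
            if sum(1 for f in fails if f.ts < ok.ts) <= max_fails:
                continue
            later = {e.event for e in evs if e.account == ok.account and e.ts > ok.ts}
            if "BALANCE_INQUIRY" in later and not later & {"TRANSFER", "PAYMENT"}:
                reasons.append(f"balance validated on {ok.account} after guessed PIN, no transaction")
        if reasons:
            flagged[ani] = reasons
    return flagged


def ring_targets(events, window=timedelta(minutes=15), min_anis=3):
    """Accounts that received failed PINs from at least min_anis distinct numbers in one window."""
    by_account = defaultdict(list)
    for e in events:
        if e.event == "PIN_FAIL":
            by_account[e.account].append(e)
    targets = set()
    for account, fails in by_account.items():
        for i, first in enumerate(fails):
            anis = {e.ani for e in fails[i:] if e.ts - first.ts <= window}
            if len(anis) >= min_anis:
                targets.add(account)
                break
    return targets


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ani, why in score_anis(evs).items():
        print(ani, "->", "; ".join(why))
    print("accounts worked by a ring:", sorted(ring_targets(evs)))
```

The account-centric `ring_targets` view is the one the paragraph above says fraud leaders usually lack: a per-call or per-ANI velocity rule never sees three different numbers quietly sharing one target. Thresholds should be tuned against your own IVR volumes; a legitimate customer who mistypes a PIN twice on one account never trips either rule.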
Pindrop has curated comprehensive tools and resources on verifying customers quickly, safely, and seamlessly, and on preventing malevolent access to accounts with risk-based anti-fraud solutions.
Some attackers have taken to using a new phone bot for the Discord chat and voice app to send large numbers of harassing and nuisance calls to individual victims, retailers, and even law enforcement agencies.
Known as Phonecord, the bot is being used in a number of different ways. But unlike most other phone-based campaigns, the attackers behind these aren’t out to make money off their calls. Instead, they’re using the calls as a way to harass and annoy their targets. Analysts at Flashpoint have been tracking these campaigns recently, and say that the actors behind them are taking advantage of Discord’s ease of use and Phonecord’s features to go after a variety of targets.
“Although telephone bots in and of themselves are nothing new, Phonecord is relatively unique because it utilizes the social and communication application Discord, which enables users to make international calls directly and easily from the app’s voice chat functionality. And because those seeking to use the Phonecord bot have the option to pay for the service in Bitcoin, most users remain relatively anonymous,” David Shear of Flashpoint said in a post analyzing the campaigns.
“While Discord has long been popular among the gaming community, the app’s ease of use and ability to withstand distributed denial-of-service (DDoS) attacks has given rise to its heavy usage among cyber threat actor communities.”
Shear said the actors using Phonecord have targeted both the FBI and the UK’s National Crime Agency and also have used the bot to pull pranks, such as having dozens of pizzas delivered to a victim’s house. Phone bots have been around for many years, and have been used for any number of different things. Some are used for robocalls and others are used for phone fraud schemes. There’s even an anti-bot bot called Jolly Roger that is designed to combat other phone bots by putting them into a black hole of nonsensical conversations.
The campaigns that Flashpoint has been following probably will keep going, Shear said.
“Flashpoint analysts assess with high confidence that threat actors will likely continue to use the Phonecord bot to carry out harassment campaigns against various individuals and organizations unless the administrators of the service institute additional controls and countermeasures,” he said.
Image: Dan Wiedbruck, CC By-nd license.
Phone scammers have adopted a new tactic recently that is part of a long-term scheme to impersonate victims during calls with banks or other financial institutions.
The new technique involves a scammer calling a victim and when the victim answers, immediately asking, “Can you hear me?” The idea is to record the victim’s voice as he says “yes”, and then use that recording in future calls with the victim’s financial institutions and other companies he does business with. In their initial calls to victims, the scammers often will pretend to be calling from a legitimate company, such as a bank.
The FCC said it has received a slew of complaints about this scam and is warning consumers not to give the fraudsters any information at all.
“According to complaints the FCC has received and public news reports, the fraudulent callers impersonate representatives from organizations that provide a service and may be familiar to the person receiving the call, such as a mortgage lender or utility, to establish a legitimate reason for trying to reach the consumer,” the FCC warning says.
“The scam begins when a consumer answers a call and the person at the end of the line asks, ‘Can you hear me?’ The caller then records the consumer’s ‘Yes’ response and thus obtains a voice signature. This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.”
The best defense against this technique, and many other phone scams, is not to answer calls that come from unknown or blocked numbers. However, many scammers will spoof the caller ID information when they call victims, making it difficult to distinguish legitimate from fake calls.
Image: Da Sal, CC by license.
The FCC is warning consumers, as well as marketers, that robotexts sent by autodialers to mobile phones are illegal and the commission says it will be cracking down on the practice.
Robotexts are the younger cousin of the robocalls that have been plaguing consumers and businesses for a long time. Whereas robocalls typically are made by autodialers and may have a real person or a recording on the other end, robotexts are sent out en masse by autodialers and usually are delivering ad messages or sometimes phishing links. The texting issue is a much newer problem than robocalls, but the FCC is telling consumers and marketers both that the law and the commission treat robotexts the same way as calls.
“The FCC has stated that the restrictions on making autodialed calls to cell phones encompass both voice calls and texts. Accordingly, text messages sent to cell phones using any automatic telephone dialing system are subject to the Telephone Consumer Protection Act of 1991,” the commission said in an advisory.
“The FCC’s corresponding rules restrict the use of prerecorded-voice calls and automatic telephone dialing systems, including those that deliver robotexts. The FCC’s Enforcement Bureau will rigorously enforce the important consumer protections in the TCPA and our corresponding rules.”
Aside from the annoyance factor, the main problem with robotexts is that they often cost recipients money. Depending upon their cell plan, many consumers are charged for texts they receive. The FCC said that unless consumers have given prior written consent, almost all commercial robotexts are illegal. The exceptions are texts from nonprofits and some health-care related messages. The sender is responsible for being able to prove that it has prior consent for sending the texts.
“Those contending that they have prior express consent to make robotexts to mobile devices have the burden of proving that they obtained such consent. This includes text messages from text messaging apps and Internet-to-phone text messaging where the technology meets the statutory definition of an autodialer. The fact that a consumer’s wireless number is in the contact list of another person’s wireless phone does not, by itself, demonstrate consent to receive robotexts,” the FCC advisory says.
The ongoing problem of fraudsters targeting senior citizens with sophisticated phone scams has taken a new turn, as the criminals have begun using a technique that involves them showing up at victims’ homes to collect their debit cards.
The scam is an extension of a common phone fraud technique in which criminals call victims–typically senior citizens–and inform them that they have identified some fraud on the victim’s account. The callers often pretend to be from the victim’s bank, saying that they have discovered some problematic transactions on the account and need to confirm some personal details in order to fix the issue. They sometimes will ask for the victim’s account number, PIN, and other details, and then use those details in order to steal money from the account.
In some newer cases, the caller will tell the victim that the bank is issuing her new credit or debit cards and that he just needs the PIN on the card in order to cancel the existing cards. The criminal promises that the cards will arrive in the mail the next day, and will then call back to ask if the cards came. When the victim says no, the fraudster will then send a courier to the victim’s house to collect the old cards, as a courtesy, and then the criminals will immediately use the cards to withdraw money from the accounts.
“Telephone fraud has traditionally been a faceless crime, but criminals are now defrauding victims over the phone before collecting their cash cards in person. This poses all kinds of risks to the individual concerned, let alone the financial losses they will incur if they are conned,” said Detective Sergeant Garry Knight, of Bournemouth Criminal Investigation Department in the U.K., in an alert on the scams Tuesday.
The physical component of this scam is unusual, as most phone fraud schemes are designed to succeed solely on the basis of the phone calls. In another twist on these calls, the caller will pose as a police officer, tell the victim that he is from the fraud department, and ask the victim whether she has authorized a given transaction. In a call recorded by the Dorset (U.K.) Police, the criminal uses this ruse on his victim, an elderly woman, and then instructs her to call the emergency services number (999) immediately to verify the problem. The scammers in this case leave the phone line open rather than hanging up, so when the victim dials 999 she is again connected to a scammer.
“We have reason to believe that you have been frauded, that someone has made a fraudulent transaction in your account in the amount of 1000 pounds. Can I just confirm that that was you?” the scammer says in the recorded call.
The fraudster claims to be from the “Visa fraud department” at the police department, and tells the victim that she should call 999 as soon as possible in order to fix the problem.
“The sooner you do that, the better,” he says.
This kind of phone fraud has emerged as a serious issue in a number of countries, and the U.K. has seen more than its share of it. Police in Dorset estimate that various phone fraud scams have cost residents almost £1,100,000 since 2014.
“Nobody, no matter which organisation they claim to be from, will ask you for bank details over the phone or on your doorstep. This includes the police, banks and retailers,” Knight said.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a small business owner running a website through a popular hosting site. You have purchased the unique URL that fits your company, and you set up your website. You muddle your way through figuring out SEO, m
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?
- Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location through Caller ID spoofing
- Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, to initiate account takeovers
- Impersonation – by falsely implying that they are associated with Google, they are gaining your trust and/or intimidating you with their importance
Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams affecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
It’s a chilly January day. You’ve been busy hitting the ground running on your New Year’s resolutions, getting back into the daily grind at work, or stocking your pantry for impending snowstorms. One day in the midst of all the hustle and bustle, you receive this call:
“You may already know effective January 1st of this year, federal law mandates that all Americans have health insurance. If you missed open enrollment, you can still avoid tax penalties and get covered during the special enrollment period, often at little or no cost to you.”
Oh no! Open enrollment has ended and you haven’t signed up for health insurance. You don’t want to be penalized on your taxes so you quickly press one for more information. Soon after you have selected the healthcare plan right for you, paid with your credit card, and avoided all penalties… or so you thought.
What Really Happened
Scammers used a fake robocall to gain your personal information including social security number, your bank account, and your address. With this information, these fraudsters racked up purchases on your credit card and opened new accounts. Because the insurance you thought they offered you was made up, you also are penalized for being uninsured come tax time. Attackers have successfully stolen your identity using the following tactics.
- Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location
- Confusion – You’ve heard something about Obamacare and tax deadlines, but you haven’t paid much attention to the details. Fraudsters take advantage of your confusion.
- Cross-channel Fraud – Fraudsters use many different channels to extract sensitive information. In the case of the Healthcare Scam, fraudsters use the phone channel to collect personal information and then use that information in other channels, such as online or in the call center.
Healthcare Scam Examples
5 Obamacare Scams and How to Avoid Them – In addition to offering healthcare, scammers will also tell victims they can get lowered insurance rates, pretend to be government agents, or even offer nonexistent “Obamacare cards”.
Expert Warns about Healthcare Scammers – Brownsville, TX – fraudulent robocallers warn residents about $695 penalty for not enrolling in healthcare.
State Warns of Multiple Scams and Fraudulent Practices in Oregon – Phone scammers are preying upon the financial troubles of Moda Health, calling and intimidating those using Moda as their primary insurance carrier.
Like malware authors, phone scammers change their tactics and lures often, but for the most part, they play the hits. And the number one song so far this year has been the Google/Yahoo/Bing listing scam that accounted for 22 percent of robocalls in January.
The new data from Pindrop Labs shows that scammers are using this scam to prey on the desire of small business owners to raise the profile of their businesses. The scam is a simple one and involves a robocall that supposedly comes from “your local Google specialist”, who is nice enough to offer the recipient a listing on the first page of Google’s search results. That’s some valuable real estate and it probably isn’t something that Google’s ad sales team has to make cold calls to sell.
Collected from a network of honeypot phone numbers controlled by Pindrop Labs, the data reveals that the Google listing scam, which first emerged in 2014, has increased in popularity among phone scammers in the year-plus since it emerged. In 2015, the scam accounted for about 4.4 percent of robocalls hitting the phoneypot numbers. If someone answers one of the calls, the scammer tries to pressure him into giving up a credit card number to cover some taxes or other phantom costs.
Here’s what a sample script for one of these calls looks like:
“Hi! This is Sharon, your local Google specialist. We have a front page position available for business like yours and can guarantee front page placement with unlimited clicks twenty four hours a day. Press the one key right now to see if you qualify and are interested in receiving calls from customers locally searching for your type of business. Please press one now or press the two key to be removed thank you.”
Although the Google listing scam is a big percentage of the robocalls hitting the phoneypot numbers, Pindrop Labs researchers looked at a sample of more than 500 of these calls and found that they could be linked to about 75 individual callers.
In addition to the Google listing, scammers also used the Obamacare enrollment deadline at the end of January as leverage for calls trying to pressure people into surrendering personal information, which is then used in identity theft schemes. Those calls comprised 8.8 percent of scam calls in January.
Image from Flickr stream of Rob Brewer.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a call center representative for a major telecommunications carrier. Days are pretty easy: you help customers troubleshoot problems and use KBAs to identify customers before helping them. Sometime in the afternoon you get a call from one of your co-workers who is having a technical issue. No worries, this sort of thing happens all the time. After verifying that he has his employee ID number, you help your fellow call center rep get an account number, PIN,
Here’s What Really Happened
Little did you know that co-worker of yours wasn’t actually an employee, he was a high school hacker, and that information you helped get belonged to a minor internet celebrity. From there the hacker got access to the victim’s email account and found numerous documents, including personal emails, contact lists, phone logs, and even social security numbers. So how did this happen?
- Social Engineering – The high schooler was able to trick several call center representatives into divulging sensitive information all by finding the victim’s phone number online and locating the provider associated with that number. He was able to pass several knowledge based authentication questions (KBAs) just by looking on the Internet.
- Reconnaissance – The caller knew that you would need his employee ID number to get him the information he needed. That means he’d already done his research, making test calls or searching online, to learn what format would make his own fake ID number believable.
- Cross-Enterprise Attacks – Wait – who got attacked here? You gave out the information, but the fraudster was actually hacking into an account at an entirely different company.
Employee Impersonation Scam Examples
The Employee Impersonation Scam can happen to anyone.
How a Teenager Hacked the CIA with Just a Few Phone Calls
High school student uses social engineering to hack CIA Director’s personal AOL account
Using Only His Phone, Man Scams 217 Macy’s Stores Into Issuing Fraudulent Refunds
In September, the FBI arrested a man for calling Macy’s department stores and impersonating the “Director of Customer Service.” With a few phone calls, he was able to get refunds for products never actually purchased.
How Scammers Are Stealing Xbox Live Accounts
Anonymous hackers explain how they impersonate Tech Support agents to take over Xbox Live accounts.
For more information on how phone fraud affects banks, register for our upcoming webinar, “Bank Fraud Goes Low Tech”
The Scam
Imagine that you’re a customer service agent at a banking call center. You receive a call from someone who sounds a bit like a chipmunk. You talk to so many people every day that it’s nothing too out of the ordinary. Before you can start helping the customer, you must verify her identity. You ask for the customer’s mother’s maiden name.
“My father was married three times, so can I have three guesses?” replies the customer.
“Of course,” you reply with a smile. She gets it on the third guess – It was Smith.
After that, the customer, who tells you she is recently married, just needs help with a few quick account changes: mailing address and email address. She checks on the account balance and ends the call. You wish all of your calls were this easy.
Here’s What Really Happened
A month later, the newlywed’s account is cleared of money. It turns out, she wasn’t a newlywed after all. She hadn’t changed her address or her email. Instead, the person you spoke to on the phone was an attacker, performing the first steps in an account takeover. After changing the contact information on the account, the attacker got into the customer’s online banking and changed her passwords and PIN numbers. It wasn’t long before the attacker began to steal funds from the account.
It’s called Account Takeover Fraud, but it actually combines several popular scam techniques:
- Voice Distortion – Attackers have many tools for changing the way their voice sounds over the phone. They may be trying to impersonate someone of the opposite gender, or simply attempting to avoid voice biometric security measures. Less sophisticated attackers sometimes go overboard on this technique and end up sounding like Darth Vader or a chipmunk.
- Social Engineering –Think of social engineering as old-fashioned trickery. Attackers use psychological manipulation to con people into divulging sensitive information. In this scam, the attackers acted friendly, and jokingly asked for extra guesses on the Knowledge Based Authentication (KBA) questions.
- Reconnaissance – Checking an account balance for a customer may seem like a low-risk activity. But this is exactly the type of information that an attacker can use in later interactions to prove their fake identity. Pindrop research shows that only 1 in 5 phone fraud attempts is a request to transfer money. Banks that recognize these early reconnaissance steps in an account takeover can often stop the attack months ahead of time.
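The account-level view that catches this sequence before the money moves can be expressed as a risk-based authentication rule. The Python below is an added example, not Pindrop’s scoring: it scores a constructed account history for the signals in the scenario above (KBA passed only after extra guesses, contact details changed, balance checked on the same call, credentials reset in another channel afterwards) and decides whether a later transfer is allowed, stepped up, or held. The event names, weights and thresholds are assumptions made for the illustration; the one design point worth keeping is that a held transfer is confirmed using the contact details on file before the change, never the new ones.

```python
"""Risk-based decision for a money-movement request, built from the
account-level reconnaissance signals in the account takeover scenario.

Added example; not Pindrop's scoring. Event names, weights and
thresholds are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccountEvent:
    ts: datetime
    channel: str   # "phone", "ivr" or "online"
    kind: str      # KBA_FAIL, KBA_PASS, CONTACT_CHANGE, BALANCE_INQUIRY, CREDENTIAL_RESET
    detail: str = ""


# Constructed history for one account, following the scenario: KBA passed on the
# third guess, address and email changed, balance checked; a month later the online
# password and PIN are reset, and then a transfer to a new payee is requested.
HISTORY = [
    AccountEvent(datetime(2024, 2, 5, 14, 2), "phone", "KBA_FAIL", "mother's maiden name"),
    AccountEvent(datetime(2024, 2, 5, 14, 3), "phone", "KBA_FAIL", "mother's maiden name"),
    AccountEvent(datetime(2024, 2, 5, 14, 4), "phone", "KBA_PASS", "mother's maiden name"),
    AccountEvent(datetime(2024, 2, 5, 14, 6), "phone", "CONTACT_CHANGE", "mailing address"),
    AccountEvent(datetime(2024, 2, 5, 14, 7), "phone", "CONTACT_CHANGE", "email"),
    AccountEvent(datetime(2024, 2, 5, 14, 8), "phone", "BALANCE_INQUIRY"),
    AccountEvent(datetime(2024, 3, 6, 9, 15), "online", "CREDENTIAL_RESET", "password"),
    AccountEvent(datetime(2024, 3, 6, 9, 17), "online", "CREDENTIAL_RESET", "PIN"),
]
# Constructed contrast case: a customer who only updated an email address last week.
EMAIL_ONLY = [AccountEvent(datetime(2024, 3, 1, 12, 0), "online", "CONTACT_CHANGE", "email")]
REQUEST_TS = datetime(2024, 3, 7, 10, 0)   # when the transfer is requested


@dataclass
class Decision:
    action: str                 # ALLOW, STEP_UP or HOLD
    score: int
    reasons: List[str] = field(default_factory=list)
    # When set: confirm with the customer using the contact details on file
    # *before* this moment; anything changed after it may belong to the attacker.
    verify_as_of: Optional[datetime] = None


def score_history(history, now, lookback=timedelta(days=45)):
    """Score reconnaissance signals seen inside the lookback window."""
    recent = sorted((e for e in history if timedelta(0) <= now - e.ts <= lookback),
                    key=lambda e: e.ts)
    score, reasons = 0, []
    # KBA passed only after failed guesses on the same call: the "three guesses" trick.
    for i, e in enumerate(recent):
        if e.kind == "KBA_PASS":
            guesses = [f for f in recent[:i] if f.kind == "KBA_FAIL"
                       and f.channel == e.channel and e.ts - f.ts <= timedelta(minutes=10)]
            if guesses:
                score += 2
                reasons.append(f"KBA passed after {len(guesses)} failed guesses")
    changes = [e for e in recent if e.kind == "CONTACT_CHANGE"]
    first_change = changes[0].ts if changes else None
    if changes:
        score += 2
        reasons.append("contact details changed: " + ", ".join(e.detail for e in changes))
        # Balance checked on the same call as the change: validating the account, not using it.
        if any(e.kind == "BALANCE_INQUIRY" and abs(e.ts - changes[-1].ts) <= timedelta(minutes=15)
               for e in recent):
            score += 1
            reasons.append("balance checked alongside the contact change")
        # Credentials reset in another channel after the change: the new email gets the reset links.
        if any(e.kind == "CREDENTIAL_RESET" and e.ts > first_change for e in recent):
            score += 2
            reasons.append("credentials reset after the contact change")
    return score, reasons, first_change


def decide_transfer(history, request_ts, new_payee):
    """Decide whether a transfer requested at request_ts may proceed."""
    score, reasons, first_change = score_history(history, request_ts)
    if new_payee:
        score += 1
        reasons.append("transfer to a payee not seen before")
    if score >= 6:
        return Decision("HOLD", score, reasons, first_change)
    if score >= 3:
        return Decision("STEP_UP", score, reasons, first_change)
    return Decision("ALLOW", score, reasons)


if __name__ == "__main__":
    d = decide_transfer(HISTORY, REQUEST_TS, new_payee=True)
    print(d.action, d.score, "; ".join(d.reasons), "| verify as of", d.verify_as_of)
```

On the constructed history the request is held with `verify_as_of` pointing at the first contact change, so the callback goes to the address and email the customer had before the “newlywed” call. The email-only customer is allowed through, and is stepped up only when also paying someone new; that asymmetry is what keeps a rule like this from flooding the fraud queue.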
Account Takeover Fraud in the News
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud – Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.
Account Takeovers Can Be Predicted – Apart from collecting publicly available information about the victim, generally posted on social networking websites, cybercriminals resort to contacting call centers in order to find something that would help in their nefarious activities.
Time to Hang Up: Phone Fraud Soars 30% – Phone scammers typically like to work across sectors in multi-stage attacks. This could involve calling a consumer to phish them for bank account details and/or card numbers; then using those details to call their financial institution to pass identity checks and thus effect a complete account takeover.
For more information on how phone fraud affects banks, register for our upcoming webinar, “Bank Fraud Goes Low Tech”
The Scam
Imagine that you’re a senior executive at a law firm or hedge fund. It’s the end of a long week at the office. Just as you’re about to hit the road, you answer one last phone call. It’s your company’s bank. They tell you that they’ve detected fraudulent activity on your account. This sounds like it’s going to be a pain to take care of.
Fortunately, this counter-fraud team seems to have everything under control. They already have most of your information. They just need to verify a few details, including your online security code, and they can cancel the suspicious transactions. You give them the information they need and head home, making a note to check in on what happened when you get back on Monday.
When you arrive back at the office the next week, you log into your firm’s online bank account to check that the fraudulent transactions were canceled. Instead, you see that more than a million dollars has gone missing…
Here’s What Really Happened
It turns out that wasn’t actually your bank calling on Friday afternoon. It was an attacker. When you “verified” your online security details, you were actually giving the attackers everything they needed to take over your company’s account. After you left the office, they logged in and transferred the money out of your account. They know that Friday afternoon is when conveyancing transactions are completed, so by the time everyone returns to the office on Monday, that money is long gone.
It’s called the Friday Afternoon Scam, but it actually combines several popular scam techniques:
- Spear Phishing / Spear Vishing – Unlike many phone scams, which cast a broad, random net, spear phishing or spear vishing attacks are extremely targeted. The attacker will often do extensive research on a single executive in an attempt to steal intellectual property, financial data, or other trade secrets. Here, the attackers are specifically targeting CFOs and other high-level financial executives.
- Social Engineering – Think of social engineering as old-fashioned trickery. Attackers use psychological manipulation to con people into divulging sensitive information. In this scam, the attackers call on a Friday afternoon, knowing that the executive will be distracted.
- Bank Impersonation – By pretending to be calling from the company’s bank, the fraudsters were able to gain the executive’s trust fairly easily. Attackers can impersonate a bank by doing reconnaissance work to learn which bank the company uses and spoofing that bank’s Caller-ID. Often attackers will transfer the call to a ‘manager’ in order to make it seem more legitimate.
Friday Afternoon Scam Examples
A London Hedge Fund Lost $1.2 Million in a Friday Afternoon Phone Scam – Last week, Bloomberg reported on this scam, which targeted Fortelus Capital Management LLP’s CFO, Thomas Meston. As a result, Meston was terminated and is now being sued by the fund. The firm claims he breached his duty to protect the firm’s assets.
SRA Warns of ‘Friday Afternoon Fraud’ Risk – Earlier this year, the UK’s Solicitors Regulation Authority reported that it had been receiving four reports a month of law firms being tricked by Friday Afternoon Scams. Law firms reported an average $500,000 loss per scam.
Robocalling and other malicious calling campaigns continue to plague the telecommunications industry. The FTC received nearly two million complaints about robocalls in 2014, accounting for about half of the total Do Not Call Complaints made that year. These unwanted calls waste more than 20 million working hours each year for SMBs.
One tool that is helping to solve the problem of robocalling is the Pindrop PhoneypotTM, a large-scale telephony honeypot that allows researchers to collect data from millions of calls to unlisted numbers. Pindrop researchers use the phoneypot to detect calling patterns for unwanted callers, such as robocallers, debt collectors and telemarketers. This provides researchers with new insights into telephony abuse and attack patterns.
Last week, postdoc Payas Gupta presented his research collaboration with Georgia Tech and Pindrop Security at the NDSS Symposium. In March, Pindrop co-founder and CEO Vijay Balasubramaniyan will appear on a panel at this year’s CFCA Educational Event to discuss the phoneypot project. The panel, which features industry experts from academia, regulators, law enforcement, policy, and solution providers, will focus on the problem of robocalls and the way voice honeypots, such as Pindrop’s Phoneypot, can contribute to the solution.
The panel will take place from 10:15 to 11:15 on Wednesday, March 4th at the Tropicana Hotel in Las Vegas, NV.
Moderator: Adam Panagia, AT&T
Panelists:
Mustaque Ahamad, Georgia Tech
Kevin Rupy, US Telecom
John Cunningham, CenturyLink
Vijay Balasubramaniyan, Pindrop Security
About CFCA – FIINA Joint Educational Event
Expansion in the telecom industry makes it very important for fraud prevention professionals to build relationships that transcend international borders in order to be successful in protecting their company’s assets. That’s why this joint event with FIINA is going to be one of the best opportunities you’ll ever have to network with experts from all over the world. Don’t miss the opportunity to hear first hand what industry experts are envisioning for the upcoming year for fraud as well as recent cases where individual investigators have worked together with their colleagues from other companies and agencies to investigate and stop fraud.
The IRS is warning people about the “largest ever” phone fraud scam targeting taxpayers. In the interest of learning more about this phone-based threat, Pindrop has investigated the attacks and, among other things, we have successfully posed as a victim and recorded the call. What follows is the complete audio and transcript of the interaction, and our analysis of some of the tactics that these fraudsters are employing. Note that in the audio files, we have distorted the voice of the victim (a Pindrop employee) to protect their identity.
Findings
- Attackers are using magicJack VoIP phone numbers for consumers to “call back” as part of this attack. There is no reason to believe magicJack is in any way complicit with these attacks.
- The attackers appear to be operating out of India and are seeking approximately $5,000 per successful attack.
- The attackers are asking consumers to use GreenDot MoneyPak service to wire money to a Paypal account.
- As compared to previous attacks involving impersonation of the IRS, this attack involves much higher volumes, with complaints in excess of 10 times higher than previously seen. We estimate the number of attack calls has already likely exceeded 450,000 in March.
Setup
The fraudsters use classic call scam techniques: they use a spoofed Caller ID that looks legitimate; they use urgency and threats to keep the caller on the line and force them to act quickly; they leave behind different numbers for “call backs” and they only use these numbers for a limited time.
True to form, the IRS fraudsters made the incoming number appear to be legitimate. Occasionally, they spoof the telephone assistance service number of the IRS, 1-800-829-1040. More frequently, they call from numbers from the same area as the victim, in order to entice the victim to pick up the phone thinking that the call is from someone they know. As heard in the audio, they try hard to keep the victim on the call. And they leave behind a phone number where they can be reached, known as a “call back” number. Typically, a fraudster buys a large block of numbers from a VoIP provider to serve as these “call back” numbers.
The fraudsters are constantly decommissioning these “call back” numbers. From time to time we also see them call from these numbers directly. In order to engage with them, we first needed to identify which set of numbers was being used for this purpose and find one that had not yet been decommissioned.
Tracking the Attackers
Pindrop maintains the Pindrop Reputation database, the world’s largest collection of phone number data and activity. To identify the phone numbers being used, we mined our phone reputation service for IRS-related activity. Among the numbers used, the majority were from the magicJack service, an inexpensive, online VoIP service. The most complained-about magicJack numbers were non-toll-free numbers, for example: 202-506-9XXX. The line graph shows the number of magicJack numbers associated with IRS scams over time (the IRS is a consistent target of scams). The data clearly shows that the number of phone numbers has gone up significantly this year. Through March, we have observed 523 numbers perpetrating this scam. The total number for all of 2012 was 780. This supports the IRS’ claim that this is the “largest ever” phone fraud scam.
The number of complaints associated with these numbers has gone up even more drastically this year. Complaints exceed 2400 so far this year; for all of last year, the number of complaints we observed was 1047.
The number of phone numbers and the number of complaints are both good indicators that the number of victims being targeted has dramatically increased. To roughly estimate how many calls are being made, we assume that a call takes 5 minutes, including leaving voice mails and live conversations. That adds up to 12 calls an hour. We assume an 8 hour work day for each caller and that each caller is using one of the numbers. Therefore, each number could be making 96 calls a day. At 235 total numbers observed in March, the number of calls made could potentially be in excess of 450,000 in March.
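As an added example (not code from Pindrop or this post), the script below carries the analysis above over a small, constructed set of complaint records: distinct scam numbers per month, complaints per month, which carrier the complained-about numbers belong to, and the call-volume estimate using the post’s 5-minute, 8-hour, one-caller-per-number assumptions. The 555 exchange numbers and the 20 working days per month are assumptions; 20 days is what reproduces the post’s 450,000 figure for 235 numbers.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed complaint records in the shape the analysis needs:
# (report date, complained-about number, carrier label, complaint category).
# Numbers use the reserved 555 exchange; none of them is a real scam number.
COMPLAINTS = [
    (date(2013, 3, 2), "202-555-0101", "magicJack", "IRS"),
    (date(2013, 3, 2), "202-555-0101", "magicJack", "IRS"),
    (date(2013, 3, 4), "202-555-0102", "magicJack", "IRS"),
    (date(2013, 3, 9), "202-555-0103", "magicJack", "IRS"),
    (date(2013, 3, 11), "202-555-0103", "magicJack", "IRS"),
    (date(2013, 3, 15), "202-555-0104", "magicJack", "debt collector"),
    (date(2013, 2, 20), "202-555-0105", "magicJack", "IRS"),
    (date(2013, 2, 20), "202-555-0106", "other", "IRS"),
]

def scam_numbers_by_month(records, category="IRS"):
    """Distinct complained-about numbers per (year, month) for one scam category."""
    seen = defaultdict(set)
    for day, number, _carrier, cat in records:
        if cat == category:
            seen[(day.year, day.month)].add(number)
    return {month: len(numbers) for month, numbers in seen.items()}

def complaints_by_month(records, category="IRS"):
    """Total complaints per (year, month) for one scam category."""
    return Counter((d.year, d.month) for d, _n, _c, cat in records if cat == category)

def carrier_share(records, category="IRS"):
    """How many distinct complained-about numbers belong to each carrier."""
    numbers = {(n, c) for _d, n, c, cat in records if cat == category}
    return Counter(carrier for _n, carrier in numbers)

def estimate_monthly_calls(active_numbers, minutes_per_call=5, hours_per_day=8, working_days=20):
    """Volume estimate from the post: one caller per number, calls placed back to back.
    working_days=20 is an assumption chosen to reproduce the post's 450,000 figure."""
    calls_per_day = (60 // minutes_per_call) * hours_per_day  # 96 with the post's inputs
    return calls_per_day * active_numbers * working_days

if __name__ == "__main__":
    print("numbers per month:", scam_numbers_by_month(COMPLAINTS))
    print("complaints per month:", complaints_by_month(COMPLAINTS))
    print("carrier share:", carrier_share(COMPLAINTS))
    print("estimated March calls for 235 numbers:", estimate_monthly_calls(235))
```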
Where are the attacks coming from?
We identified a smaller set of phone numbers that our systems had indicated were still active in this scam. We then looked at what time of day these numbers are most active. We used that to maximize our chances of interacting with these fraudsters. As seen in the temporal activity graph below these fraudsters work east coast hours.
To determine whether the attackers are actually operating in the Eastern US, we analyzed the call audio with Pindrop’s phoneprinting technology, which, among other things, can determine the origin of a call based on audio artifacts. In this case, the audio analysis showed clearly and consistently that the calls originate from outside the US, most likely from India.
Using a brand-new phone, which had not been used for any other purpose, we finally called (202) 239-7034 and after a couple of attempts we were talking with the fraudsters.
Interaction
For a rare and engaging window into how phone scams work, we highly recommend listening to the audio. If you’re short on time, read the transcript. We would like to highlight a few moments that we found the most revealing about their modus operandi:
- (0:25) – They make some basic checks to determine whether the victim is someone they have interacted with previously. We suspect this gives the fraudster context to make the conversation seem real to the victim.
- (1:20) – They claim to be the “Federal Investigation Department,” a legal department working for the IRS.
- (2:05) – They do NOT target Americans. They are primarily targeting immigrants.
- (3:45) – They ask whether a third party (an accountant) files the victim’s taxes, then claim there are mistakes in the filing.
- (4:01) – The scam starts. They check whether there are any overseas transactions.
- (5:32) – They claim $5,868 in pending taxes. Our victim persona was invented, yet he supposedly already owes taxes.
- (6:10) – Threat of an arrest warrant being issued.
- (7:30) – The scammer gives his supposed name, “Steve Parker.”
- (9:35) – They claim not to accept standard payment types (debit/credit cards), only a “Tax Pay Voucher” from a “Government Store” such as Home Depot or Food Lion.
- (11:50) – They ask for the victim’s ZIP code and then name a store close to it.
- (13:30) – They settle for $2,400 in “warrant cancellation fees” when we say we only have $2,600.
- (14:20) – They try to keep the victim on the phone while he gets the money together.
- (17:20) – The call is transferred to the “accounting department,” a scammer calling himself “Brian.”
- (18:15) – They try to justify why the money has to be wired to the “restitutions” Paypal account via a prepaid card.
- (20:12) – Their card of choice is GreenDot MoneyPak.
Post-Call
After this call, the scammers made several attempts to call back throughout the night and the following morning. This was not surprising to us; the scammers probably assumed that they had almost “closed the deal” on this particular victim. However, the next afternoon, our employee received a call allegedly from GreenDot asking if he had purchased a MoneyPak card recently. The caller stated that activation was required to use the card and asked our employee to provide the number on the back, which would give the caller access to the money on the card.
This leads to some really interesting questions: Was this caller really from GreenDot? If so, how did they obtain the phone number that our employee had used, given that we had just acquired this phone and not disclosed its number anywhere? If the caller was not from GreenDot, is this just another play on part of the scammers to obtain the money on the card?
We continue to investigate this attack and monitor these attackers.
Peter Casanova, Raj Bandyopadhyay, Vijay Balasubramaniyan