Phone Fraud is Real and Raking in Millions

April 14, 2017

While social engineering comes in many forms, over the past two years phone fraud has seen a steady rise, with some organizations reporting more than a 30% increase in attacks. Social engineering via the phone offers many advantages to criminals because of the limited technical resources required, the low risk of capture if detected and the ease with which these attacks can be performed.

Most organizations have set policies designed to prevent employees from falling victim to phone fraud. The problem is that these policies are often the same for all organizations, and over time criminals have become aware of how these policies work and are finding new ways to succeed through loopholes in them. In addition, the types of attacks themselves are changing, making it more difficult for employees to detect fraudulent activity based on the policies implemented by the organization. This is why it is so important that employees not only follow the policies of the organization but also use their own intuition when speaking with people on the phone.

Often when a customer calls into an organization they will provide their name and then the employee will ask additional verification questions to confirm the person is who they say they are. Unfortunately many of the verification questions, such as mother’s maiden name, first pet’s name, favorite color, favorite teacher in school, etc., can often be discovered through social media sites. In addition, databases are for sale on the dark web that contain thousands of people and their associated verification answers, including the last four digits of their social security number. Generally this information has been gained through previous phishing attacks.

Another form of verification often used to confirm the identity of the caller is caller ID. Many automated systems will check the phone number of the caller automatically and flag the user as verified when they are connected to the employee. While caller ID does help in the verification process, criminals now have access to online services that, for a small fee, allow them to change their caller ID to any number they choose. This in turn makes caller ID validation only a layer of security and not a guaranteed verification.

Because it has become so difficult for an employee to guarantee the caller is who they claim to be, even when all policies are properly followed, it is up to the employee to watch for suspicious activity while talking with the caller. First, don’t assume the caller will sound nervous, have an accent or act suspicious. Criminals making these calls are often very experienced and will sound just like every other customer calling in. Instead pay attention to the requests of the caller. One of the most common steps a criminal will take is the request to change their contact information. This will include their home address, phone number and email address. Account takeovers often start with the criminal changing this information to allow them to control all correspondence going forward. While these changes may be valid, it is also potentially suspicious and depending on your organization, other verification steps may be required before you should continue.

If your organization is a financial institution, does the caller ask for their balance, want to transfer funds, add additional people to their account, or receive new credit card services? Again, while all possibly legitimate requests, when coupled with a change of address or other odd behavior, it could be a red flag. Often something as simple as additional verification by asking the customer to name any recent check written or payment made can help confirm the caller is legitimate.

In some cases your organization may hold confidential information about your customers and the criminal calling in is looking to gain access to this information. A customer calling in and asking you to provide them with their social security number, account numbers, driver’s license number or other confidential information should definitely raise your suspicions. While the caller may have passed the initial verification screening, additional follow-up may be required before proceeding with giving out this information. Check with your company policies, as many organizations will not allow you to ever provide some or all of this information over the phone.
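The warning signs described above can be turned into a simple step-up rule for a call handling system. The following is an added example, not code from the original article; the session fields, request names and point values are constructed for illustration, and the one firm rule it encodes is the article's own: caller ID and verification answers reduce risk but never prove identity.

```python
# Added example, not from the original article: a rule set that turns the
# warning signs above into a step-up-verification decision for one call.
# Field names, request names and the point values are constructed.

CONTACT_CHANGES = {"change_address", "change_phone", "change_email"}
FINANCIAL = {"balance_inquiry", "transfer_funds", "add_account_holder", "new_card"}
DISCLOSURES = {"disclose_ssn", "disclose_account_number", "disclose_license"}

def assess_call(session):
    """Return (risk, reasons, action) for a call session dict with keys
    caller_id_matched, kba_passed and requests (names made during the call)."""
    requests = set(session.get("requests", []))
    risk, reasons = 0, []
    # Caller ID and knowledge-based answers are layers, not proof: passing
    # them only avoids adding risk, since both can be spoofed or bought.
    if not session.get("caller_id_matched", False):
        risk += 1
        reasons.append("caller ID not matched")
    if not session.get("kba_passed", False):
        risk += 2
        reasons.append("verification questions failed")

    changes = requests & CONTACT_CHANGES
    if changes:
        risk += 2
        reasons.append("contact details changed: " + ", ".join(sorted(changes)))
        if requests & FINANCIAL:
            # Contact change plus money movement is the takeover pattern.
            risk += 3
            reasons.append("financial request after contact change")

    if requests & DISCLOSURES:
        # Reading out SSN/account numbers is usually barred by policy outright.
        risk += 4
        reasons.append("caller asked the agent to read out confidential data")

    if risk >= 5:
        action = "stop and escalate"
    elif risk >= 2:
        action = "step-up verification (e.g. name a recent check or payment)"
    else:
        action = "proceed"
    return risk, reasons, action

# Constructed sessions: a routine balance call and a takeover-style call.
ROUTINE = {"caller_id_matched": True, "kba_passed": True,
           "requests": ["balance_inquiry"]}
TAKEOVER = {"caller_id_matched": True, "kba_passed": True,
            "requests": ["change_email", "change_phone", "transfer_funds"]}
```

Note that TAKEOVER passes both caller ID and the verification questions yet still ends in escalation, which is the point of the article: the request pattern, not the screening, is what gives the call away.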

Another trick criminals use when calling organizations is to pretend to work for a vendor that the organization does business with. By using this relationship they hope to bypass some of the security policies implemented in the organization. For example, a caller may pretend to work for an IT company that is partnered with the organization. Using this business relationship they may explain they are working on a networking issue and ask for login credentials, network information or even remote access to the employee’s computer. In many cases they will mention other employee names, such as management in the organization they claim to have been working with, to help lend credibility to their call. As you read this you may think it seems ridiculous that anyone would fall victim to that type of attack, but when a call like this takes place it is often far less obvious than you would think. That is why it is so important to always keep your guard up and remain suspicious of any incoming call.

Phone fraud is real and criminals are adapting to security policies put into place to detect them. As with most types of social engineering attacks, the goal of these criminals is to get you to act quickly without having time to thoroughly think about the actions requested. Your job is to pay attention to the small things and whenever you have any doubt, stop. Take a little extra time to think through the situation and when in doubt get help.

© Copyright 2017 Stickley on Security