Phone Spoofing – Yes, It Can Happen to You

The Computer Corner - May 2018

Recently a member of our Sangat told me he had been receiving phone calls from people he did not know asking him to stop calling them. Of course, he hadn’t called any of them. So, what happened?

Not so long ago, he told me that he had received a phone call on his smartphone in which the caller said that they were calling him back. He politely let the caller know that he hadn’t called them, and then came another… and another. Each one said that they had received a call from his mobile number and that the caller hadn’t left them a message. All told, he received about a call a day for about a week. He asked me if I had any idea what was going on. I said it sounded like phone spoofing.

How It Works

Spoofing is effectively falsifying a piece of identifying information, like a bogus return email address. “Phone spoofing” relates to the number that shows up on caller ID. It’s used to trick people into picking up calls they otherwise wouldn’t (and get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, Attorneys General in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically-challenged telemarketers, debt collectors and/or scammers. And, as with most sketchy callers, they don’t leave a message. If the recipients are curious, all they need to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim, though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the United States from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value….” It also includes penalties of up to $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the United States, it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: the FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses upon actions taken against the recipient of the call (as opposed to the real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you must. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do If It Does Happen to You

For starters, you can file a complaint with the FCC.

While it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

"No Talk" Phone Scams

Most telephone scammers rely on talk, getting you to pick up the phone so they can give their impersonations of IRS agents, noble fundraisers, tech-support saviors or grandkids in need. But with a new breed of telephone fraudsters, sometimes you don’t even need to say "Hello" to get ripped off. Here’s how some of these crooks may target you.

Call Center Fraud

There are scam artists who spend hours calling the customer service centers of banks, insurance companies and other institutions, posing as people like you, to try to access accounts. These crimes have more than doubled in the past year. “That’s because reps only ask a couple of simple authentication questions — maybe your mother’s maiden name or your Social Security number — before you can transfer money or do whatever,” explains Ken Shuman of Pindrop, a company that provides antifraud services to call centers.

Scammers start by assembling information on you, stolen in data breaches, purchased on the “dark web” or gleaned with a simple Google search. Then, working from boiler rooms (often overseas), they spend all day phoning different call centers to determine if you have accounts with those companies. With your data in hand, they can often answer the authentication questions that call centers ask.

ATM PINs are especially prized — and vulnerable, adds Shuman. He notes that there are only 10,000 possible combinations for a four-digit PIN. Unless a bank’s system blocks calls after several tries — and some don’t — there are scammers who call back 150 times a day, trying different PINs until they get it right. Then they immediately log in as you, change your PIN and take over your account.

Smartphone Swindles

An ever-growing segment of the 20 billion text messages sent each day are attempts at defrauding people through “smishing” (a word that combines the SMS technology that sends text messages and phishing, a ploy to coax confidential information out of you). Typically, a scam texter will fake a problem with one of your financial accounts and ask you for data. Or they might pitch low-cost mortgages or credit cards or promise free gift cards. If you respond by texting back confidential personal information, your identity may be stolen. Millions of these smishing texts can be launched simultaneously. 

Your best defense is to be stingy with your phone number. Scam texts may result if you provide it to contests, say, or businesses. Mobile apps can also be to blame. When you install them, the fine print in the user agreement may grant permission to the app’s developer to use or sell your phone number and sometimes even the numbers of your contacts. In one recently popular scheme, scammers get your contacts from mobile apps, then text you posing as people you know to seek money or ID-theft-worthy information, says Jonathan Sasse, marketing executive at First Orion, a digital security firm that provides the mobile app PrivacyStar.

One more important tip: Never follow a text’s instructions to push a designated key to opt out of future messages. Instead, forward the questionable text to short code 7726, so cellphone carriers can block that sender. You can further bolster defenses against mobile scams — which have quadrupled in the past two years — with call-blocking apps such as Hiya, Truecaller, NoMoRobo and PrivacyStar. I personally use Hiya, which does a very good job of catching scam calls. After you download the "Hiya" app from the app store, you must enable it in your phone's settings.

Curiosity Cons

Knowing that you are likely to ignore unrecognized or private numbers on caller ID, today’s crooks use software that allows them to display fake numbers that are hard to resist. Here are some variations.

  • The neighbor ploy: Your area code and prefix are displayed, so the call appears to be from a neighbor or nearby business. “Fewer people are comfortable blocking local numbers, increasing scammers’ success rates,” notes Jonathan Nelson of Hiya. And the fake number makes it hard for law enforcement to track.
  • The “Hey, there’s a call from my own phone number” scam: It’s hard to resist answering a call from your own number, which scammers can simulate. And they can get around any call blocking that you’ve set up.
  • The one-ring rip-off: Criminals sometimes program auto-dialers to make repeated calls to you, each disconnecting after just one ring. They know this might spur you into calling back the displayed number to complain. There’s double trouble if you call area codes such as 268, 664 and 876. These are for Caribbean countries and other places that have high per-minute phone charges. One scam involves getting you to call one of those numbers, then getting you to hold through transfers that rack up your bill until a scammer gets on the line and starts a fraudulent pitch.

You can help make this column better by sharing your topic suggestions, tips or experiences you have had with your own tech with the Sangat through this column in our Ashram newsletter. Email me and tell me your story, and keep sending me your suggestions for column topics, along with your own favorite smartphone app recommendations and reviews so I can share them here. Just email them to me at [email protected]  
