Recently the Federal Trade Commission put out an alert on phone spear phishing and caller ID spoofing scams that are on the rise among consumers and companies. I imagine you experience the same relentless calls from phone numbers you don’t recognize as I do every day on my personal devices. Usually I just ignore and block the number in my phone. However, the scammers always seem to be one step ahead, using new techniques to trick you into answering that phone call.
Imagine receiving a phone call from a number that your smartphone recognizes as coming from your bank. You answer it, and the person tells you your account has some suspicious activity occurring. The caller recites the last four digits of your card and your Social Security number to you. Initially you might believe this is a legitimate call from your bank, but all the scammer has done is give you the last four digits of your personally identifiable information (PII). This is because they don’t actually have your full card number or Social Security number. After you verify that those are indeed the last four digits, they will ask you to confirm that they are talking to the right person by asking you for the identifying information they don’t have:
- Your birth date,
- Your address,
- The three-digit security code on the back of your card, and
- Maybe even your full card number or Social Security number, which they have you recite to them.
At this point you have given them enough information to steal your identity and start making purchases.
This is a combination of two schemes: phone spear phishing and caller ID spoofing. Together they are very effective in stealing identities. In fact, scammers can make the caller ID on your cell phone or work phone display the name of whatever bank they want it to show. There are reports of businesses and government employees releasing enough information about their organizations’ bank accounts, wire information and credit cards that the fraudsters can make one large purchase or wire transfer and disappear before you ever know it happened. However, if by chance you realize your mistake, you can often stop transactions within 24 hours of the scam by contacting your bank and/or the FBI and reporting the mistake.
Here comes the important call to action. To keep this from happening to you, remember: NEVER GIVE OUT ANY INFORMATION TO ANYONE WHO CALLS YOU. You should always be the one to initiate any call in which you are going to give up PII or organizational information. No legitimate bank or financial institution will ever have a problem with you calling them to verify the suspicious activity they are reporting to you. When calling back to verify activity, use a trusted phone number you have used in the past or one you obtained from your bank’s website after logging in. Odds are if someone is calling you about your bank activity, your credit cards or your tax return, it is NOT legit. Make sure to educate your employees, co-workers, spouse and kids on these scams, so they don’t fall victim.
Brian Hemmerle, CPA, CFE