Spoofing A Phone Number is So Easy for Fraudsters. I Did it In 3 Minutes.

Matching ANI (when the phone number a customer called in from matched the phone number listed on their account) used to be the Holy Grail of customer authentication for banks. In retrospect that may sound a little naive, but I mean, if you called in from the same phone number that you opened the account with, it had to be you, right?

That might have been the case 15 years ago, but not anymore. Matching ANI is about as dependable as the cable company arriving to install your cable when they told you they would. It's just not dependable at all.

Caller ID Spoofing For Sale, The Fraudster's Dream Software

Caller ID Spoofing has rendered matching-ANI authentication systems utterly useless. And the software is available on many different sites across the internet, so virtually anyone can use it at any time for pennies.

Caller ID Spoofing is special software that makes the telephone network display a fake number other than the number that you are calling from. It renders most ANI matching authentication systems useless, forcing banks to change their processes or get hit hard by the fraudsters.

There are many different sites out there that offer caller id spoofing.  They market the solution as a way to “prank your friends” or as a way to “keep your privacy”.

[Image: 3 of the most popular spoof call sites]

Fraudsters, however, are using it for very different ends. They use it to fool banks and take over consumers' bank accounts.

It is Illegal!

In many countries (including the US) spoofing caller id “with the intent to defraud, cause harm, or wrongfully obtain anything of value” is absolutely illegal and the crooks can be prosecuted.

But that doesn't stop legitimate companies from trying to find loopholes. For example, the New York Times used to spoof their outgoing phone calls with the number 111-111-1111 so that the reporters' phone numbers would not appear on their "anonymous sources" call logs. They intentionally masked the phone number to avoid disclosing sources. They abandoned the practice as the US cracked down on call spoofing.

How Does Caller Id Spoofing Work?

Caller ID Spoofing really caught on in about 2004 with the launch of the first service, called Star38.com, which allowed you to make spoof calls from a web interface. Many companies and websites started offering the services to consumers from there.

The first famous case of Caller ID spoofing was Paris Hilton back in 2006 when she allegedly used it to break into a voicemail system that used CallerID as the authentication method.


Wikipedia has a pretty good page that explains how it all works, which you can read here – Caller ID Spoofing. In a nutshell though, Caller ID is spoofed in 3 primary ways.

  1. VOIP (Voice over IP) – Using a web interface that the caller can configure. The user chooses the phone number that they want to call and the phone number that they want to appear to be calling from. They can also configure the voice pitch and background sounds to make the call sound more legitimate.
  2. PRI (Primary Rate Interface Lines) – Basically similar to VOIP but using T1 lines and ISDN lines.
  3. PrePaid Calling Plans Through Service Providers – Using a PIN number, the fraudster or consumer dials a line owned by the service provider, and then the service provider forwards the call using a masked number. These services can often add background noise to make the calls sound more legitimate.

How the Spoof Works with VOIP. You pay for credits. Then you can configure the call any way that you like, including masking your voice. It's a fraudster's dream.


What Types of Scams Do These Fraudsters Do with Spoofing?

Caller ID Spoofing opened up the doors to so many fraud scams.  Some of those scams include:

Account Takeover and Phishing – Where fraudsters call in to the bank spoofing a real customer's phone number and social engineer the customer service associate to make them believe they are the real customer. The end result is your bank account is drained in minutes.

GrandParent Scams – Scammers use the software to pretend that they are the grandchild saying they are in trouble and need money wired.   9 times out of 10 the elderly grandparents fall for it.

Collection Call Scams – When the fraudsters pretend they are calling from a Payday lender and advising unknowing borrowers to wire transfer money to crooks rather than paying their accounts.

Phish your Bank Details – When fraudsters impersonate your bank’s phone number to call you and then get key banking details from you so they can drain the money from your account.

Police Impersonation – When fraudsters spoof police department phone numbers to threaten or get personal information from unsuspecting victims.

The degree and number of scams are endless and fraudsters are constantly thinking of new and bizarre ways to scam unsuspecting consumers and banks.

How Hard is It To Do?

It is remarkably simple to spoof a call. To test it out I tried it. It took me about 3 minutes to get set up and within that time I was able to call about every phone in the US from any phone number that I could think of.

I could mask my voice.

I could add background noise.

I could potentially fool anyone into giving me any information if I knew how to do it like a true scammer.  I was amazed at how easy it was.

Do you want to see a video I made on how easy it is to do?  Just click on the link below.

Recommendations for Dealing with Spoofing Software

For banks there are some recommendations I usually have for dealing with this problem.

First – Update your authentication programs to not rely purely on Matching ANI to confirm a customer’s identity.  It’s been at least 7 years since that has been a reliable mechanism. Surprisingly though, most banks still rely on matching ANI to activate cards for customers.  This is a mistake, particularly now that CHIP and PIN is pushing fraudsters to steal cards out of the mail.

Second – Instant callback. One way to bypass Caller ID spoofing is to call the customer back at the phone number listed on the account. Since the fraudster is not actually calling from that phone number, you will reach the true customer and can prevent the fraud.

Third – Use services like Trapcall. Trapcall costs $4.99 a month and allows you to decline calls, and the call rings back to the true number the person was calling from. Trapcall is primarily for consumers and not banks, but it works.

Software like Trapcall helps consumers stop fraud calls to their phone numbers.


Fourth – PinDrop is a great industry-based solution that can detect social engineering through sophisticated algorithms that track the patterns of sounds on the phone calls. I am going to write a showcase on the company because they are taking the industry by storm right now, due in part to these types of caller ID spoofing scams.
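To make the first two recommendations concrete, here is an added sketch (not from the original post or any bank's system) of a call-center policy that treats a matching ANI as a hint only and forces a callback to the number on file for high-risk requests. The action names, factor counts and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
import re


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # ask for more independent factors
    CALLBACK = "callback"  # hang up and dial the number on file


# Assumed action tiers and factor thresholds, for illustration only.
HIGH_RISK = {"activate_card", "wire_transfer", "change_phone"}


@dataclass
class Call:
    ani: str                 # number the network presented (caller-controlled)
    number_on_file: str
    action: str
    factors_passed: int = 0  # independent checks passed, e.g. PIN or OTP


def normalize(number: str) -> str:
    """Keep the last 10 digits so differently formatted US numbers compare equal."""
    return re.sub(r"\D", "", number)[-10:]


def ani_matches(call: Call) -> bool:
    return normalize(call.ani) == normalize(call.number_on_file)


def legacy_policy(call: Call) -> Decision:
    """The 'before': a matching ANI alone authenticates the caller."""
    return Decision.ALLOW if ani_matches(call) else Decision.STEP_UP


def hardened_policy(call: Call) -> Decision:
    """ANI can raise suspicion but can never satisfy authentication by itself."""
    if call.action in HIGH_RISK:
        # A spoofed ANI matches by construction, so the match is ignored here.
        # Without two independent factors, verify out of band by calling back.
        return Decision.ALLOW if call.factors_passed >= 2 else Decision.CALLBACK
    # Low-risk actions: a mismatch costs the caller one extra factor.
    required = 1 if ani_matches(call) else 2
    return Decision.ALLOW if call.factors_passed >= required else Decision.STEP_UP
```
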

Thanks for Reading

Thanks for checking out the blog.  Remember you can drop me a note and tell me if you have any thoughts on this subject. I always love hearing from people!

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California