I-Ching Wang | Senior Director, Engineering
It is widely discussed that cyber criminals look for the easiest way to maximize profit. They are also keen to capitalize on the most vulnerable and to exploit crises, such as during the pandemic or political instability. One of their favorite targets is the older generation. Financially motivated criminals take advantage of the pervasiveness of technology and the lack of sufficient insight to manipulate feelings and emotions and perhaps get away with hundreds of thousands of dollars per victim. To achieve their nefarious goals, criminals use a tactic known as call spoofing, which is becoming more successful with the use of Artificial Intelligence (AI).
What is call spoofing?
Call spoofing exploits a feature of Voice over IP (VoIP) telephony, caller ID.
Spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Scammers often use two tactics:
- Neighbor spoofing so that the incoming call appears to be coming from a local number, or even family or friends.
- Spoofing a number from a company or a government agency you may already know and trust. Favorite spoofed companies are telco providers and banks.
If an unsuspecting person answers, the fraudsters use scam scripts to attempt to steal money or valuable personal information, such as login credentials, which can be used in other fraudulent activities.
Calls with spoofed numbers can and do come from all over the world and account for a significant and growing proportion of nuisance calls., which is why Ofcom, FCC, and Australian Communications and Media Authority (ACMA) are working with international regulators and involved industries – telecoms and finance – to solve the problem.
How does it work?
The popular show 60 Minutes aired an episode with Rachel Tobac, an ethical hacker and CEO of Social Proof, to demonstrate how easy it is to use the information found online to scam someone. The show presenter asked Tobac to target an unsuspecting colleague.
Tobac found the employee's cell phone number on a business networking website and set up an interview. They called the employee using an AI-powered app to mimic the voice of the show presenter and asked for her passport number.
Tobac used a call spoofing tool to call the employee masquerading as the presenter. She also used televised clips found online to clone the journalist’s voice with the help of an AI-powered app. “It took me about five minutes,” said Tobac.
What is the impact?
If a journalist is a public person and could be easily spoofed, the hard truth is that attackers can spoof anybody, using the very voices of people they know. They use publicly available information to understand the relationships between people, and then they can impersonate any person by changing the pitch and modulation of their voice.
Voice scams are primarily successful with older people, as another episode of 60 Minutes Australia demonstrated. Call spoofing has become a “scamdemic,” costing billions of dollars annually. And that’s just the reported cases.
Criminals no longer need to infiltrate computers through the back door. According to 60 Minutes, 95% of scams today happen after a user clicks on a text or a link or gives personal information over the phone. Fraudsters armed with basic information like a relative's name found online and an app that can mimic a voice or change the caller ID can create a convincing story.
Handy tips for protection
Call spoofing is an issue that requires a systemic approach, and you cannot simply blame online platforms, banks, or telcos for the growth of the threat. Professionals from all involved industries agree that, for a start, governments must make sure any new legislation is fit for a digital world.
Once a legislative framework is there, telcos can have more flexibility to drive down SMS fraud scams and fake phone calls. At the same time, banks can also take action to strengthen the process of validating their customers’ identities.
Multi-factor authentication should be a prerequisite for every account and online transaction. Besides being a requirement in the PCI DSS 4.0 standard and the PSD2 directive in the EU, it is a strong recommendation from all national and international cybersecurity agencies (i.e., CISA, NCSC, ACSC, ENISA, etc.).
The goal behind these authentication controls is to add some friction to the transaction process, shifting the balance a bit toward security. In real-time online payments, actions are performed quickly. By placing some roadblocks, such as strong customer authentication using MFA, we can slow down the process to allow room for more checking both on the banks and customer’s sides.
These blocks present an additional advantage, making the criminals “burn more calories per dollar”. As this increases their cost for return on investment, chances are that the call spoofing phenomenon will reduce, alongside the number of victims.
On the customer side, organizations offer handy advice on what to do and not do if they receive a spoofed call. As Rachel Tobac put it, the bottom line is to “be politely paranoid.” If you receive a phone call, a text message, or an email, and it's asking for something sensitive, urgent, or with fear, that's when the alarm bells have to go off in your head. Hang up and check that this person is who they say they are.
Learn more about Thales’ access management and authentication solutions, or speak to one of our data protection experts for solutions to satisfy every scenario and help minimize the impact of call spoofing.