As regular readers will know, we write up real-world scams fairly frequently on Naked Security.
Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.
This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.
We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.
Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armour – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.
But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.
You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.
You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.
But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.
If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.
That’s why we’ve regularly written this year about SMS smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.
(Watch directly on YouTube if the video won’t play here.)
Well, guess what?
There are still plenty of even older-school crooks who use a scamming technique called vishing, short for voice phishing.
We last wrote about vishing back in September 2020, when we and other Naked Security readers in the UK began receiving a burst of automated, unwanted voice calls that were clearly designed to get our attention whether we answered them live or listened to them later via voicemail.
The vishing scams we wrote about back then concentrated on home deliveries, something that’s important in the lifestyles of many of us these days, thanks to restrictions on movement due to coronavirus concerns:
Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.
Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.
The latest batch of automated vishing that's been reported to us claims to related to taxes and taxation, a theme that the crooks have been exploiting for years.
Interestingly, the tax office in the UK, known as HMRC (Her Majesty’s Revenue and Customs), recently emailed millions of taxpayers with a genuine – and, admittedly, unsuspicious – message to remind taxpayers all that there were just 100 days left until the cutoff for 2019/2020 electronic tax filing.
We don’t know whether the crooks deliberately timed their vishing to overlap with this official email blast or not, or if it was a coincidence.
This scam was a synthetic voice that said, in tones best described as polite but not gentle:
This is extremely time sensitive. This is officer Dennis Grey from HM Revenue and Customs. The hotline to my division is: 020X YYY ZZZZ. I repeat, it is: 020X YYY ZZZZ.
Do not disregard this message, and call us back. If you do not call us back, or we do not hear from your solicitor either, then get ready to face the legal consequences.
Goodbye and take care.
The phone number in the message was the same as the one showed up as the caller’s number.
The “hotline” given above really is a UK landline number: 020 is the dialling code for London, and although London numbers are correctly written and read out in 3-4-4 form (i.e. 020 [pause] YYYY [pause] ZZZZ), it’s common to hear people breaking them up in a more American style, using a 4-3-4 format to speak them aloud.
Of course, calling the number back (we didn’t try, and we recommend you don’t either!) is unlikely to connect you to a subscriber in London, or even in the UK.
You can bet your boots that you’ll end up talking to someone in a “boiler-room” call centre (so-called because the heat is always on and the pressure is high), somewhere outside UK jurisdiction.
Why it works
As much as you’re probably thinking, “But I’d never get suckered by one of these,” the sad things about this sort of scam are:
- The crooks use internet telephony (VoiP), so they pay close to zero for the calls.
- The calls show up with a local number.
- Synthetic voices are widely used by these days, so they no longer sound suspicious.
- The call centre crooks criminals only ever deal with people who are already frightened enough to call back, making their scamming process more efficient.
- The calls are hard to avoid, especially if they arrive on a line kept for friends and family.
- The incoming call numbers change all the time, so they are hard to block.
- Reporting them feels like a waste of time, because the callers aren’t in your country.
- Vulnerable people, including the lonely and elderly, are most likely to be affected.
The last point above, by the way, is why we headlined this article, “Friends don’t let friends get vished.”
Make sure you’re available for vulnerable friends or relatives to talk to if they get one of these calls – you might like to give them a card with your number written on it so they can call you first without relying on any numbers given to them by someone else.
What to do?
Never let yourself get suckered, surprised or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty.
It doesn’t matter where the call claims to originate.
Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station or the lottery company.
Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.
Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record.
Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on.
Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.
And don’t be deceived because you receive a phone call or SMS from a number that looks correct.
The caller’s number that shows up on your phone is insecure, and can be faked or spoofed. (Indeed, Oftel, the UK telephone regulator, has its own advice about “number spoofing” and how to report it.)
The apparent cybersecurity value we put on our phone’s incoming number display is not helped by the fact that in the US it’s known by the trustworthy-sounding name of Caller ID, even though it identifies the line and not the caller. In the UK and other Commonwealth countries, it’s referred to as CLI, short for calling line identification, even though it doesn’t reliably identify the incoming line anyway. CLI is at best an indicator, not an identifier.
Calling back the number you were called on to ask if a call was truthful serves no cybersecurity purpose at all.
After all, if the call or message is true, the reply you will receive will be truthful and will say, “It’s true.”
But if the call or message is false, the reply you will receive will be a lie, and will also say, “It’s true.”
So, calling back gets you nowhere.
Friends don’t let friends get vished
If you have any friends or relatives whom you think might be vulnerable to this sort of call, perhaps because they are easily intimidated by people who pretend to be in a position of authority, let them know to ask you first before replying.
If in doubt, don’t give it out – just hang up the phone.
Philip Le Riche
Yesterday I got an SMS saying:
24760 is your Curve verification code.
I don’t use Curve (some kind if dynamic credit card I believe) and never have. The originating number was just 5 digits. If this was a scam I don’t see what it was intended to achieve. It seems unlikely someone was genuinely setting up a Curve account and mistyped their phone number turning it into mine.
Paul Ducklin
5-digit “shortcodes” for SMSes are quite common for businesses to use.
Assuming this was a real SMS from Curve, it’s not impossible that someone mistyped their own phone number while setting up 2FA. In that case, you would get the message (but the code would be useless to you) and they wouldn’t (so they wouldn’t actually be able to activate 2FA in the first place).
Assuming they tried again with the right number, they’d get the code the second time, which would serve to confirm it was OK to enable 2FA, whereafter all the 2FA messages would go to them. So you’d see one message and no more…
J
I got the same thing today at 3am. That’s how I ended up on this site.
Mark
Sorry to say that although it is a very important subject but the article is too long to get to the point and it gets very boring to read all of it. I left and jumped in to another article almost to the middle of this one.
Paul Ducklin
If you read half of this one and then a different one half the length of this…
…you might as well simply have finished reading this one, for twice the information :-)
Jay
@Paul Well said:)
Arif
Hi I got a text message last night from curve sending me a verification code twice, one was sent at 4.43am and the other 4.47am there wasn’t a number it just said curve on the place were the number is meant to show. My question is is this some sort of scam, how will it work and what will they aclomplish with this tactic. Look forward to hearing from you. Thank you.
Paul Ducklin
Why not check your Curve account (assuming you have one) by logging in as you usually do, and check for rogue transactions or for attempted logins that failed? (If there are suspicious login attempts then I suggest you change your password.) If you don’t have a Curve account then perhaps someone else tried to add your phone number as the destination for their security codes – in which case they won’t have received the codes themselves and they won’t accomplish anything.
Thomas
Hi Paul,
Funnily enough. I received the same text messages as Arif at the exact same times this morning (4:43am and 4:47am).
I do not have a curve account and have been unable to find out what this is but believe it is linked to crypto currency as I also received an account verification message on this too.
I tried to report this to my mobile provider but they have no identification of the business and therefore I am at a bit of a loose end as to what to do next.
Emma
I had the same message from Curve at 04:45 and 04:59 on 29/12 – I don’t have an account with them 🤷♀️