Naked Security

US government securities watchdog spoofed by investment scammers – don’t fall for it!

Those numbers that show up on your phone to tell you who's calling? Treat them as SUGGESTIONS, never as PROOF.

The US Securities and Exchange Commission (SEC) has issued numerous warnings over the years about fraudsters attempting to adopt the identity of SEC officials, including by phone call spoofing.

Call spoofing is where a scammer calls you up on your landline or mobile phone, claims to be from organisation X, and then reassures you by saying, “If you don’t believe me, check the number I’m calling from.”

Lo and behold, when you do, the Caller ID (as it’s known in North America) or Calling Line Identification (CLI, a term used elsewhere in the world) says that the call is coming from X’s official number.

Proof… except that it isn’t!

The problem here is that the jargon terms Caller ID and CLI are misnomers, because the technology identifies neither the caller themselves nor the phone line that the caller is using.

It’s a suggestion, not a fact

Identifying the actual caller is as good as impossible in the case of a regular landline or mobile call, because the phone (or the phone system) has no reliable way of identifying the person who dialled the call in the first place, or who is speaking into the microphone.

And even identifying the phone number of the calling line is troublesome, because the Caller ID data that’s decoded and displayed on your device is unauthenticated, and therefore unauthenticatable.

If it can’t be authenticated, then it’s not really any sort of identification at all.

In fact, anyone who knows the necessary techniques can inject pretty much any number they like into the call signalling process, and thus can cause almost any number they like to show up before you answer.

As it happens, altering the Caller ID to give a completely different number when you place a call is still legal, and considered useful, in many countries.

For example, you might want to call someone from a call centre (where they wouldn’t be able to return the call to the individual employee’s extension anyway), but to show up on their phone with a toll-free number or a central switchboard number for any return calls.

In short, you need to think of Caller ID or CLI as being no more reliable, and no more precise, than the return address on the back of a snail-mail letter, the choice of which is entirely up to the sender.

In other words, if Caller ID says the call isn’t from someone you expect, it’s OK to decide you are not going to trust it.

But that doesn’t work the other way around: just because it seems to come from someone you do expect, it’s not OK to trust it.

(You may want to read the last two sentences twice each.)

Now targeting cryptocurrency investors

Well, the SEC has recently re-iterated its warning about spoofed phone calls, thanks to investment scammers using the SEC’s “phone identity” to trick people into believing that the caller actually represents the SEC.

As you’ve probably guessed, today’s scammers are often focusing on the hot topic of the day, cryptocurrencies, claiming to be SEC officials who are doing you the favour of warning you about “fraudulent” transactions:

We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number. The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts.

[…]

SEC staff do not make unsolicited communications – including phone calls, voicemail messages, or emails – asking for payments related to enforcement actions, offering to confirm trades, or seeking detailed personal and financial information. Be skeptical if you are contacted by someone claiming to be from the SEC and asking about your shareholdings, account numbers, PIN numbers, passwords, or other information that may be used to access your financial accounts.

We’ve also had Naked Security readers report to us that they’ve had similar scam calls in the UK, where the calls came up with their own bank’s real number, and the crooks (unsurprisingly) opened the call by “identifying” themselves as working for the bank.

Unearned trust

Unfortunately, it’s easy, and very handy, to get in the habit of trusting, or at least relying on, the Caller ID number that shows up.

We know someone who recently had a coronavirus outbreak at home (one of the kids caught the virus at school, so all the family ended up infectious at the same time), and therefore got caught up in a mini-pingdemic all of their own.

Everyone in the household got Track-and-Trace calls triggered by everyone else in the household…

…so the fact that a “Track-and-Trace” Caller ID popped up before they answered each call turned out to be very useful, because they knew – or assumed that they knew – what to expect.

But they admitted, afterwards, that the effect of this was to “teach” them all (or perhaps “innocently misdirect them” is a better term) to trust those incoming caller numbers more than they had been inclined to do so before.

What to do?

Here’s a simple approach: treat Caller ID names or numbers like those unwanted weather icons that your phone insists on showing you, even when you’re already outside.

Often they’re right, or partly right; sometimes they’re wrong, and even badly wrong; but they are never definitive.

If you see an icon showing rainclouds, you might as well take your umbrella, on the grounds that if the sun comes out instead, you can at least use it as a parasol.

But never leave your umbrella behind merely because you see an icon of a shining sun: that icon is a suggestion; it’s not proof of anything.

Most importantly, if any caller ever invites you to look at the Caller ID number as evidence of their truthfulness…

you can be 100% certain, right away, that they are lying. (We recommend that you simply end the call at once, without a further word.)

If you need to contact an organisation by phone, find your own way there, for example by using a number:

  • From a trustworthy document such as the back of your credit card,
  • In the letter you got when you signed up for the service, or
  • As displayed inside one of the branches or offices of the company itself, if there is one near you.

(We snapped a photo of the various official helpline numbers of our bank from a sign in a nearby branch, after asking one of the uniformed staff inside the branch if the information was current.)

And, remember our overarching anti-scammer advice to protect your personal information: if in doubt, don’t give it out.