Phone scams, where a person or a computer calls you up and tries to trick you into saying, buying or doing something you later regret, are still a prevalent sort of cybercrime.
We’ve certainly had our fair share of them recently, sometimes clocking up several fake calls a day.
(We can’t tell whether that’s because we recently got a new phone number, or because cybercriminals have stepped up the number of scam calls during coronavirus lockdown, or both.)
What we have noticed is that most of the scam calls we’re getting these days are automated, and that the calls themselves – just like phishing emails that are trying to cajole you into taking the next step by yourself – are merely calls-to-action, not full-on sales pitches in their own right.
Sure, we still get plenty of cold-calling scammers who phone up in person, wade straight in and try to deceive us – common themes at the moment include:
- Providing fake technical support for a non-existent “computer virus” on our home network. Here, the crooks go straight to work trying to get us to give them remote access to our computer as well as to hand over credit card details to pay for fake “work” that doesn’t need carrying out.
- Offering fraudulent “good news” about a free care package for our heating system. This one seems to be a ruse to acquire personal details relating to existing utility accounts, information that is undoubtedly useful to criminals interested in identity theft.
- Warning about problematic home insulation that “could be dangerous”. In this scam, the crooks are clearly angling for an invitation to send someone round to snoop on the property, passing themselves off as official or at least authorised “inspectors”.
But a significant majority of the phone scams we’re getting these days are what’s usually referred to as “vishing”, short for voice phishing or voicemail phishing.
Here, the criminals use automated techniques that seem to recite a message directly if they think a human has answered the phone, or to wait until the right moment to leave a message if they decide they’re through to voicemail.
Note that for the vast majority of recent fraudulent calls we’ve received here in the UK, the caller’s number has shown up as a UK landline, typically with a dialling code in one of England’s major metro areas.
Those calls that weren’t from landlines have all shown up as UK mobile phones – not one of them has been “Unknown” or obviously from overseas.
Why voicemail?
The theory behind recognising and reacting to voicemail prompts is obvious: many people understandably refuse to answer calls from numbers they don’t know, and program them to go through to voicemail automatically.
By leaving automated messages in the same way that many legitimate companies do, such as taxi-booking firms, the criminals avoid having to get involved personally at the start.
This not only saves the crooks time, but also – by asking you to make a voicemail choice such as pressing 1
or staying on the line – pre-selects those people who haven’t figured out right away that it’s a scam.
In other words, the crooks have converted what used to be a time-intensive process of cold calling thousands of people into a largely automated system where only those who are already apparently receptive to the scam end up on a call.
It also means that the criminals can use the same sort of synthetic voice technology that legitimate companies do for their “recorded” messages, coming across with an official-sounding voice, typically speaking clearly enunciated English with a local accent.
Of course, the crooks still rely on giving their automated voices a script to recite, so the messages are sometimes – though not always – obviously rogue calls because of the incongruity of a perfectly accented “local speaker” making unlikely grammatical errors.
Two-in-one
In one recent vishing scam we received, the crooks, fortunately, made a triple blunder: their messaging system kicked off too early, misrecognising the end of our voicemail message in a way that no human caller would do; their message included peculiar grammatical errors; and they accidentally unleashed two scams in one message.
Amusingly, if you can call it that, we received half of a fraud warning message in the voice of a woman speaking British English in an accent that you will hear referred to variously as “RP” (received pronunciation), General English, or South East Midlands.
Then, after a short pause, the voice switched to that of a cheery and upbeat man speaking in what you might call Standard American English, happily telling us that our loan had been approved:
[British female voice, calm and neutral] …worth £350 for which your Visa card attached with your Amazon account has been charged. If you would like to cancel this order, please press
1
to connect to Amazon fraud detection team, else press2
to call back to the same number.
[American male voice, upbeat and happy] Congratulations! This message is regarding your loan application, which has been approved from our company for up to $10,000. So if you are still looking for the loan, press1
now.
The ludicrous combination of two different scams was an obvious giveaway, but it’s a reminder that the crooks behind them are clearly running a global operation, simultaneously targeting people in different parts of the world, in different currencies, with differently themed messages delivered in localised accents.
What to do?
As we’ve said before, there isn’t much you can do to stop these calls being made.
As far as we know, they’re usually made from outside your country, but show up with a local number used by whichever voice-over-internet provider the criminals use, meaning that the numbers change regularly.
We’d encourage you to report the caller’s number to the relevant authorities in your country, but we accept that this may be too much effort, or require you to give away more personal information than you want, in some countries, so we’re not going any further than encouragement here.
We also recognise that in many countries there is not a lot that the regulators can do to clamp down on vishing criminals who operate from overseas (although if no one says anything, then there is quite literally nothing that the regulator can do because the problem remains invisible).
We've listed scam reporting advice for numerous Anglophone countries here: AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/ UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/ US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/ ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx
Our lifestyle advice on how to spot and stop cyberscammers, including those who use voice and text messaging to draw you is, is as follows:
- Don’t try. Don’t buy. Don’t reply. Memorise this easily remembered saying that the Australian cybersecurity industry came up with many years ago. It’s a neat way of reminding yourself how to deal with spammers and online charlatans:
- Don’t let yourself get sucked or seduced into talking to the scammers at all. We advise against what’s called “scambaiting” – the pastime of deliberately leading scammers on, especially over the phone, in the hope that it might be amusing to see who’s at the other end. You’re talking to a crook, so the best thing that can happen to you is nothing.
- Contact companies you know using information you already have. If you are worried about a fraudulent transaction, login to your account yourself, or call the company’s helpline yourself.
- Never rely on information provided inside an email, or read out to you in a call. Don’t return a call to a number given by the caller. If it’s a scammer, you will not only end up talking to them, but also confirm any guesses (e.g. “you applied for a loan” or “it’s about your Amazon account”) that the scammer made in the initial contact.
Hang up on unwanted voice calls; don’t return automated voicemail calls; don’t click login links in emails; and if you need to report or investigate a scam or a fraud, find your own way to the company concerned.
Mark
The technology behind CLI is decades old and with spoofing or withholding commonplace – even from some geniune organisations – it is time telecoms providers came up with a secure system which works across national boundaries.
not being scammed but still entertained
Sometimes when I’m bored I will ask the caller how they are doing in Kolkata or Hyderabad. Sometimes they will have some polite conversation to pass the time with me. It’s an innocent exchange of human interaction. While I’m always tempted to use vulgar Hindi phrases in response to their attempts at English cursing a few will simply chat. 2020, go figure.
Paul Ducklin
One problem with scammer baiting is that [a] these people probably know where you live [b] they may know a lot more about you than that (depending on how and where their criminal boss got at the database they’re using) and [c] some of them can be pretty vindictive, judging by audio recordings I’ve heard.
For an suggestion of the low regard in which these scammers hold their victims, and the apparent delight that some of them seem to get out of screwing up other people’s lives, especially if they are vulnerable, take a look here:
https://nakedsecurity.sophos.com/2020/03/04/tech-support-scammers-hacked-back-by-vigilante/
Anyway, I’m not going to judge you for chatting to them, but I nevertheless advise against it – they aren’t worth a second of your time, and the only thing you can be sure of is that they are liars and charltans.
Thomas Lewis
Thanks and keep up the good work and systems that really help
Paul Ducklin
Thanks for your kind words. We appreciate them.