Caller ID Spoofing Scams Prey on Trust to Steal Information
Caller ID or phone spoofing is a phone scam whereby callers impersonate government officials, financial institutions, or legitimate companies by using fraudulent displays of phone numbers (or “spoofs”) to gain the victim’s trust and get them to disclose personally identifiable information (PII) or sensitive financial information.
In November 2021, the FBI’s Atlanta field office issued a phone scam alert that scammers were impersonating law enforcement, spoofing phone numbers of officers, and asking for payment for outstanding warrants or fines. According to the FBI alert, “The scammers are using spoofed law enforcement phone numbers, along with the names, positions, and addresses of officers. The scam is largely targeting women with lucrative careers that have an online presence.”
HOW SPOOFERS OFTEN STAY TWO STEPS AHEAD OF THEIR VICTIMS
It’s easy to see how the mechanics of these calls can be deceiving. In a spoofing call, the perpetrators use simple application software installed on their cell phone or laptop that allows them to make outgoing calls appear to be coming from a legitimate source.
Verizon offers these common examples of spoofing:
- Receiving calls from a friend or spouse’s phone number when your friend/spouse is with you and is not calling you
- Robocalls received from a phone number similar to your own
- Calls from your bank’s phone number asking for personal information (account numbers, account PINs, etc.)
- Caller ID displays “911 Emergency” rather than the actual phone number of the calling party
Spoofers can enter the phone number for the FBI, a local police department, or a bank branch (even public charities such as the American Red Cross), and that number will appear on your phone’s caller ID. Even victims who call the displayed number back will get a legitimate recorded message from that agency or institution, because the number really does belong to it.
Unfortunately, widely available digital communications technology has made phone spoofing cost-effective for scammers. For example, spoofers will use the power of automated, recorded robocalls to target a much wider audience of potential victims, and often run several different fraudulent schemes at the same time to diversify their criminal activity. They only need a relatively small number of victims to be successful.
During the COVID-19 pandemic, spoofers have pivoted their phone call strategy: pretending to be from the IRS or the Social Security Administration, offering fake coronavirus testing, and scaring small businesses into buying bogus online listing services. You can learn more about these and other types of scams on the Federal Trade Commission website, and hear sample “scripts” of these calls published by the Federal Trade Commission.
U.S. spoofing crimes affected more than 28,000 victims in 2020 alone, racking up nearly $220 million in losses, according to the FBI’s Internet Crime Complaint Center. Internet-related identity theft disproportionately impacts victims over age 60, who suffer more losses, as a group, than any other age cohort.
The most insidious practice of spoofing con artists is using YOUR personal phone number to try to infiltrate your circle of friends, relatives, and neighbors in order to steal their identities and money and to run other scams. Sadly, there currently is no legal protection against this form of deception. Fortunately, the FCC has been working with telecommunications providers to create new ways to digitally validate caller IDs (through the so-called STIR/SHAKEN authentication standards). This would greatly reduce the incidence of spoofing, and we think it would bring welcome relief to millions of Americans.
HOW TO PROTECT YOURSELF FROM CALLER ID SPOOFING
The Federal Communications Commission (FCC) has issued detailed guidelines on how to protect your valuable PII from spoofing calls, spoofing emails, and phony landing pages. Here are the critical steps we recommend that you follow:
- Don’t answer calls from unknown numbers. Simply let them go to voicemail. If you do answer an incoming call that looks legitimate or appears to come from a local source but turns out to be a robocall, hang up. Although you may think there’s no harm in answering an unknown caller, your act of answering tells the attacker that your phone number is real and could put you on a list for future scam attempts.
- Verify any sensitive information request by calling back a known number. If you get an inquiry from someone who says they represent a government agency, company, or non-profit organization, hang up and call the phone number on your account statement or on the company’s or government agency’s website to verify its authenticity.
- Never give out personal information to callers. Banks, law enforcement, and most legitimate businesses will never call you to request sensitive information including account numbers, Social Security number, mother’s maiden name, password, or any other identifying information. Don’t be swayed by implied or overt urgency — hang up if you’re asked for PII.