Cybercriminals Turn to Phone for Easy Scams



Criminals, like most humans, are fundamentally lazy. When presented with several options for accomplishing a task, they generally will take the easiest one. For some people that’s a function of their skill set, but for others it’s simple practicality. Easier is better. And for criminals, easier also means more money.

Right now, one of the easier avenues to getting that money is through the phone channel. Organized crime rings mount long campaigns that target banks, insurance companies, and other financial institutions, with the goal of gaining access to victims’ accounts. They perform research and reconnaissance on potential victims, gathering information about their activities, career, and family, and then use that information in account takeover attempts. A lot of the initial activity during an account takeover is done through calls to a bank’s contact center, in which the criminal tries to reset passwords or take other actions while also gathering more information.

Banks and other frequently targeted organizations have begun to address this problem with a variety of techniques, including anti-fraud systems and voice biometrics. But criminals also use the phone channel to target individual victims directly, through the use of fraud calls that are designed to gather information that then is used in other criminal activities. These phone fraud rings have become formidable, distributed, and highly profitable, and the authorities have begun to take notice.

In October, law enforcement officials in India took down a huge phone fraud ring in Mumbai that was allegedly running the IRS tax scam. In that scheme, callers tell victims that they owe back taxes and are about to be arrested for not paying. They then bully the victims into buying prepaid Visa cards or iTunes cards to settle the fictional debt. In other scams, callers impersonate IRS agents or bank officials and ask the victims to confirm personal details such as Social Security numbers, account numbers, and addresses. The criminals then use that harvested data for account takeovers or other activities.

And just last week, the FTC took down a pair of major robocall operations in the United States that were targeting consumers with a variety of schemes. These two rings weren’t running outright scams, but were instead using robocalls to try to sell home security systems or extended auto warranties, according to the FTC’s complaints. The defendants allegedly were calling millions of consumers who were on the Do Not Call registry, in violation of federal law. One group of companies was making hundreds of millions of calls a month.

“According to the FTC’s complaint, between at least March 2009 and May 2016, the defendants made or helped to make billions of robocalls, many of which sold extended auto warranties, search engine optimization services, and home security systems, or generated leads for companies selling those goods and services. Many of those calls were to numbers on the DNC Registry,” the FTC said.

“In just the first three months of 2014, the FTC alleges that the defendants made more than 329 million robocalls to consumers in all 50 states, including 32 million to numbers on the Do Not Call Registry. In the first quarter of 2015, the FTC alleges that the defendants blasted out 222 million calls, including 40 million to numbers on the Do Not Call Registry.”

Robocalls can be far more than just an annoyance. They have become part of the arsenal for advanced cybercrime groups as they work to gather information on potential victims and then turn that information into profit. The security hurdles criminals face in this channel are much lower than the ones they face in traditional attacks. Human nature dictates that most criminals will take the path of least resistance, and until organizations improve their defenses in the phone channel, it will continue to be that path.

Dennis Fisher


Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.