The danger of spoofed calls and texts

Call and text spoofing is my “go to” demo when I’m doing stuff on TV, radio, or giving a talk. The reason being is it’s incredibly simple to set up, cheap to run, and always makes people gasp in horror when they realise the potential mayhem that can be caused by spoofing.

What is call or text spoofing?

Essentially, the ability to mask your number as any other number. That’s it. It might not seem like that big a deal, but the problem is that literally any number can be used as the caller ID, which includes bank phone numbers, police station phone numbers, your friend’s number, or even Pi (see below). It’s ridiculously easy to make a call spoofing device: the one used in the show took me minutes to build and set up, didn’t require any special equipment, and costs very little to operate. In fact, I was surprised just how easy it was to make and use without anyone questioning what I was doing.

For the show, I built a little phone server that can make and receive calls. Using a bit of know-how, I figured out a way in which I could call spoof “on the fly” using the touch tones on my phone’s keypad. The system was highly flexible: I’d literally dial the number of my server, wait for the prompt, enter the number I want to masquerade as (my outbound caller ID), and lastly enter the number I want to call. It might sound like a lot of effort, but with the ability to con you into thinking I’m the bank, the police, or your phone’s service provider, I can start extracting information out of you that could be used against you.

How is this used in scams?

Scammers will call you claiming to be your bank which, when you check the caller ID against the number on the back of your card, on their website, or on any literature, will look legit. Next, they’ll do some social engineering to gain your trust, and try to reassure you that it is indeed the bank, police, or similar company (spoiler alert, it’s not) in order to extract information from you. Reading this, you’d be forgiven for thinking that you’d smell a rat instantly, but under normal circumstances (i.e. not immediately after you’ve read this article!) it’s very easy to fall for. We all trust the caller ID on our phones implicitly, and that needs to change.

Here’s an example script that I assure you would work given the right circumstances. Let’s say I’ve spoofed your bank’s phone number:

Me: “Hello Mr. X, this is Scott from the fraud department at The Royal Bank of Scotland. We’ve detected some suspicious activity on your account and it seems like there may be a problem with your card.”

You: “Oh, thanks. So… my card is still blocked?”

Me: “Unfortunately so. I can re-activate it and refund you the fraudulent purchases in two minutes, but we need to go through some security questions first, if that’s okay.”

You: “…but how do I know you are who you say you are?”

Me: “Excellent question! It’s great to hear consumers that are worried about security. If you take out your card, the phone number on the back matches the number I’m calling you from. Also, I’d be more than happy to let you disconnect this call and call back, but be aware that you might not get through to me and you’ll still have to go through loads of security checks.”

(This is me intentionally patting the consumer on the back. It’s important while doing social engineering to make it feel like I’m going out of my way to help this customer, that I’m doing something I’m not supposed to but for the benefit of the consumer, and that the consumer is smarter than me. It sounds odd, but it works. Also, saying “You can do it the right way if you want, but it takes way longer” is another way of keeping them on the phone if they feel it’ll only take minutes to resolve.)

You: “Eh… let’s just do it then.”

Me: “Okay, great! Can I have digits 1 and 2 of your online digital banking PIN please?”

(I won’t actually check this against anything, but it’s useful for later: if I keep the customer on the phone for longer, I can “pretend” to log out of the account and have to re-authenticate them by asking for digits 3 and 4…)

You: “5 and 6”

Me: “That’s great, now let’s deal with your problem…”

Already I’ve got the customer’s guard down and got them trusting me. From here, it’s not difficult to stretch the call out longer and ask for certain card digits, security questions, and more information. It happens all the time, and it is something we are all potential targets of.

How big a problem is it?

Call and text spoofing is a huge problem, and it’s a huge problem because of the trust we place in an incoming call. Nothing on your phone tells you that the number displayed (or, indeed, the contact name, if you have the number saved) isn’t who they say they are. To use a pop culture reference, imagine it like Polyjuice Potion from Harry Potter. I can impersonate any number on the planet, from your friends, to authority figures, to even the school where you send your children. Once you realise the potential impact, it becomes clear just how big a problem it is.

To bring it back to the Harry Potter reference, here’s the Order of the Phoenix’s potential solution:

How can you protect yourself?

All popular culture references aside, I don’t want to scare you, but there’s no true, tried, and trusted preventative measure… yet. It’s something I have been working on personally, trying, along with others, to put pressure on networks to stop allowing call spoofing to take place. There was once a valid and legitimate reason for it, but it is now used primarily for illicit purposes, and that has got to stop. As always, here are my tips on how to stay safe:

  • If you receive a call and are unsure of its authenticity, just hang up. If they’re legitimate, they’ll reach out to you again.
  • Call spoofing only works one way, that is to say I can mask my number as your bank’s, but redialing the bank will put you through to the real bank.
  • Call your network provider; they can tell if a number has been spoofed (or looks like it might come from an unlikely source) and advise you.
  • If it’s the “bank” that’s called you, visit a branch in town, in person.
  • Never click on any links in a text message, even if it looks like it came from your bank or network provider.
  • As always, be skeptical.