It's a scenario we're all familiar with - your phone rings, displaying an unknown number on the caller ID. Most of us instinctively ignore these calls, letting them go to voicemail. After all, if it's important, the caller will leave a message. However, what if the call appears to be from a legitimate source like a hospital, the police, or even your own bank? In those cases, many of us, especially parents, would likely answer without hesitation.
This difference in our response based solely on the caller ID is exactly what scammers are exploiting to steal hundreds of thousands of dollars from unsuspecting victims. One man's terrifying experience sheds light on just how devastating this scam can be: "That phone call would cost him $137K. All our money's gone."
Rob Low
The Anatomy of the Caller ID Scam
The caller ID scam typically begins with a text message, seemingly from your bank, asking you to confirm a suspicious transaction.
For example: "Did you attempt a $64 transaction at [store name] on [date]? Reply with 1 for yes or 2 for no."
Naturally, since you did not make the transaction in question, you reply with "2" for no. This is when the scam truly kicks into gear. You receive a follow-up message, instructing you to secure your account and open a dispute with the bank's fraud department, providing you with a phone number to call.
The phone number and wording used in these messages are carefully crafted to appear legitimate, mimicking the real protocols banks follow when fraudulent transactions are reported. So far, there's nothing to raise suspicions.
Then, the phone rings. Glancing at the caller ID, you see your bank's name displayed, along with "Fraud Division" - the same number provided in the previous text. With no reason to doubt the authenticity, you answer the call.
The Illusion of Legitimacy
From this point forward, the scammers employ various tactics to build trust and give the impression of a genuine interaction with your bank. Former victim Scott recalls,
The caller will often provide personal details about you that only your bank should know, such as your date of birth, address, and recent legitimate transactions you've made.
This information, readily available on data broker websites for a small fee, or sometimes readily available from the things we share online, serves to further validate the caller's claimed affiliation with your bank.
With your guard sufficiently lowered, the scammer proceeds to claim that your account has been flagged for fraudulent activity. However, before they can assist you, they need to confirm that the phone number listed on your account is correct.
To do this, they will send you a one-time PIN (OTP) via text message, purportedly from your bank. As Scott recounts, "That he did, in fact, receive via text from real Chase, only to then unwittingly share with the scammer who was pretending to be Chase Bank."
Aware that you would be reluctant to share the OTP directly with them, the scammers employ a clever workaround. They claim it is against bank policy to disclose the OTP to a representative and instead transfer you to an "automated system" where you can input the code yourself.
The moment you enter that one-time PIN, you have unwittingly confirmed the fraudulent transaction, and your money is as good as gone. The scammers have now gained complete access to your account.
The Ease of Caller ID Spoofing
The technological aspect behind this scam is shockingly simple and widely accessible. Changing the caller ID to display any text or number is a process known as "branded caller ID" and is commonly used by legitimate call centers to increase answer rates.
However, the same tools that enable branded caller ID for businesses are also available on the dark web, with no verification checks in place. This allows scammers to spoof any caller ID they desire, a practice known as "number spoofing."
For those with minimal technical knowledge, there are even freely available tools and tutorials online that can guide users through the process of creating their own caller ID spoofing system.
While the technology behind caller ID spoofing is relatively straightforward, the real success of this scam lies in the art of social engineering – manipulating human psychology and exploiting emotional vulnerabilities.
As the caller claims your account has been compromised, they offer a sense of relief by appearing to help resolve the situation. They prey on the stress and urgency of the moment, giving the impression of a knowledgeable and customer-service-oriented representative working on your behalf.
Furthermore, the personal information they provide, such as your birthdate and address, instills a false sense of legitimacy, making it easier to trust the caller and follow their instructions.
How scammers obtain personal details
So, how do these scammers obtain the personal details they use to make their calls seem authentic?.
The manual approach involves scouring social media platforms like Twitter, Instagram, and Facebook for publicly shared information about potential targets. A simple Google search for phrases like "I bought this" can reveal posts where people have shared details about recent purchases, birthdays, and other personal anecdotes.
Frankline
While this manual method is effective, it can be time-consuming. The easier and more efficient approach for scammers is to purchase data from so-called "data broker" websites. For a nominal fee, these sites provide comprehensive dossiers on individuals, including names, ages, phone numbers, and a wealth of other personal information.
Frankline
Unfortunately, even if you successfully have your information removed from a particular data broker site, it is often a temporary solution. The next time the site acquires a fresh batch of data, your personal details may reappear, forcing you to restart the removal process.
This cycle highlights the importance of services like DeleteMe, which continuously monitor data broker sites on your behalf, persistently working to remove your information as it resurfaces. By acting as your agent in this ongoing battle, DeleteMe aims to provide a more sustainable solution to protecting your privacy.
Douglas Choate
Extracting the One-Time PIN
But even after deceiving you into inputting the one-time PIN through the "automated system," the scammers still need to extract that PIN from the recorded tones. This is easily accomplished by uploading the recording to a DTMF (Dual-Tone Multi-Frequency) decoder website, which translates the tones into the numerical PIN you entered.
Will the insurance help?
Some victims may initially take solace in the belief that the Federal Deposit Insurance Corporation (FDIC) will protect their funds, as it insures deposits up to $250,000 in the event of a bank failure. However, this insurance does not apply in cases of individual fraud or theft, as the loss is not the fault of the bank itself.
How to Protect yourself from the Caller ID Scam
While the caller ID scam is undoubtedly sophisticated and psychologically manipulative, there are steps you can take to protect yourself:
- Never provide sensitive information over the phone, especially one-time PINs or passwords, regardless of the caller's claimed affiliation.
- If you receive a call from your bank's "fraud division" after reporting a suspicious transaction, do not engage with the caller. Instead, hang up and call your bank directly using the number listed on their website or the back of your credit/debit card. If the initial call was legitimate, there will be notes in the bank's system regarding the issue.
- Be wary of any caller who tries to create a sense of urgency or pressure, such as claiming you need to take immediate action within a short timeframe. Real bank fraud departments do not operate this way.
- Remember that modern AI technology can be used to mimic real people's voices, so relying on vocal cues alone is no longer a reliable indicator of legitimacy.
- Consider using a service like DeleteMe to continuously monitor and remove your personal information from data broker sites, reducing the amount of publicly available data that scammers can exploit.
