How Fraudsters Are Stealing Thousands Using The Caller ID Scam

· 7 min read
How Fraudsters Are Stealing Thousands Using The Caller ID Scam
Photo by Richard / Unsplash

It's a scenario we're all familiar with - your phone rings, displaying an unknown number on the caller ID. Most of us instinctively ignore these calls, letting them go to voicemail. After all, if it's important, the caller will leave a message. However, what if the call appears to be from a legitimate source like a hospital, the police, or even your own bank? In those cases, many of us, especially parents, would likely answer without hesitation.

This difference in our response based solely on the caller ID is exactly what scammers are exploiting to steal hundreds of thousands of dollars from unsuspecting victims. One man's terrifying experience sheds light on just how devastating this scam can be: "That phone call would cost him $137K. All our money's gone."

Phishing scam dupes Jefferson County couple out of $137K
By the time this Golden resident realized the Chase Bank fraud team he had been talking to on the phone were scammers themselves, he was out more than $137,000.

The Anatomy of the Caller ID Scam

The caller ID scam typically begins with a text message, seemingly from your bank, asking you to confirm a suspicious transaction.

For example: "Did you attempt a $64 transaction at [store name] on [date]? Reply with 1 for yes or 2 for no."

Naturally, since you did not make the transaction in question, you reply with "2" for no. This is when the scam truly kicks into gear. You receive a follow-up message, instructing you to secure your account and open a dispute with the bank's fraud department, providing you with a phone number to call.

The phone number and wording used in these messages are carefully crafted to appear legitimate, mimicking the real protocols banks follow when fraudulent transactions are reported. So far, there's nothing to raise suspicions.

Then, the phone rings. Glancing at the caller ID, you see your bank's name displayed, along with "Fraud Division" - the same number provided in the previous text. With no reason to doubt the authenticity, you answer the call.

The Illusion of Legitimacy

From this point forward, the scammers employ various tactics to build trust and give the impression of a genuine interaction with your bank. Former victim Scott recalls,

"He seemed very knowledgeable about Chase. She wasn't asked for account information, her social security number or password. Very, like, very customer service oriented."

The caller will often provide personal details about you that only your bank should know, such as your date of birth, address, and recent legitimate transactions you've made.

This information, readily available on data broker websites for a small fee, or sometimes readily available from the things we share online, serves to further validate the caller's claimed affiliation with your bank.

With your guard sufficiently lowered, the scammer proceeds to claim that your account has been flagged for fraudulent activity. However, before they can assist you, they need to confirm that the phone number listed on your account is correct.

To do this, they will send you a one-time PIN (OTP) via text message, purportedly from your bank. As Scott recounts, "That he did, in fact, receive via text from real Chase, only to then unwittingly share with the scammer who was pretending to be Chase Bank."

Aware that you would be reluctant to share the OTP directly with them, the scammers employ a clever workaround. They claim it is against bank policy to disclose the OTP to a representative and instead transfer you to an "automated system" where you can input the code yourself.

The moment you enter that one-time PIN, you have unwittingly confirmed the fraudulent transaction, and your money is as good as gone. The scammers have now gained complete access to your account.

The Ease of Caller ID Spoofing

The technological aspect behind this scam is shockingly simple and widely accessible. Changing the caller ID to display any text or number is a process known as "branded caller ID" and is commonly used by legitimate call centers to increase answer rates.

However, the same tools that enable branded caller ID for businesses are also available on the dark web, with no verification checks in place. This allows scammers to spoof any caller ID they desire, a practice known as "number spoofing."

For those with minimal technical knowledge, there are even freely available tools and tutorials online that can guide users through the process of creating their own caller ID spoofing system.

While the technology behind caller ID spoofing is relatively straightforward, the real success of this scam lies in the art of social engineering – manipulating human psychology and exploiting emotional vulnerabilities.

As the caller claims your account has been compromised, they offer a sense of relief by appearing to help resolve the situation. They prey on the stress and urgency of the moment, giving the impression of a knowledgeable and customer-service-oriented representative working on your behalf.

Furthermore, the personal information they provide, such as your birthdate and address, instills a false sense of legitimacy, making it easier to trust the caller and follow their instructions.

How scammers obtain personal details

So, how do these scammers obtain the personal details they use to make their calls seem authentic?.

The manual approach involves scouring social media platforms like Twitter, Instagram, and Facebook for publicly shared information about potential targets. A simple Google search for phrases like "I bought this" can reveal posts where people have shared details about recent purchases, birthdays, and other personal anecdotes.

The Hidden Dangers of Oversharing: How Your Innocent Photos and Videos Can Expose More Than You Think
We share more personal information online than ever before. From posting vacation photos on Instagram to checking in at a restaurant on Facebook, our online activities leave a trail of digital breadcrumbs about our lives. While this level of sharing can enhance our connections and allow us to document precious

While this manual method is effective, it can be time-consuming. The easier and more efficient approach for scammers is to purchase data from so-called "data broker" websites. For a nominal fee, these sites provide comprehensive dossiers on individuals, including names, ages, phone numbers, and a wealth of other personal information.

Data Brokers - What They Know About You and How to Take Back Control of Your Privacy
Data brokers operate in the shadows, amassing troves of personal information about individuals and families. But who are these unseen entities, and just how much do they know? Understanding Data Brokers Data brokers gather this information from a variety of public and private sources using methods like purchasing datasets, scraping

Unfortunately, even if you successfully have your information removed from a particular data broker site, it is often a temporary solution. The next time the site acquires a fresh batch of data, your personal details may reappear, forcing you to restart the removal process.

This cycle highlights the importance of services like DeleteMe, which continuously monitor data broker sites on your behalf, persistently working to remove your information as it resurfaces. By acting as your agent in this ongoing battle, DeleteMe aims to provide a more sustainable solution to protecting your privacy.

Your Privacy is our Business
Your Personal Data is Yours Again.

Extracting the One-Time PIN

But even after deceiving you into inputting the one-time PIN through the "automated system," the scammers still need to extract that PIN from the recorded tones. This is easily accomplished by uploading the recording to a DTMF (Dual-Tone Multi-Frequency) decoder website, which translates the tones into the numerical PIN you entered.

Will the insurance help?

Some victims may initially take solace in the belief that the Federal Deposit Insurance Corporation (FDIC) will protect their funds, as it insures deposits up to $250,000 in the event of a bank failure. However, this insurance does not apply in cases of individual fraud or theft, as the loss is not the fault of the bank itself.

How to Protect yourself from the Caller ID Scam

While the caller ID scam is undoubtedly sophisticated and psychologically manipulative, there are steps you can take to protect yourself:

  1. Never provide sensitive information over the phone, especially one-time PINs or passwords, regardless of the caller's claimed affiliation.
  2. If you receive a call from your bank's "fraud division" after reporting a suspicious transaction, do not engage with the caller. Instead, hang up and call your bank directly using the number listed on their website or the back of your credit/debit card. If the initial call was legitimate, there will be notes in the bank's system regarding the issue.
  3. Be wary of any caller who tries to create a sense of urgency or pressure, such as claiming you need to take immediate action within a short timeframe. Real bank fraud departments do not operate this way.
  4. Remember that modern AI technology can be used to mimic real people's voices, so relying on vocal cues alone is no longer a reliable indicator of legitimacy.
  5. Consider using a service like DeleteMe to continuously monitor and remove your personal information from data broker sites, reducing the amount of publicly available data that scammers can exploit.
## Convertkit Newsletter