
Identity thieves start working the phones

by Neal O'Farrell on November 23rd, 2011

One of the reasons identity theft is such an epidemic is that there are so many ways to commit it – steal mail, blast out phishing emails, hack a database, or simply buy identities on a street corner. But for years, security experts have been suggesting, and maybe hoping, that at least you should never expect to get a phone call from the thief.

Time to start rewriting the manual. A security firm called Trusteer recently announced that it has discovered criminal support organizations that provide real people operating customer service-style phone banks to personally call targets and try to swindle them out of their identity.

Experts believe thieves are going to such new extremes because when they steal a victim’s identity online, they may not have quite enough information to maximize that theft. So they hire these criminal dialers to call selected victims, use the personal information they already have about the victim to build trust, and then trick the victim into handing over the last piece of the puzzle.

Here’s how Trusteer believes these calls might go. The scam would start when the criminals try to reset a password or initiate a transaction, and the bank sends a text message to the victim that includes a one-time password for verification.

Step 1: Caller Establishes Credibility

The caller would use data collected by malware to gain credibility; for example, the caller will ask “Are you John Smith, living at [the victim's address], with credit card number ending in 2345?”

Step 2: Caller Collects Missing Data

Once the caller has established credibility, they will go on to collect:

a) The one-time password sent by the bank as a text message – for example “We have just sent you a one-time password so we can make sure you are John Smith, can you please read it for me?”

b) Any other additional authentication information – for example “For verification, can you please give me the last four digits of your SSN?”

c) A transaction signing code that the victim is tricked into generating with fraudulent payee and amount information – for example “We need to calibrate your transaction signing reader, so could you please enter the following details online and then tell us what happens.”

According to Trusteer “While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavor to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organizations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realize.”

Trusteer offers the following advice:

  • Make sure to use up-to-date anti-malware solutions, especially any recommended by your bank, to prevent data theft in the first instance.
  • Treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer.
  • Use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.
