My phone rings. The caller ID recognizes the number and tells me that the caller is a friend saved in my contacts. But that can’t be true: my friend is in the next room, with his phone lying untouched on the desk.
In reality, the caller has disguised his number, proof that spoofing it is entirely feasible and, even more worrying, not at all complex to do.
The real caller is cybersecurity specialist Eliot Eggers, who promised me that he could disguise his number and impersonate anyone in my contacts. Before the call, he asked me for my friend’s number, so I was the one who gave it to him so he could prove his point. Only a few seconds later I receive the call, which I know is fake, but my smartphone’s caller ID does not.
As an educational test it is harmless; as one of the trending scams in Mexico, it is not.
Spoofing, or when the caller looks like the bank but is not
Alejandra received a call at noon on an ordinary Tuesday. Her phone indicated that it was her bank and, when she answered, the operator on the other end of the line explained that an unusual movement had been detected in her bank account. Alejandra did not hesitate for a moment. All her trust was in her phone’s caller ID, which told her that the call was legitimate and came from her bank, since the number was saved in her phonebook.
The following minutes are crucial for the fraudster. At no point can the victim suspect anything, so, always in a friendly, cordial and confident tone, the “operator” explained that, to protect her account, a PIN would be sent to her phone and she would then have to read it back during the call. Alejandra agreed. The call lasted no more than ten minutes, during which Alejandra was asked to wait on the line while the account setup process was completed.
The call ended. Alejandra opened her mobile banking app to confirm that her account was in order, only to find that, seconds earlier, an electronic transfer of more than 3,000 pesos had been made from her account to another.
Alejandra then called the bank back using the same number that appeared in her phone’s call log, the one generated by the fraudulent call. Switchboard sounds. After a menu full of options, Alejandra finally manages to reach an operator, who tells her that the call, despite appearing legitimate on her caller ID, shows signs of having been fraudulent. Alejandra had never heard of spoofing when she tells me what happened to her.
How spoofing works
Spoofing consists of impersonating an identity, and it applies to IP addresses, email, websites and, of course, phone numbers. Essentially the scammer does what Eggers did to me: deliberately falsifying the information sent to the caller ID. Eggers did it with the phone number of a friend that I gave him myself; in Alejandra’s case, the scammer passed himself off as her bank.
For this type of fraud, the fraudster must necessarily know the client’s bank, as well as their full name and, on occasion, they may also know the last digits of their card. The problem with this modus operandi is that there is no way to verify the authenticity of the call while you are on it. Some anti-spam apps might help, but with them there are always nuances as to what information is shared with them. The only way to guarantee not falling for such a scam is not to trust incoming calls, regardless of whether the smartphone’s caller ID indicates that it is from the bank, the insurer, or any other company that provides financial services to the user.
The rule is simple: the user must not give any type of personal information in calls they receive, regardless of whether the caller ID says that the call comes from the bank.
One of the problems with spoofing is that, Eggers tells me, it is a relatively unknown type of scam in Mexico, despite not being new. The cybersecurity specialist tells me that a large proportion of his client base had never really heard of the term until they came across it, which is notable considering that his clients are large companies, usually with dedicated cybersecurity teams.
The awareness efforts have been there for a long time, but they just haven’t resonated. The Association of Banks continually communicates on the subject, and it is not difficult to find other messages from banks addressed specifically to their account holders.
— Association of Banks of Mexico (@AsocBancosMx) December 28, 2021
Recommendations to avoid spoofing
They are no different from those usually given to avoid any type of telephone fraud, the main one being not to give any sensitive data over a call, even if the smartphone’s caller ID makes the call look entirely legitimate. This is a slightly different guideline from those that exist to counter traditional phishing or vishing, since for those types of fraud it was enough not to trust incoming calls or messages from suspicious numbers, according to the recommendations of the Condusef.
Eggers assures that spoofing is equally effective for both Android and iOS users
The data that should never be shared in an incoming call, regardless of whether the caller ID identifies it as a call from the bank or any financial institution of which you are a customer, are:
- Passwords, whether for a service or an online banking account
- The card’s security code
- Tokens, the numbers usually sent to a smartphone to validate an online transaction
- Personal data such as name or address
The same day that Alejandra was scammed, she started a procedure to request a refund from her bank. Just over a month later, the request was confirmed as rejected.