Would You Have Fallen for This Phone Scam? (krebsonsecurity.com)
129 points by todsacerdoti on April 28, 2020 | 58 comments


Unless it's friends/family calling, of which most calls are likely Facetime or Whatsapp video these days, I don't bother answering and let it go to voicemail and I'd never call back purely based on a number given in a voicemail.

Virtually all call traffic I receive that doesn't fit the above is outright scam attempts, fake IRS / CRA threats, bizarre calls in Mandarin or Cantonese or post-sales "check-ins" to see if I want to spend more money with a service I've already paid for.

So it's unlikely I'd personally fall for this, simply due to a lack of opportunity for the would-be scammers.

That said, with the level of sophistication they're employing I could very easily see how people get trapped by it.


In case you're curious, the calls in a foreign language are, I understand, generally immigration scare attempts.

They were a big thing a few years back when Trump was talking about walls and kicking people out of the US; I thought they had died off, but I've also stopped answering my phone.


I got my first call in Chinese a couple of days after I applied for my visa to China so I assumed it was legit and related initially (e.g. they want more documents or something). Fortunately I don't speak Mandarin so once I tracked down my coworker and asked him to translate he told me it was a known scam.


If I can figure out the right button to press to get a human, I explain to the Chinese scammers that my Mandarin is really poor, but that I would love to hear what they think about the 6/4 Incident.


I don't think it necessarily has to do with visa to China. I started receiving a ton of spam calls in mandarin despite never applying for a visa to China or having a partner from China or ordering anything from Chinese services like Alibaba.

However, I find it interesting that those calls started shortly after I graduated college and started my first big tech job.


My Chinese wife receives phone calls like this all the time. Either it's DHL telling her she has a package to pick up (in a completely different state) or it's the consulate asking for some information. I guess my phone number got in with hers somewhere along the line as I've also received a call or two like this.


My wife and I have cell phones in the 650 prefix that are less than 1000 apart and my number is less than hers; the Mandarin scam calls come to my number a couple minutes before hers... I'm pretty sure they're just war dialing the whole area code. You can usually guess it's them because they spoof 415 numbers or 213 numbers.


I also get the DHL scam calls. Once I tried telling them that I was American and didn't speak Chinese (which is about the extent of my very rusty Mandarin knowledge) and it stopped the calls for a couple of months. That tactic did not work the second time around, though. :(


> In case you're curious, the calls in a foreign language are, I understand, generally immigration scare attempts.

I've been receiving Chinese language spam on both my Canadian and U.S. numbers for about five years now, and all of them have been DHL impersonators, PRC consulate impersonators, and people impersonating my mobile phone provider ("Hello, this is Freedom Mobile Chinese-language support blah blah blah"); I've never heard an immigration-related one claiming to be a U.S. or Canadian immigration or customs body.


I get them from time to time. I ran one voicemail past a Chinese-speaking co-worker who said that it was about a package delivery.


They're all the same format...

[DHL/FedEx/the Chinese consulate] has an urgent package for you to pick up.

[Failure to pick up the package will result in the package being returned to the original sender./The package has been confiscated in customs due to irregularities. Failure to contact us will result in a formal investigation.]

Please call us... etc.


There are other formats. Here's one that my wife (who is originally from China) got:

This guy calls claiming to be from the Beijing police. They claim that after she left China, someone stole her identity and tried to make some transactions in her name. They managed to stop him, but now they're investigating and they need to gather evidence. And so they need to get her ID and bank account details, etc.

For a while they completely had both of us, and we believed everything they said up until they were asking for her details. She asked for a name and ID number, and said she'd call them back. When she looked up the real Beijing police phone number and called them, they said they had no idea what she was talking about.


Ah right; I can't believe I forgot about that! I was just talking with someone who got strung along like that as well. Luckily she bailed out as well.


Today I learned they've morphed.

I assumed they want money in order to complete the delivery, but searching online it appears they want to verify someone will be home and nothing comes of it.

There seem to be some who think they're verifying names and addresses. Weird.


One day almost all the phones started ringing in the office one by one. Turns out someone/some automated system started dialing our phone numbers one by one with the above Chinese message scam. At that time I realized I never needed my office phone before and unplugged it. Problem solved.


I got a couple calls a while back where the person on the other end was just unresponsively crying and then hung up, sounded like it could be a recording, not sure what that was about.


If you're using an iPhone (dunno if Android has a similar feature), you can enable "silence unknown callers" in the phone settings. Then anyone not in your contacts or suggested contacts won't even ring.


That's great, but my doctor calls every week from an "unknown number" to check in with me and I have to get that call, I can only assume that's some kind of NHS voip solution for calling patients, so even if I wanted to I can't whitelist their number.


That pisses me off so much. To top it off I have bad signal in my flat, and they refuse to contact me any other way or even leave voicemails.


I mean the irony is that when you have a huge internal phone system like this the only way to do it "right" is to spoof the number to something consistent.


Got a letter in our letterbox the other day. It was purportedly from the real estate company that manages the apartment we live in. It said "Starting next month we would like you to change the bank account that you transfer money to". My wife was just going to do it because the letter looked legitimate and even seemed to have a stamp from the company (in Japan stamps are used instead of signatures). I stopped her and asked her to call the real estate company (using the number we already had on file) for confirmation. I pointed out that the stamp appeared to have been printed on the letter, not actually stamped. Indeed, it turns out to have been fraud. The real estate company had no idea about the letter.


With all those fraud stories up here, I'm wondering: Has anybody describing such a story in this thread reported the incident to the police after realizing it was fraud?


To be honest, I didn't. I expected the real estate agent to do it... But now that you mention it, I should probably follow up. Thanks for the idea!


From the article comments:

> Many banks including TD Bank on the East Coast of The US, and throughout Canada are now using voice recognition technology for their telephone banking.

> You can only imagine how easily that is spoofed as well.

That's absolutely hilarious... because the technology that allows a person's voice to be recognized is the exact same technology that allows it to be imitated.


I once had my car towed by the city, only I had no way to tell it was them because it's not like they tell you. I figured I'd call the tow yard before I filed a police report for a stolen vehicle. Completely automated system where you had to give them the social security number of whoever had the title to verify whether or not they had the car in the lot. At the time the car was in my dad's name, so I had to give this automated system that I had no way of knowing was legit my dad's social security number over the phone. They did have the car at least, but boy if a scammer had a spoofed phone number 1 digit off from the tow yard's, they would be sitting on a lot of people's social security numbers right now.


Schwab Bank started using voice recognition "passwords" as well. Luckily, it requires you to log into their website after talking through the voice password tutorial to activate the voice password, which I refused to do at the time. Good to know I made a decent choice.


Reminds me of my favorite 'hacking' movie Sneakers: "Hi, my name is Werner Brandes. My voice is my passport. Verify Me."


Fidelity has you put in your online password via the number pad. Have fun if you use a secure 20 digit randomly generated password.
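The comment above points at a real weakness that is easy to underestimate: typing a password on a phone keypad collapses every letter on a key onto one digit, so the IVR is verifying a much weaker secret than the web password, and anyone who captures the DTMF tones (a fake IVR, a recorded line) holds that weaker secret. The script below is an added example written for this page, not from the commenter or from any bank; it assumes the standard telephone keypad layout (2=ABC ... 9=WXYZ) and that symbols with no key are dropped, which the comment does not specify, and it uses constructed sample passwords.

```python
import math

# Assumption: the IVR maps letters to digits using the standard telephone
# keypad layout and ignores symbols it cannot represent. The comment above
# does not say which scheme the bank actually uses.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: key for key, letters in KEYPAD.items() for ch in letters}
ALPHANUM = 26 * 2 + 10  # size of the character set a random password is drawn from


def to_keypad(password: str) -> str:
    """Digit string the caller would type for this password."""
    digits = []
    for ch in password:
        if ch.isdigit():
            digits.append(ch)
        elif ch.lower() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.lower()])
        # symbols: no key, dropped (see assumption above)
    return "".join(digits)


def preimages(digit: str) -> int:
    """Distinct alphanumeric characters that produce this digit: the digit
    itself plus the upper- and lower-case form of each letter on its key."""
    return 1 + 2 * len(KEYPAD.get(digit, ""))


def candidates_for(digit_string: str) -> int:
    """How many alphanumeric passwords collapse onto one captured digit string."""
    return math.prod(preimages(d) for d in digit_string)


def password_bits(length: int) -> float:
    """Entropy of a uniformly random alphanumeric password of this length."""
    return length * math.log2(ALPHANUM)


def keypad_bits(length: int) -> float:
    """Shannon entropy of the keypad string derived from that same password:
    each position becomes digit d with probability preimages(d) / 62."""
    per_char = -sum(
        (preimages(d) / ALPHANUM) * math.log2(preimages(d) / ALPHANUM)
        for d in "0123456789"
    )
    return length * per_char


if __name__ == "__main__":
    # Constructed sample passwords: two different web passwords, one keypad string.
    for pw in ("Tr0ub4dor", "Tq0vc4fmr"):
        print(pw, "->", to_keypad(pw))
    print("passwords sharing that digit string:", candidates_for(to_keypad("Tr0ub4dor")))
    print(f"20 random alphanumerics: {password_bits(20):.1f} bits on the web, "
          f"{keypad_bits(20):.1f} bits on the keypad")
```

The 20-character random password the comment mentions carries about 119 bits on the web but only about 63 bits once keyed in, and it is the 63-bit digit string, not the password, that the phone channel actually authenticates.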


Never mind the insanity of leaking a secret that would otherwise only travel over TLS. Banks wouldn't know actual security if it fell into their lap. They got spoiled by pretending SSNs were somehow private, and are still trying to use "identification" as a crutch rather than focusing on proper authorization, e.g. a hierarchy of auth levels with the master being a public key on a hardware token, ideally that you go into a branch to replace. The only thing a person can do is refuse their snake oil voiceprints etc wherever possible, and most importantly monitor your accounts religiously at least every 40 days.

Even worse, the snake oil is leaking to non-banks as well. For example, Amazon now seems to insist on doing an email challenge for every login. Very unfriendly UX. Eventually I'll get around to writing a procmail recipe that grabs the codes out of emails/texts, and spits them to a terminal ready to be pasted.


Most banks in the UK have given out hardware 2fa devices for years. I have one for my company accounts that's activated with its own PIN that gives out logon and authorisation codes.

Is this not true in the US?

They are often now replaced by banking apps that offer a similar feature, as my consumer account with the same bank has done.


When it comes to banks, if it makes life easy for the customer, it’s probably not true in the US.

We still don’t have chip and PIN, and we most certainly don’t have TOTP 2FA.


Voice recognition is far more advanced than voice generation.


Not if it's GAN, no?


Government services in Australia have been implementing this technology as well. I hope it won't become mandatory.


Yes, my family think I'm a Luddite for not using HSBC's voice recognition security on telephone banking.


On iPhones you could go to Settings > Phone and turn on Silence Unknown Callers.

Works like a charm. If they have something important they'd leave a voicemail or text message or email anyway.


Android has a similar feature in its Do Not Disturb mode. If you're not already in my address book, my phone simply does not ring. Everyone I need to hear from on a moment's notice is in there, and everyone else can leave a voicemail. It's maybe a bit sad that it's come to this, but the robocalls are rampant and this is the only solution that even puts a dent in the volume.


Pixel phone will actually automatically screen the calls for you!

https://support.google.com/phoneapp/answer/9118387?hl=en


But in this article they spoofed the bank's number so that wouldn't help here if I read it correctly...


Daaamn, thank you.. never knew this was an option. If only government services stopped calling from unknown numbers too, then my life would be so much easier!


Moving from Germany to the UK was very easy and there haven't been a lot of "unexpected" things I couldn't cope with... Robo, spam and scam calls. I'm still only using my German number which only my family and friends have, who know, only call me in case of emergency.

Banks, insurers, institutes etc will never get my phone number. And my money will never be in a place where I have to worry about it getting scammed. Stolen maybe, but that thief would be very lucky.

And all this fuss and lack of comfort (simply ordering stuff) [especially during times like these] because I've become very paranoid, because of situations like that...


I just don't do online banking apart from my backup NatWest account that only has £50-100 in it.


What is the best practice for preventing these man in the middle (MITM) attacks? Brian Krebs seems to suggest the only way of doing so using a phone alone is to put down the phone and ring back, that way the initiation of the connection can be guaranteed to be secure.

I suspect there are better schemes that can be adopted when the user has access to both a phone and another connected device that can foil MITM attacks using SSL but you can't always guarantee that a user has access to a web browser or app.

In this case all phone calls from the bank should proceed like so (and it should be made illegal to act otherwise): "Hi I'm calling from Example Bank fraud department. Please go to your banking details and find the phone number for the fraud department and call the number listed and quote the reference ABC. I will now hang up and await your callback"
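The call-back script above is a protocol, and the part that is easy to get wrong is on the bank's side: the reference quoted on the outbound call has to be useless on its own, tied to one account, honoured once, and short-lived, otherwise a scammer who overhears or guesses it gains something. The model below is an added example written for this page, not the commenter's code nor any bank's system; the 15-minute lifetime, the reference format and "Example Bank" (taken from the comment) are assumptions, and the clock is passed in so the behaviour is reproducible.

```python
import secrets
from dataclasses import dataclass

TTL_SECONDS = 15 * 60   # assumption: a reference is only honoured for a short window


@dataclass
class PendingCase:
    account_id: str
    expires_at: float
    redeemed: bool = False


class FraudDesk:
    """Bank-side half of the call-back protocol. The outbound call carries a
    reference and asks for nothing; the reference is honoured once, for one
    account, for a limited time, and only on a call the customer placed to
    the number they already had on file."""

    def __init__(self) -> None:
        self._cases = {}   # reference -> PendingCase

    def open_case(self, account_id: str, now: float) -> str:
        # The reference is a correlation handle, not a credential: an attacker
        # who overhears it still cannot act on the account, because nothing
        # happens until the real account holder dials the published number
        # and is identified on that inbound call the usual way.
        ref = secrets.token_hex(3).upper()
        self._cases[ref] = PendingCase(account_id, now + TTL_SECONDS)
        return ref

    @staticmethod
    def outbound_script(ref: str) -> str:
        # Never asks for a PIN, password, one-time code or card details, and
        # never offers a number to call: the customer uses the one on their card.
        return (f"This is the Example Bank fraud department. Please find the fraud "
                f"number on your card or statement, call it and quote reference {ref}. "
                f"I will now hang up and await your call.")

    def redeem(self, ref: str, account_id: str, now: float) -> str:
        """Called when a customer who dialed the published line quotes a
        reference. Returns 'ok' or the reason the reference was refused."""
        case = self._cases.get(ref)
        if case is None:
            return "unknown_reference"
        if case.redeemed:
            return "already_redeemed"      # replay of an overheard reference
        if now > case.expires_at:
            return "expired"
        if case.account_id != account_id:
            return "account_mismatch"      # quoted by someone other than the holder
        case.redeemed = True
        return "ok"


if __name__ == "__main__":
    desk = FraudDesk()
    ref = desk.open_case("acct-42", now=0.0)
    print(desk.outbound_script(ref))
    print(desk.redeem(ref, "acct-42", now=60.0))   # ok
    print(desk.redeem(ref, "acct-42", now=61.0))   # already_redeemed
```

The customer-side rule that makes this work is the one the comment states: the number shown by caller ID never enters the decision, and the only number dialed is one the customer already held.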


How does caller ID spoofing work technically? I mean if the attackers do not have the contents of your SIM card stored, how can they pretend to the network that they are you? Isn't that the purpose of the SIM?


Nope because I don't answer calls from outside of my contacts. So much spam these days. If it's important they will leave a voicemail, and I can just skim the transcript rather than listening.


I strongly recommend getting a phone number from an area where you don't know anyone. Any time I get a phone call from Dallas, I know it's a scammer spoofing my misleading area code.


I recently got a call from a Chinese supplier on a presumably VOIP call, routing through my local area code and it has thrown my "avoid the 315 unknown" strategy out the window...


How about this for a scam idea: you call someone innocuously, without any purpose but to get them talking to you. Record their voice and then create a deep audio fake of them. Then mass dial the area code spoofing their number and try to get someone else on the phone with you using as your bot the audio fake and record their voice and repeat.


There sure must be a bunch of lousy online shopping sites storing CVVs in flagrant opposition to the entire point of CVVs.


"This data, known as “CVVs” in the cybercrime underground, is sold in packages for about $15 to $20 per record"

Would it be terribly complicated to make single use credit cards? Like if you have an app from your bank (which they push on you these days, anyways), you could generate a new virtual credit card for every transaction?


Revolut has a feature that does exactly this, and it works great! It's the sole reason I have a Revolut account. I know my usual bank used to do this as well, but they stopped some time ago unfortunately.


Lots of banks already have that service. My bank has had it so long it used to be a Flash applet. You can generate card numbers with a specified expiration date and usage limit.
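What makes the disposable card numbers discussed in the comments above (and the CVV-stuffing the article describes) interesting from the issuer's side is that every constraint is enforced at authorisation time, so a leaked virtual PAN and CVV buys the thief nothing once the card's single use, limit, expiry or merchant lock is spent. The model below is an added example written for this page, not code from Revolut, privacy.com or any bank; the 6-digit test BIN, the 16-digit PAN layout, the "YYYYMM" expiry format and the decline reasons are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumptions: a constructed 6-digit BIN that belongs to no real issuer here,
# 16-digit PANs, and expiry as a zero-padded "YYYYMM" string so it compares
# correctly as text.
TEST_BIN = "400000"
DIGITS = "0123456789"


def luhn_check_digit(partial_pan: str) -> str:
    """Check digit that makes partial_pan + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:        # digits that will be doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class VirtualCard:
    pan: str
    funding_account: str
    limit_cents: int
    expires: str                  # "YYYYMM"
    single_use: bool
    merchant_lock: Optional[str]  # None = any merchant
    spent_cents: int = 0
    closed: bool = False


class Issuer:
    """Issuer-side model of disposable card numbers: each virtual PAN is a
    token for a funding account, carrying limits that the issuer enforces
    at authorisation time rather than trusting the merchant to store nothing."""

    def __init__(self) -> None:
        self._cards = {}   # pan -> VirtualCard

    def issue(self, funding_account: str, limit_cents: int, expires: str,
              single_use: bool = True, merchant_lock: Optional[str] = None) -> VirtualCard:
        while True:
            body = TEST_BIN + "".join(secrets.choice(DIGITS) for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self._cards:        # never hand out the same PAN twice
                break
        card = VirtualCard(pan, funding_account, limit_cents, expires, single_use, merchant_lock)
        self._cards[pan] = card
        return card

    def authorize(self, pan: str, amount_cents: int, merchant: str, when: str) -> str:
        """Return 'approved' or the reason for the decline."""
        card = self._cards.get(pan)
        if card is None:
            return "unknown_card"
        if card.closed:
            return "card_closed"              # a replayed PAN+CVV dies here
        if when > card.expires:
            return "expired"
        if card.merchant_lock is not None and merchant != card.merchant_lock:
            return "merchant_mismatch"
        if card.spent_cents + amount_cents > card.limit_cents:
            return "over_limit"
        card.spent_cents += amount_cents
        if card.single_use:
            card.closed = True
        return "approved"


if __name__ == "__main__":
    issuer = Issuer()
    card = issuer.issue("acct-1", limit_cents=4999, expires="202512", merchant_lock="shop.example")
    print(card.pan, luhn_valid(card.pan))
    print(issuer.authorize(card.pan, 4999, "shop.example", "202004"))   # approved
    print(issuer.authorize(card.pan, 1, "shop.example", "202004"))      # card_closed
```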


privacy.com does this


It seems like the greater risk described in this blog is attackers using social engineering against your bank to gain access to it. How do you prevent that?


You don't. Social engineering has been the best tool in the kit since long ago. Used to do it in the phone phreaking days. The majority of the time, the person being "engineered" is some sort of customer service type who is essentially there to help customers. It takes a robo-level self-control to essentially say "tough cookies, I cannot help you for fear of being scammed".


Another piece of USA infra that is just miles behind most western countries.

Phone numbers cannot be used as sole auth.

This also shows the total flaw in the phone infra. Why can't I rely on the phone number I see?


> Another piece of USA infra that is just miles behind most western countries.

There are massive holes in most government institutions. You just need to encounter them.

Just one example from many of the Australian government failings:

You may receive a phone call from Centrelink. It'll be from a private number, so there's no need to even spoof it. They ask for your date of birth, Centrelink ID and address to validate you, which just also happens to be everything you need to steal someone's account.

If you refuse to identify without them first identifying, or if you ask if you can call Centrelink directly to be reconnected, you'll find you can't.

I received a call from Centrelink, in a week when I also received three other calls purporting to be from Centrelink. I can't tell you which one was the legitimate one, just that I was punished for refusing to communicate over the phone, and had my account closed.

(An account that it took the Minister of Health intervening on my behalf to open - Centrelink are incapable of assessing my illness, and thus my account always ends up in a limbo of processing, without me receiving benefits, whilst still being incapable of most work.)

Similar things exist with the Tax Office, the security puss that is mygov, and so on.

I've had similar stories from friends out of the UK and France. Governments don't know how to deal with situations where they cannot just say that they are the authority.


Agreed, but the entire USA non-government retail banking system is behind Europe.



