It’s rare that a month passes without another company getting victimized by a data breach that exposes millions of customers’ personal information. What’s different today is that scammers are now using this stolen data to impersonate trusted companies. This effective scam strategy is called “enterprise spoofing.”
My company, First Orion, analyzed approximately 40 billion calls made to mobile customers and, with that data, predicted that the previously employed method called “neighbor spoofing” will drop by 20% as scammers adopt enterprise spoofing.
The latest trend in spoofing exploits consumers’ trust in companies like Apple, Visa, Mastercard and Microsoft by using the company’s name, known business number, homepage and address to convince victims of the call’s legitimacy. When calls come from convincing caller IDs and the deceptive callers possess information that victims assume only real companies would know — such as their credit card number, Social Security number and more — the challenge to recognize a scam grows exponentially. This poses a threat not only to consumers, but also to reputable companies that have built themselves into trusted brands.
Whether you are a consumer or a business, understanding how scams work and how to detect them will help you protect yourself and your business. Knowing the signs of a scam call and what to do when caught in one is the first line of defense.
First, let’s look at some recent examples of scams:
Earlier this year, Apple and its customers were targets of an enterprise spoofing scam. Apple customers were contacted by numbers that had been spoofed to appear as real Apple agents, using the Apple homepage and address to dupe victims into believing a legitimate Apple employee was contacting them.
Visa and Mastercard have also fallen victim to enterprise spoofing, with fraudsters contacting customers and masquerading as representatives from the card companies. They asked cardholders to reveal the 3-digit security code on the back of their card, and then applied unauthorized charges to the card immediately. Scammers already have a wealth of information that was stolen during the security breaches in recent years, such as account numbers, addresses and other personal information, that can make them sound legitimate. When presented with so much convincing information, consumers are more likely to believe the call is real.
Similarly, hackers and scammers took advantage of Microsoft and the company’s widely recognizable name and reputation. The criminals contacted the company’s customers, masquerading as the Microsoft Windows refund department, even spoofing the caller ID so that it displayed a legitimate support number. Scammers used consumers’ credit card numbers and other personal details gleaned from the data breach to make the phone calls seem authentic.
With data breaches continuing to expose consumers’ personal data, our recent study discovered that 3 in 4 scam victims report personal information was used to extract additional data, leading to financial losses in excess of $10,000. When preyed on by a caller who had their personal information, consumers were five times more likely to experience a financial loss. Additionally, the tactic of enterprise spoofing erodes the trust consumers have in household names.
Earlier this year, the Federal Communications Commission (FCC) clarified the regulations around carrier blocking of illegal calls. This assured carriers that they can block fraud calls automatically, offering consumers an opt-out from the practice, instead of only providing such blocking for consumers who have opted in.
There are also two bills currently making their way through Congress that will require more protections for subscribers, including required adoption of STIR/SHAKEN, a new industrywide call-authentication standard.
How To Protect Yourself
1. Know the signs
The FCC issued a consumer guide in August on how to stop unwanted robocalls and avoid phone scams. The most important tip is to not answer calls from unknown callers, and if a call seems suspicious, hang up immediately. Exercise caution when providing any personal information, even if the number is one you recognize.
Some scams are very convincing, and the scammers constantly adapt their methods to seem more legitimate. If you get caught in a scam, the first major step is to let your financial institutions know.
Another step is to make sure your credit report is frozen.
If you suspect that your Social Security number was affected, contact the Social Security Administration and let them know that someone has gotten hold of your SSN without authorization.
Additionally, you can submit a formal complaint to the Federal Trade Commission so they can create a public warning and inform you of your rights.
2. Understand how your mobile provider can protect you
Filtering out potential robocalls and using blocklists are good solutions, but they may not always be effective. While the government and telecoms continue to strategize against robocalls, consumers can protect themselves with advanced caller ID protections.
Mobile subscribers looking to protect themselves from enterprise spoofing can seek out providers who have deployed real-time, in-network solutions, as app-based services are less effective in identifying and blocking spoofed calls.
We partnered with T-Mobile or Metro PCS to help users block scams by dialing (#662#). T-Mobile also provides scam identifying services for both TracFone and Simple Mobile, tagging over 3 million calls per day for about 4.5 million subscribers total.
Verizon users can subscribe to the free or paid versions of Call Filter by logging in to My Verizon or enrolling in the Call Filter App. AT&T recently rolled out new spam call features so mobile subscribers can block spam calls.
Scammers are savvy, but understanding how to recognize scams and what to do when caught in one will help you or your company keep pace with the evolving tactics of nefarious callers.