We have already spoken on other occasions about scams that impersonate a bank using SMS spoofing techniques, with which scammers manage to send us messages that are displayed in the same thread as our bank's legitimate ones, thus convincing many unsuspecting users to give up their personal data.
But scammers are always innovating, and some have taken their bank scam prowess to another level. Computer science professor JJ Merelo recounted a few hours ago on Twitter a case that he himself had just suffered, an “attempted fraud with a considerable level of sophistication”. The steps are the following:
The call appears to come from Banco Santander's phone number.
The caller already has your ID number and your phone numbers.
They tell you a story about a fraudulent payment supposedly made with your card.
They tell you that they are going to ‘fix’ your position by sending you a message with a code that you must give to the caller.
“And there is the fraud. At that moment I smelled something strange … I said so and he immediately hung up on me. […] Just in case you are not clear: BANKS DO NOT CALL TO REQUEST SENT CODES”.
A credible scam
If we receive a call like this, we must hang up and ignore it. And if doubt gnaws at us (after all, the ‘hook’ used is that we have supposedly already been the victim of a fraud), we only have to call our bank's Customer Service number to confirm that there is no problem with our account and that the previous call was not made by them.
The problem is: how many users will be convinced to cooperate with the operator by a call that appears legitimate both in form (the correct phone number) and in substance (they already have our personal data and do not try to extract it from us)?
Because therein lies the key to this scam: somehow, these scammers have had access to names, IDs and phone numbers as a result of some previous massive data leak, something that allows them to refine their social engineering strategies to previously unimaginable extremes.
But what about the other side of the scam? How is it possible that we see our bank's phone number on the screen when they call us?
This is how phone spoofing works
‘Phone spoofing’ allows the scammer who makes a call to impersonate another person or company by falsifying the number displayed on the caller ID screen of the recipient's phone.
Thus, just as ‘SMS spoofing’ is based on hiring a provider that lets you send messages with whatever sender ID you want, even if you are not its owner, its version for calls makes them appear to come from any phone number the scammer chooses.
It works more or less like this: the customer (the scammer) buys a certain number of call minutes from the provider, paying in advance. Each call is then placed after the customer has given the provider both the recipient's number and the number of the supposed originator of the call (the bank).
Although until a few years ago it was a practice restricted to areas such as State security forces, or (not always legally) to collection agencies and private investigators, the arrival of VoIP technology has ‘democratized’ access to the tools for falsifying phone numbers in this way.