Deceptions
Your modest phone number holds more worth than you realize. Discover how it may end up in the incorrect hands – and how you can assist in preventing it from falling into the grasp of scammers.
15 Jul 2024
•
,
7 min. read
What could be one of the simplest methods to defraud someone of their finances – anonymously, naturally?
Could it entail acquiring their credit card details, possibly through digital skimming or by infiltrating a repository of sensitive personal data? Although effective, these techniques might require significant resources and a level of technical expertise.
How about seizing payment information through counterfeit websites? This might be a plausible scenario, but imitating authentic websites (and email addresses for “spreading the word”) may not be viable for all. The chances are also good that adept individuals in security or security measures will detect such deceptions promptly or neutralize them using security measures.
Instead, malevolent individuals are resorting to highly scalable setups that hinge on elaborate social manipulation tactics and have minimal operating costs. Through voice phishing (also known as vishing) and message scams (smishing), these ventures have evolved into a lucrative scam call-center sector valued at billions of dollars.
Initially, these stratagems may necessitate minimal specialized or technical expertise. Moreover, an individual (often a human trafficking victim) can, simultaneously, entangle several unwitting targets in various forms of deception. These frequently involve pig butchering, cryptocurrency schemes, romance scams, and tech support fraud, each weaving a convincing tale and exploiting some aspects of our humanity.
Hello? Anybody there?
Picture answering a call purportedly from your bank notifying you that your account has been breached and to safeguard your funds, they require you to disclose sensitive information. The urgency in the voice of the purported bank “employee” might compel you to share your delicate details. The dilemma is, this individual might not be affiliated with your bank – or may not even be real at all. It could just be a synthesized voice, yet sounding entirely natural.
This occurrence is far from rare, with numerous cautionary narratives from recent times. In 2019, a CEO fell victim to a near US$250,000 scam involving a convincing voice deepfake imitating their parent corporation’s leader. Likewise, in 2024, a financial professional was hoodwinked via a deepfake video call, resulting in a US$25 million loss for their company.
Artificial Intelligence, the facilitator
With advanced AI voice cloning and translation capabilities, vishing and smishing are now more accessible than ever. In fact, ESET Global Cybersecurity Advisor Jake Moore showcased how effortlessly anyone can create a convincing deepfake representation of another person – even someone familiar to you. Seeing and hearing no longer guarantee legitimacy.
AI is reducing the entry barrier for emerging adversaries, acting as a multifaceted instrument for data collection, automating repetitive tasks, and expanding their global influence. Consequently, phishing leveraging AI-generated voices and text will likely grow more prevalent.
In this context, a recent study by Enea pointed out a 1,265% surge in phishing schemes post the launch of ChatGPT in November 2022, shedding light on the potential of extensive language models to bolster such nefarious activities.
Who are you, what’s your contact number?
As indicated by Consumer Reports analysis from 2022, individuals are growing more wary of their privacy compared to previous times. Some 75% of respondents in the survey expressed at least some level of concern regarding the privacy of their online-collected data, which may encompass phone numbers, regarded as a valuable asset for identification and promotional purposes.
However, now that we have left behind the era of the Yellow Pages, how does this correlation between phone numbers and advertising operate?
Take this into account.Explanatory instance: Imagine a baseball enthusiast placed tickets in a specialized application’s shopping cart but did not finalize the purchase. Shortly after exiting the application, he got a phone call presenting a discount on the tickets. Naturally, he was puzzled as he didn’t recall giving his phone number to the app. How did the app acquire his number, then?
The explanation lies in tracking. Certain trackers are capable of gathering specific data from a webpage, so once you input your phone number into a form, a tracker could identify and retain it to generate what is commonly known as customized content and experience. There exists a whole business model referred to as “data brokering”, and the regrettable truth is that a data breach isn’t necessary for the data to become public.
Tracking, data vendors, and breaches
Data vendors harvest your personal details from publicly available sources (such as government licenses/registrations), business sources (collaborative partners like credit card providers or stores) as well as by monitoring your online behaviors (engagement on social media, ad interactions, etc.), before trading your data to others.
Nonetheless, you might be wondering: how do scammers acquire other individuals’ phone numbers?
Typically, the more companies, websites, and applications you disclose your personal information to, the more intricate your personal “marketing profile” becomes. This also elevates your vulnerability to data breaches, as data vendors themselves might encounter security breaches. A data vendor could also vend your data to others, possibly even including malicious entities.
Nevertheless, data brokers, or violations impacting them, are not the only origins of phone numbers for scammers. Here are several other methods through which criminals can obtain access to your phone number:
- Available outlets: Social media platforms or online job platforms might display your phone number to facilitate connections. In the event your privacy settings are not appropriately configured or you are unaware of the ramifications of disclosing your phone number in your social media profile, your number could be visible to anyone, including an AI web crawler.
- Compromised accounts: Various online services necessitate your phone number, whether for identity verification, order placement, or authentication purposes. When your accounts undergo brute force attacks due to weak passwords or if one of your online service providers suffers a data breach, your number could easily be exposed as well.
- Automated dialers: Automated dialers randomly call numbers, and upon answering, you may become a target for a scam. Sometimes, these dialers call simply to confirm that the number is active and can be added to a target list.
- Mail: Check any recent deliveries – they typically display your address on the packaging, but occasionally may also feature your email or phone number. Imagine if someone pilfered one of your deliveries or scoured through your discarded items? Given that data breaches typically involve similar information, this can be extremely hazardous and a basis for further exploitation.
As a demonstration of a broad data breach affecting phone numbers, AT&T recently disclosed that millions of customers’ call and text message records from mid-to-late 2022 were exposed in a massive data breach. Nearly all customers of the company and individuals utilizing the cellular network have had their numbers, call durations, and call counts exposed. While call and text contents are allegedly not part of the compromised data, customer names and numbers can still be easily linked, as reported by CNN.
Reportedly, the fault lies with a third-party cloud platform, which a malevolent actor had infiltrated. Coincidentally, the same platform has experienced several instances of extensive breaches associated with it in recent years.
Securing your phone number
Therefore, how can you safeguard your number and yourself? Here are some suggestions:
- Stay cautious of phishing. Avoid responding to unsolicited messages/calls from overseas numbers, refrain from clicking on unsolicited links in your emails/messages, and keep a level head to deliberate before reacting to an apparently urgent situation, as that’s where they snare you.
- Inquire with your service provider regarding their SIM security protocols. They might offer options for card locks to deter SIM swapping, or additional account security layers to prevent scams like call forwarding.
- Enhance your account security with two-factor authentication, preferably using specialized security keys, apps, or biometrics instead of SMS-based verification. The latter can be intercepted by malicious actors with relative ease. Implement the same for service provider accounts as well.
- Exercise caution before furnishing your phone number to a website. While having it as an extra recovery option for your various apps may be beneficial, alternative methods like secondary emails/authenticators could present a more secure substitute.
- For online transactions, contemplate utilizing a pre-paid SIM card or a VoIP service instead of your regular phone number.
- Employ a mobile security solution with call filtering, ensure that third-party cookies in your web browser are disabled, and explore other privacy-enhancing tools and technologies.
In a world increasingly reliant on online data storage, it’s improbable that your number wouldn’t be retained by a third party somewhere. As illustrated by the AT&T incident, relying solely on your carrier’s security measures is also somewhat problematic. However, this doesn’t suggest that you should exist in a constant state of paranoia.
Alternatively, it emphasizes the necessity of upholding proper cyber hygiene and staying mindful of your online data. Vigilance remains crucial, notably in light of the consequences of this emerging, AI-driven (under)world.
About Author
