One of the first internet memes was born when The New Yorker published the now iconic cartoon captioned, “On the internet, no one knows you’re a dog.” Today we might update that to: “On the phone, no one knows you’re a scammer.” This is the paradox of today’s hyper-connected era: We now have more ways to interact and communicate with each other than ever before, yet it’s become increasingly more challenging to know with whom you’re really communicating.
Within the past decade, bad actors have exploited this dynamic to their advantage. Call spoofing, which refers to the process of changing the caller ID to any number other than the actual calling number, is a tactic that has lately been on the rise. One analysis estimated that Americans lost nearly $29.8 billion from phone scams in 2020, more than double the amount lost from the previous year.
The most recent example to make national headlines is the story of a California man who lost half his life savings to a fraudster using a phony caller ID. In this case, the victim received a phone call from someone claiming to be a Bank of America fraud specialist who informed him that a criminal 3,000 miles away was in the process of transferring money out of his account.
While the victim was initially skeptical, the fact that his phone identified the call as coming from Bank of America provided him with enough assurance that it was legitimate. This kind of call spoofing is increasingly easy to accomplish, with criminals using simple web-based call-spoofing services to match the 1-800 numbers of legitimate companies.
Bank of America reimbursed the customer although they were under no legal obligation to do so. Savvy companies recognize that customers need help in protecting themselves from these attacks.
The growing sophistication of call spoofing tactics
The disruption and isolation caused by the COVID-19 pandemic appears to have helped fraudsters. Victims were almost three times as likely to give up their personal information in this past year as compared to pre-pandemic times. According to the FTC, phone calls figured into 31 percent of consumer fraud reports in 2020 – but the number of consumers who fall for phone fraud may be much higher, as only one in six victims of phone fraud end up reporting these incidents.
Today’s most successful scammers have also become increasingly adept at leveraging an assortment of tactics from the social engineering playbook, applying a combination of urgency and fear to compel their victims to cooperate. Whether it’s impersonating law enforcement and threatening legal consequences or posing as health department officials and threatening to take away medical benefits, attackers understand that the inherent immediacy of phone communications is an ideal vehicle for separating a mark from their money.
It should also be noted that caller ID spoofing is not only used to target consumers. Some crafty scammers are also using it to trick financial institutions. In this scenario, the scammer employs caller ID spoofing to trick the bank into giving up information about recent transactions on a customer’s account — data that can then be abused and make their phone scams even more effective.
3 strategies companies can use to protect customers
In response to the robocalling epidemic, legislators passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED) that required the FCC to mandate the STIR/SHAKEN caller identification framework that aims to better protect consumers from both unwanted robocalls and from fraudsters who are abusing caller ID to perpetrate their schemes.
The adoption of STIR/SHAKEN will go a long way towards repairing trust in the phone channel. STIR/SHAKEN enables phone companies to verify that the caller ID information transmitted with a call matches the caller’s real phone number. Carriers are standing up services that can analyze the calls on their network and inform their customers of potential spams or spoof threats –though they won’t work for home phones connected to landlines.
Like other fraud prevention measures, the best strategy is a multi-layered approach that gives equal weight to both the latest technologies and resilient workflows. Here’s what companies can do to best protect their customers from scammers:
1. Prioritize education for consumers and workers: Humans are invariably going to be the weakest link in the chain; not even the most robust technology can prevent a victim from unwittingly handing over their private credentials. That said, while many financial institutions are investing in educational programs to teach their customers basic principles around protecting their accounts, they need to make it a continuous and ongoing initiative. Likewise, these efforts should extend to the customer-facing workers and especially contact center employees who are ultimately responsible for authenticating a customer’s identity.
2. Leverage behavioral analytics to signal anomalous activities: Phone-based scams almost always culminate with the victim transmitting funds, buying untraceable gift cards, or sharing critical data that can be used to create synthetic identities to open new accounts. For financial institutions this means that they need to be able to establish a behavioral baseline of their customers to understand normal interactions from anomalous activities that could be earmarks for potential fraud threats. Embedding behavioral analytics into the customer authentication process can help pinpoint the signals within a device or network that indicate the relative risk of each transaction.
3. Drive greater trust into the phone channel: There are solutions available today that go beyond the gaps within the TRACED Act framework that can help a customer determine the legitimacy of a caller with confidence. These solutions go beyond one-dimensional caller ID notifications by enabling businesses to register their calls as legitimate non-spam, to enhance the call experience by displaying their logo alongside a reason for the call, and to provide a visual verification of the caller identity.
The modern scammer is like any successful biological organism: the faster they can adapt to a new environment, the more likely they will survive. Likewise, the agile enterprise that can proactively protect their customers from call spoofing and other brand-damaging phone-based threats will be the ones most likely to thrive in the omnichannel future.