The Rise of Phone Scams

Why Voice Calls Remain a Potent Threat
Sarah Morrison
July 9, 2024

A few weeks ago, I attended a training session which had nothing to do with cyber or information security. During the session, the instructor said something interesting: “A new study has revealed that we trust voice communications over all other forms of communication.” Of course we do. Basic communication theory tells us this (palm to face moment here)! I studied this at uni many, many years ago. But do you know who else has worked this out? Threat actors.

Phone Scams Move to Number One

One might assume that sophisticated digital attacks dominate the scene in the evolving landscape of cybersecurity threats. However, recent statistics reveal a surprising trend: phone scams, whether conducted via landlines or mobile phones, are currently among the most effective methods employed by threat actors. Just pop onto the Australian Government’s National Anti-Scam Centre. The most effective delivery method for scams (currently) is the phone. For those curious, the second was social networks, and the third was email.

Why Are Phone Scams So Effective?

In an article released by the University of NSW last year, six reasons were documented as to why people fall victim to scams:

  • Financial desperation
  • Social engineering
  • Lack of awareness
  • Emotional triggers
  • Trust and authority
  • Lack of vigilance

Although these points oversimplify the matter, three of the six headings resonate with me: social engineering, lack of awareness, and trust and authority.

Realistically, it all comes down to social engineering a person. Not knowing how scams work, or not imagining you could fall victim to fraud, plays a significant role in how effective the social engineering scam will be, as does the idea of trust and authority or, more to the point, trust in authority.

Like anything, most people will choose the easiest path, so why wouldn’t a scammer follow the same methodology? I would like to think that security awareness has made us wary of email scams, so threat actors have had to find new avenues to trick us, with the telephone proving to be the most effective. However, academic research suggests it is more than this. Take, for example, a recent article by Torre, White and Knight, which states, “There is a reciprocal relationship between trust and vocal communication in human interactions.” The research concludes, in very simplistic terms, that we tend to trust people with slower speech rates and posh accents.

Could it be that simple? Well, yes and no. Take, for example, the following attributes that have been noted to persuade us:

  • Personal Touch – Phone calls provide a personal touch that emails or texts cannot.
  • Immediacy – Phone calls that demand immediate attention, leaving little time to think critically, are more effective than those that do not create the same immediacy.
  • Anonymity – Unlike digital footprints, phone calls can be made from untraceable numbers or spoofed caller IDs, making it easier to trick someone into believing the call is coming from a trusted number.
  • Emotional Connection – Voice conveys emotions and nuances, making the communication more authentic and convincing.
  • Perceived Authority – (yep, authority again) People often perceive spoken information as more authoritative and credible, particularly if the caller uses professional language and tone.

Scamming an MFA Code Example

I am not sure if you have ever heard the voice recording released by Westpac of a scammer impersonating a bank employee attempting to scam a customer out of their two-factor authentication code, but it is very revealing.

Considering the above, we can confidently say the following tricks are at play. Firstly, the scammer has spoofed the bank’s number, giving them a sense of authority. Secondly, the scammer’s voice does not meet the stereotypical voice of a threat actor (Russian or North Korean). They have a slightly posh English accent. Although the scammer in the recording talks very fast, they also speak with confidence. I would assume, in this instance, that talking slowly would give the victim time to think, so the scammer is the one doing most of the talking. In fact, in victimology studies, often the victim of a scammer will talk of how it was not until the threat actor stopped talking and the conversation was over that they realised they had been scammed, almost like a pin drop at the precise moment their minds are set free from the scammer’s influence. The phone call also calls for immediate action – the victim’s credit card is about to be used in Mexico. To stop the transaction, she must give the real scammer a code (I can almost hear the music from Mission Impossible in the background).

In a nutshell, the scammer is socially engineering their victim, pretending to be someone of authority, while creating an immediate threat that needs responding to, all through a lovely accent that sounds a little posh, so, therefore, more trustworthy, oh and let’s not forget the spoofing of the bank’s number to create legitimacy. This is to make a credit card transaction on an elderly person’s credit card. Imagine what lengths a threat actor will go to in order to compromise an organisation!!!!

How Do We Fight These Scams?

This was not supposed to be a long article; it was just a, hey, have you heard about the latest statistics on scams? The fact that several of my clients have also received emails and text messages from threat actors, asking them to call a phone number, also drilled home to me that this threat is real and here to stay! Yes, you heard me right, clients have received scam texts and emails asking them to call a number, that is how confident scammers are that this tactic works!!!!

There is no silver bullet when trying to prevent these attacks. As always, public awareness is essential in avoiding any type of scam. The problem, however, is that if you read this article, it is because you went looking for it or saw it in your LinkedIn feed. You are already aware of the problem. It is getting the message out to the rest of the world that is the hard part. How do we raise awareness? By bringing scams and threat actor tactics into our regular conversations, making the abnormal normal, by talking about the elephant in the room, and having conversations that sometimes make us uncomfortable; you get the drift.

There is a lot of research on why voice communication is so persuasive. We know it is persuasive just by looking at the latest scam numbers – we are getting scammed over the telephone! By recognising this is happening, we can better educate and protect potential victims.

If you have had similar experiences with telephone scams, or received emails and text messages from scammers asking you to call, please share these on LinkedIn, or with me if you prefer, so that I can use them to help raise awareness.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
