A Convincing, New Phone Phishing Scam Wants Your Banking Secrets. Here’s How to Stay Secure

October 2, 2018, 6:13 PM UTC

Scammers have a new trick up their sleeves to extract financial details and personal information from people, but it’s not through better “phishing” email or sophisticated confidence games. Instead, it relies on something old-fashioned: phone calls, sometimes from humans and sometimes automated.

The scam works like this: A victim receives a phone call that may be a live person, an automated message system, or a voice-response system programmed to act like it’s a live person. The Caller ID will show—either by phone number, name, or both—a financial institution or cellular operator at which the person has an account.

Next, the person or recording provides some details, tells the victim that they have been defrauded, and says they need to provide details—often including their account PIN—to set up a replacement card or freeze an account.

With that information in hand, the scammers can quickly manufacture ATM or debit cards, and make withdrawals or purchases. Or they can use online banking to transfer money or issue checks. Some scams simply collect information and then sell it to third parties.

Security writer Brian Krebs has documented a disturbing trend in attacks that rely on these phishers having obtained personal or private details from a victim. This may include part or all of a Social Security number, a credit card, and a home address.

Voice-based scamming isn’t new, and senior citizens lose tens of billions of dollars a year in the U.S. to fraud, a good portion by phone.

But the twist here is how much information these newer phishers have and the polish of the live people involved in the scam. These new attacks are so convincing that they took in two savvy Internet veterans who spoke to Krebs. One of them gave over all his info, while the other barely stopped short.

Part of what makes this attack so convincing is the phishers’ manipulation of Caller ID, which is an unverified system, making it entirely unreliable. With very little effort, a scammer can generate any phone number and text they want, in order to appear as a reputable institution.

The trick to avoid voice-based scams is an old one: Never provide or confirm any private or financial details when you receive a call from a business. If asked, tell the caller you will call back.

Never use a phone number provided by a scammer, either. Always call the business back at a phone number provided on a card you have from it, or by visiting its web site.

Banks and credit-card companies will never ask for your PIN by phone, and if there’s a reason they need to call you, they verify themselves by providing information, but don’t ask you for anything beyond your name.

If you’re asked for personal details or account secrets, hang up. Some of these phishers may get aggressive, threatening you with the police, the FBI, penalties, or a lawsuit. In that case, ask for a name and number—it’s always a scam, but it’s also likely the fraudster ends the call at that point or provides fake information.