Tuesday, January 9, 2024

Evolving phone scam landscape

Many of us have heard of someone getting scammed over the phone. Typically it is the result of some action triggered by the scammer reaching out to the target via phone call, email or message. I have seen lots of instances where one of these channels was used.

Recently, I came across another type of attack where the scammer sets up bait, then waits and lets the victim reach out to the scammer. The attack scenario is like this. The victim placed an order on a trusted website like Amazon. The order was paid for via credit card. Then the victim didn't receive the order, and the order suddenly disappeared from the Amazon website. The initial part of the flow, shown below, is that the scammers set the trap and then wait for some issue to occur with a third-party retailer like Amazon and for the affected customer to call them.



Since Amazon avoids publishing any well-known callback number, the victim ends up searching Google for an Amazon support number. The scammer, knowing that Amazon deliberately avoids a clean public number, puts a fake number on websites so that it shows up in Google search results as the Amazon support number. This is the bane of mobile-app-first and internet-first companies: they fail to maintain, or deprioritize, a clean presence on other channels, sometimes not even having a website or proper phone numbers that are published and don't change frequently. There are numerous examples of this behavior by companies such as Uber, PayTM, etc. The victim finds this fraudulent phone number on Google and calls to check the order status and possibly request a refund. The scammer picks up the call and, using the caller's phone number, immediately looks up the caller's name in a public registry. The victim tells the scammer about the missing order and describes its details. The scammer looks up the price of the item described and relays the charge back to the victim along with the name derived from the caller's number. The flow is depicted in the diagram below.



By relaying back the name and amount associated with the order, the scammers gain the victim's confidence that they have reached the right support line, even though they did not get a callback from the retailer. User security training over the years has taught people not to trust the call they receive but to call the publicly listed numbers themselves to make sure they are talking to the right people. The scammer then claims that a system error is causing the refund to the original payment method to fail. They send a message with a link to click in order to accept the payment. This link typically carries a malware payload. Since the victim's confidence is high, they click the link, and the phone is compromised at this point. Now the scammer tells the victim that the payment is still failing and asks whether the victim can share details of other accounts so those can be tried for the refund. The victim shares another account's details, and the scammer triggers a payment from the victim's phone, which is now under the scammer's control. OTP messages are generated and received on the victim's phone during the call, and the scammers read them. The victim still believes they are safe because they never shared an OTP with the person on the phone; this is another lesson from years of security training. Scammers try to keep the victim on the phone as long as possible, both to appear helpful and to collect as many accounts as possible and try to empty them out. These calls sometimes last as long as an hour. The victim did have some knowledge of scams and the basic rules for avoiding them: not picking up calls from strangers and never sharing OTP passcodes. Still, the fraud happened.

So far, we have covered the How of the attack. Now, let's get into Who is responsible for this. It would be naïve to blame one party in the flow. So what are the weak links or points of failure here?

  1. First and foremost is the user/victim. They have been trained to avoid clicking any link. They still clicked it, and stayed on the call sharing accounts one after another.
  2. The retailer is the next participant in this chain that is responsible here. The policy of leaving holes on older channels, whether to save operational cost or to go after certain demographics, can result in those gaps being filled by bad actors. We know that technological change takes time in society. We know people keep switching between channels over time: paper mail, phones, fax, email, messengers, etc. But different demographics adapt to these channels at different paces. By just switching to the latest channel and abandoning presence on the old channels, the company may leave a certain demographic behind. Maybe they just want young customers. Whatever the reason for these gaps, they end up being the source of trouble. The other, bigger issue on the retailer's side is the loss of data integrity. The sudden disappearance of an order from the supported app/website is a big blow to trust. A canceled order, for whatever reason, is better than a disappeared order, which makes customers anxious and prompts them to call support. The retailer, for their part, does try to make the experience good enough that users never have to call support. But it doesn't always work out. A good goal, but there are failures.
  3. Search engines are also responsible for the problem. This one is a little tricky. On one hand, search engines are just gathering information and distributing it without validation; that is the whole argument around the legal protections these platforms enjoy. I get that part. Where it gets tricky is that we know these platforms are starting to do more than just the search-and-distribute function. During the spread of Covid misinformation, we saw the content distribution channels start to filter articles or mark them as not verified in order to stop the misinformation. The major search engines are moving towards AI capabilities, telling us they can and will be doing far more than just search and distribute. They already apply many more checks to control the spread of misinformation.

Now let's cover the solution. The solution may involve more than one party. 

  1. We will start with the first weak link, the user/victim. One strategy to help with the issue is user training: making people aware of these issues with dos and don'ts. But with an ever-evolving threat landscape, some of the guidelines can actually set users up to fail by giving false confidence when the attack changes. In the current scenario, the facts that the victims themselves called the scammer, that they heard information they expected only the trusted retailer to know, and that they never shared the OTP all gave them false confidence. During the interview with the victim, it did come out that they saw the messages from the bank regarding the money transfer. But they were confident that no one could take the money out as long as they didn't tell the OTP to another person; this caused them to ignore all the red flags, stay on the call, and help the scammer try other accounts. We know there is a lag between the start of training and its impact on the general population; these are generally multi-year cycles. It becomes even harder when you have to change the original training and the old teachings start to become a problem. Another aspect of user training is that it is important but not foolproof. Some users in certain tricky situations will always fail. So we will have to think about quickly updating the user security training content and distributing it fast, but we will still have to assume that this link can fail, and we need to tighten the other parts of the flow as well.
  2. Retailers can take multiple actions to address this. The first is to make sure that orders don't just disappear. We can understand that retailers would not like this to happen either, but the checks on their side need to be more stringent. As of now it is obviously a big, known gap that scammers are trying to exploit. The second is to provide contact information in easily accessible ways so that misinformation is reduced. One way to do this is to provide contact information in EV certificates. If the information is easily available, the search engines of the world can use it and mark this information as verified.
  3. Search engines can use EV certificates or some other reliable source of contact information. There is a lot of talk about Digital Public Infrastructure. Clean and vetted contact information for business entities seems a good candidate to live in this Digital Public Infrastructure. Search engines can use that in case the information is not present in EV certificates.
  4. Banks and financial institutions have an important role to play here. For one, they employ stronger fraud-control technologies on the credit card side of the business than on the bank account side. Even in the case I interviewed, when the scammer tried to charge the credit card account, that was immediately declined. That means that, from a technology perspective, there are effective tools to help with this kind of fraud, but they are not being utilized fully. Another aspect is that SMS OTP was developed as the second factor in multi-factor authentication schemes. But on a smartphone where the caller is using the phone to talk and also receives the SMS on that same, now compromised, phone, it does not add much value. Banks need to switch from SMS towards either hardware token devices or authenticator apps on the phone. Hardware token devices can present an operational challenge in terms of how many devices one would carry with multiple accounts at different financial institutions. An authenticator app on the phone is still a nice compromise: in order to get the token, additional user action is required, so the user knows explicitly that a token is being generated, and it is more difficult than just reading the SMS on a compromised phone.

Whatever combination is picked as part of the solution, there is an urgent need to address this. The issue is that what looks like just a financial crime/fraud is not limited to finance. The financial aspects can sometimes be taken care of by insurance or other means. The bigger issue I have observed is the loss of confidence, specifically in elderly people who have gone through this experience. That emotional blow is hard to recover from, is neglected, is not spoken about much, and feels like shame to the victim forever. The other argument for urgent action is that, even leaving morality aside, people in the higher age group generally hold a lot of wealth. If some of them lose confidence in dealing with money, they will avoid dealing with the actors in the system, and that will cause more financial harm to the system than the original amount that was fraudulently taken away.
