Vishing: New breed of phone scams hook UK customers
The death threats Simon Woodhead has been receiving all seem sincere. People want revenge. Woodhead has been the target of a fast-growing number of angry UK phone customers who are victims of voice phishing, or "vishing" − a form of telephone fraud where scammers pose as an insurance company or bank representative to seize financial information and defraud their victims.
"I've had a number of experiences with angry mobs," said Woodhead, CEO of Simwood, a UK telecoms company, "from people threatening to come around and kill me one Christmas, through to people posting my personal details and those of charities I'm involved with online."
It might sound like a classic swindle, but these scammers now cover their tracks with an advanced phone hacking technique called "spoofing" whereby they obscure their identity by hijacking another caller's ID.
The terms are reminiscent of Dr Seuss, but spoofing in combination with vishing is "a growing problem in the UK," a spokesperson for communications regulator Ofcom told IBTimes UK.
Due to the technical sophistication of this new breed of scam, however, it's nearly impossible for authorities to catch the cybercriminals behind it. Through late 2015 and early 2016 thousands of phone customers in the UK have experienced a barrage of spoofed caller ID vishing calls.
The Big Vish
According to Action Fraud, the UK's national fraud reporting centre, UK phone customers were scammed of £23.9 million by vishing ploys from December 2013 to December 2014. That's a big jump from £7m the previous year.
Where all this money is going remains a mystery, although in 2015 proceeds from some of these scams in London were traced to jihadist groups, including Isis.
Woodhead is certainly not benefiting. His company Simwood, a telecoms wholesaler that runs the networks for major retail phone companies on the scale of BT, TalkTalk and Three, is itself a spoofing victim. Angry customers trying to call their scammers back find themselves connected instead with Simwood, and hear a message explaining the number has been spoofed.
"The disguised calls are often routed via the internet and/or a number of different international networks," said Ofcom's spokesperson. This exacerbates the problem, making it nearly impossible to trace the cybercriminals. And even when they can be traced, they are often found in another country, far from the reach of UK law.
Many who receive scam calls take to online forums and social media to warn others. "Just had cold call from 'Action Claims Bureau' asking about accident I haven't had," wrote John Hyde, deputy news editor for the Law Society Gazette, on Twitter last November, noting the message was an obvious attempt at vishing and "totally unacceptable".
Just had cold call from Action Claims Bureau asking about accident I haven't had. Obviously fishing, totally unacceptable.
— John Hyde (@JohnHyde1982) November 9, 2015
"Asked me if I had been involved in a car accident that was not my fault," wrote user Chris on the forum whocalls.me.uk last November, referring to the same 'Action Claims Bureau' vishing scam. "I asked who reported it and she hung up." Other forums that gathered similar complaints about the group include who-called.co.uk, tellows.co.uk, telspy.org and a host of others. They show thousands of searches from customers for the offending numbers.
Action Fraud's online fraud reporting tool is where customers should report vishing. But the tool doesn't provide a searchable database of numbers to avoid, or a forum where users can share their experiences.
Deep Sea Vishing
The volume of spoofed vishing calls in the UK is unknown. Ofcom suspects many are coming from overseas. Even the extent of complaints about vishing is difficult to determine.
Action Fraud, for instance, recorded more than 5,000 vishing crime reports between April 2014 and March 2015. But the UK's Information Commissioner's Office (ICO) does not separate out vishing-specific complaints from the 14,343 complaints about nuisance calls it receives on average each month.
Action Fraud has estimated a quarter of people in the UK are at risk of vishing scams. It's simply a question of volume: perpetrators can place millions of calls a day using digital dialing technology.
Woodhead wants more to be done to educate the public about the dangers of vishing. In 2013 Simwood responded to a parliamentary report investigating what could be done about the swell of phone fraud.
Public awareness "that people cannot trust the caller ID that appears on their phone isn't there at the moment," Woodhead said.
In a number of cases, he added, retail phone companies have given victims "our name as the perpetrator, [denying] that the call origin can be spoofed".
One particular victim sticks in his mind. Woodhead recalls a 90-year-old woman on oxygen tanks who was "transferred to my direct line by BT with no introduction." She was in floods of tears, he said, "because she had to keep rushing to the phone to get what was a pointless call, undergoing significant medical disruption to do so."
More than 50% of vishing fraud affects seniors over 65.
A Hard Vish To Catch
According to Woodhead, the current investigative process used by Ofcom and the ICO doesn't focus on the origin of the calls, but rather who owns or operates the spoofed number.
"So you have a scenario where a complete third party is making calls with a falsified caller ID," he said, "and the whole investigation process trundles on in completely the wrong direction."
But regulators are increasingly working to bring nuisance callers to justice. Fines for nuisance calls increased dramatically in 2015. A company called National Advice Clinic was fined £850,000 − the highest financial penalty yet for nuisance calls − in late 2015.
However, developing the ability to trace spoofed numbers remains a challenge. Last year Ofcom placed 30 traces on spoofed calls using a brand-new investigation process. But it was able to identify the source of the calls in just 10 of those cases.
The findings, published in December 2015 in an Ofcom and ICO annual review, also show the ICO made only one successful trace last year.
Last April regulators rallied the likes of BT, TalkTalk, Virgin Media, Sky, Vodafone, Telefonica/O2, and four others to put in place better tracking mechanisms.
Still "call tracing is not always successful, for a number of reasons," said Ofcom's spokesperson. "For example, communications providers outside of the UK may not be responsive to call-tracing requests."
New technical standards on internet traffic that would thwart number spoofing is in the works at the global Internet Engineering Task Force (IETF). But this will require global agreements between standards bodies, equipment vendors and communications providers, and "may take a number of years," according to Ofcom.
So for now, Woodhead says, "this is a real issue that really hurts people," and in which "we are powerless to intervene".
© Copyright IBTimes 2024. All rights reserved.
