Written by: Alexander T. Hintlian, CISA, CCSFP
We’ve all heard the urban legend of the unwitting babysitter who receives a creepy phone call, only to find out when the phone company traces it that it’s coming from inside the house. What if this isn’t confined to the house? With Voice over Internet Protocol (“VoIP”) technology, receiving a bogus call designed to look like it’s coming from within your institution is now more of a reality than fiction. VoIP technology has made it much easier for scammers to spoof phone numbers and trick people into divulging confidential information. This act of “neighbor spoofing” is just one more way scammers are trying to socially engineer their way into your organization.
What is Neighbor Spoofing?
Neighbor spoofing is a new method used by fraudsters, telemarketers, and robocallers to disguise their actual phone numbers with a fake number that matches the area code and first three digits of their intended recipient’s phone number. This can be effective in getting through to a target because recipients are a lot more likely to answer a call from an unknown number if it appears to be local.
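The matching rule described above (same area code and first three digits as the recipient) can be checked against inbound call logs. The following Python sketch is an added example, not part of the original article; the record layout, the allowlist, the institution number list, and all phone numbers are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records: (direction, caller ID shown, number dialed).
# Assumed to come from the external trunk; numbers are fictional.
SAMPLE_CALLS = [
    ("inbound", "(617) 555-0142", "617-555-0199"),   # same area code + prefix
    ("inbound", "+1 617 555 0108", "617-555-0199"),  # same area code + prefix
    ("inbound", "212-555-0170", "617-555-0199"),     # different area code
    ("inbound", "617-555-0123", "617-555-0199"),     # allowlisted contact
    ("inbound", "617-555-0199", "617-555-0199"),     # shows an institution number
    ("outbound", "617-555-0199", "617-555-0150"),    # outbound, not evaluated
    ("inbound", "anonymous", "617-555-0199"),        # no usable caller ID
]
KNOWN_CONTACTS = {"6175550123"}             # assumed allowlist (vendors, branches)
OWN_NUMBERS = {"6175550199", "6175550150"}  # assumed institution-owned numbers


def normalize(number):
    """Return the 10-digit North American form of a number, or None."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    return digits if len(digits) == 10 else None


def classify(direction, caller, called, known=KNOWN_CONTACTS, own=OWN_NUMBERS):
    """Label one call record by how its displayed caller ID relates to the callee."""
    if direction != "inbound":
        return "ignored"
    src, dst = normalize(caller), normalize(called)
    if src is None or dst is None:
        return "unparseable"
    if src in own:
        # An external call displaying one of our own numbers cannot be genuine.
        return "claims-internal"
    if src in known:
        return "known"
    if src[:6] == dst[:6]:
        # Area code and first three digits match the recipient's number.
        return "neighbor-match"
    return "other"


def summarize(calls):
    """Count call records per label for a quick review of the log."""
    return Counter(classify(d, c, t) for d, c, t in calls)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_CALLS).most_common():
        print(f"{label:16} {count}")
```

A neighbor match is a triage signal rather than proof of spoofing, since genuine local callers share the same prefix.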
How to Stop Neighbor Spoofing
Here are some things you can do to protect yourself and your institution from falling victim to neighbor spoofing:
- Train your employees to not answer! If they don’t recognize a number and aren’t expecting a call, they can simply let it go to voicemail. By answering, they let the scammers know they have a valid phone number and that the person is likely to respond to calls from unknown numbers. As a result, the phone number may be added to a list and sold to other scammers.
- Remind employees to never give out personal or confidential information in response to an unexpected call. If they are worried it is legitimate, they should hang up and call the phone number listed on the supposed caller’s website to confirm that the caller is genuine.
- Educate your employees to not get bullied. Scammers will try to employ urgency to pressure you into divulging information immediately.
- Train employees to be skeptical regardless of what the caller ID says. Phone numbers can be spoofed just like email addresses can.
- Educate customers on this threat and reaffirm the methods that your institution uses to communicate with them.
Although neighbor spoofing scams are prohibited by the Truth in Caller ID Act of 2009, the Federal Communications Commission (“FCC”) has little recourse beyond issuing fines of up to $10,000 for each violation. Earlier this year, the FCC proposed “Advanced Methods to Target and Eliminate Unlawful Robocalls,” which would allow service providers to block spoofed robocalls; however, the proposed rule has not yet been implemented. In the meantime, remain vigilant in your security policies and procedures, and be careful of this new tactic!