Be Aware: Cybercriminals Are Collecting Information Through Phone Scams
Learn how criminals are attempting to collect your sensitive information.
Recently, the FBI notified us about a pervasive information security threat that's causing considerable financial losses across the globe. We've learned that cybercriminals are conducting phone reconnaissance as an early exploratory step in staging more complex email fraud schemes. Perpetrators contact individuals and organizations by phone under false pretenses. They use manipulative methods to collect information, which they then use to carry out targeted email attacks on the individuals and businesses whose information they obtained.
It's important to understand these tactics so you don't unintentionally help cybercriminals and put others at risk when you answer a seemingly ordinary, but unsolicited, phone call at your home or workplace.
Predatory Phone Calls
These targeted attacks are known as business email compromise (BEC) schemes. According to the FBI, these schemes have cost U.S. victims more than $3.6 billion in fraud losses over the last five years. Perpetrators may call a company's customer service or help number and employ social engineering tactics like pressuring or rushing the person on the phone as they inquire about the business and seek to obtain other information like employee names and contact information.
Social engineering, as it relates to this type of threat, means psychologically manipulating people into sharing confidential information or unknowingly performing actions that help cybercriminals carry out attacks. Cybercriminals use the information they collect to more effectively impersonate a trusted sender. The resulting personalized emails have a better chance of success because they contain details that make them appear legitimate, so they are less likely to raise suspicion until the damage is done.
Callers may impersonate someone, like a loan officer at a financial institution, who is seeking to verify employment information for someone who works at your company. In this example, an individual's coworker or manager could inadvertently provide information that's later used to stage a believable scam aimed at the employee in question. Individuals are vulnerable to the same risks when they receive unsolicited phone calls at home.
Although the information a caller asks for may seem harmless and non-sensitive, it's important to be aware that it can be used to build a convincing cyberattack.
Precautions for Avoiding Phone Scams
- Contact requestors by phone before complying with email requests for payments or personnel records.
- Verify the source of the phone call against a list of approved vendors or by calling the government agency's public access number (e.g., the IRS).
- Do not provide payment information over the phone.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Be suspicious of requests for abnormal payment methods, such as payment by gift card.
- Learn about spear phishing emails and how to recognize them.
- Limit the information you provide on your social media accounts.
- If you are an employer, make sure to alert your staff about these tactics and remind them not to give out information.
The FBI has requested that victims of these cyberattacks file a complaint with IC3, regardless of how much money is lost or when the incident occurred. File IC3 complaints at IC3.gov and include the following details (if applicable):
- Any messages pertaining to the attack. Save the email in the original, un-forwarded format.
- Victim information
- Overall losses associated with the attack
- Transaction details for any payments made that were associated with the attack
- Victim impact statement
- IP addresses used to send fraudulent emails
You'll be better prepared to guard against this persistent threat if you understand the tactics being used against you. Our Security Resources page provides additional information to help you reinforce your personal security. If you have any questions, please contact a BECU representative at 800.233.2328.