Željka Jurić, Product Manager at ASEE, clarified how the fraud known as “spoofing” works and how we can protect ourselves from it, whether we are end-users or developers creating applications for them.
“Your package could not be delivered. Click on the link to update the address information.” You click and fill out the requested information; moreover, you are also asked to pay a small fee. This “small” fee turns out to be significant, and your account details are stolen through a fake form on the website. Within minutes, you’ve become a victim of spoofing fraud.
This is a major issue in the EU countries - and a costly one for banks, delivery services, and payment providers. Millions of euros are spent annually to compensate and refund amounts lost in actions where a fraudster impersonates a trusted institution and requests personal information from users.
Some EU banks have already launched campaigns to raise awareness about fraudulent messages and calls directed at their customers. Željka Jurić, Product Manager in the Security & Compliance department, explained how ASEE works on security solutions to tackle this new issue.
Can you provide more technical insight into the issue of spoofing fraud?
There are actually two methods. The more common and frequent, and thus easier for users to notice, involves someone sending you a message (known as smishing) or receiving a call (vishing) from a random number that looks like any other unknown number. You might think a friend or someone from work is calling, but once you answer, they start telling a story. For example, they tell you that you have a lot of money in cryptocurrencies and it’s time to cash it out. They call you to get your account details to transfer the money. It’s similar to SMS. The message comes from an unknown number or even an email address. In such cases, the fraudster is not doing anything technically demanding; they might have bought many different SIM cards to call from or send messages through an SMS platform.
With “true” spoofing, the number displayed on your screen is indeed the number of a bank or some other well-known institution. The caller ID is something you can never trust because it can be easily spoofed using software that fraudsters share freely online. Your screen usually shows the phone number and the name associated with the line calling you. But there are services that allow any fake caller ID to be displayed. Some Voice over IP (VoIP) providers allow the user to configure the displayed number as part of the service provider's web interface settings.
How do fraudsters obtain the contact numbers of victims?
Fraudsters get contact numbers in various ways. One way to obtain sensitive data is the dark web, where stolen data is published. However, it’s also easy to obtain personal data from social networks or job ad sites. This way, fraudsters can gain the user's trust more easily because they already know a lot about them.
They usually send fake SMS messages to random numbers. So, out of 20,000 numbers, they might hit yours just when your package from the post office is delayed. You receive a message from the fraudster that your package could not be delivered, and you need to fill out information for the courier to contact you. Naturally, you'll act accordingly as you were indeed expecting a delivery.
How did you counter these malicious practices by fraudsters?
Since we have been working with banks and financial institutions for many years, we knew what was happening. For over 20 years, we have been developing security solutions and are well-versed in mobile applications and additional features that can be integrated to protect mobile applications and their users. The logical step was to continue helping our clients and create something innovative to solve this big current issue. We utilize existing security mechanisms, which we adapted and applied to this matter.
How does Spoofing Protector work, and what technologies does it rely on?
Our solution, Spoofing Protector, is actually an SDK that integrates into the mobile application of a particular institution. It is essentially a B2B solution that protects the end-user. Each user will receive a notification before they receive a legitimate call from a particular institution. This is one of the first ways a user can know that the call is genuine. In the case of a fake call, there will be no notification. Our solution will immediately terminate the call before it even reaches the end-user.
For SMS messages, every message sent by a particular institution will contain a secure signature generated by our solution. This way, we can verify that the SMS is legitimate. If the SMS does not contain a secure signature, or the signature is not successfully verified (or is suspicious for other reasons such as the sending time or sender's name/number), the SMS will be flagged as a spoofing attempt.
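The SMS checks described in this answer, as an added illustration and not Spoofing Protector's own code (ASEE does not publish its signature format): a constructed scheme in which the institution's SMS gateway appends an HMAC trailer to each message and the receiving app verifies the signature, the sender ID and the sending time before trusting the message. The shared key, sender allow-list, trailer format and 10-minute validity window are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo key: a real deployment provisions a per-institution key out of
# band into the app's secure storage; never ship a hard-coded key.
SHARED_KEY = b"demo-key-for-illustration-only"
TRUSTED_SENDERS = {"MYBANK", "+385000000000"}  # constructed sender-ID allow-list
MAX_AGE_S = 10 * 60      # a signed SMS is accepted for 10 minutes after sending
MAX_SKEW_S = 60          # tolerate a little clock drift between gateway and phone
TRAILER = re.compile(r" #sig:(\d+):([A-Za-z0-9+/]+)$")

def _tag(sender: str, sent_at: int, text: str) -> str:
    # Bind sender ID, send time and text in one MAC so none can be swapped
    # independently; truncate to 120 bits to keep the SMS trailer short.
    msg = f"{sender}\n{sent_at}\n{text}".encode()
    mac = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:15]
    return base64.b64encode(mac).decode()

def build_sms(sender: str, text: str, sent_at: int) -> str:
    """Gateway side: append '#sig:<unix-ts>:<tag>' to the outgoing text."""
    return f"{text} #sig:{sent_at}:{_tag(sender, sent_at, text)}"

def verify_sms(sender: str, body: str, received_at: int) -> tuple[bool, str]:
    """App side: (ok, reason). Any False result is flagged as suspected spoofing."""
    m = TRAILER.search(body)
    if not m:
        return False, "no signature"
    sent_at, tag = int(m.group(1)), m.group(2)
    text = body[: m.start()]
    if sender not in TRUSTED_SENDERS:
        return False, "unknown sender"
    age = received_at - sent_at
    if age < -MAX_SKEW_S or age > MAX_AGE_S:
        return False, "sending time out of window"
    if not hmac.compare_digest(_tag(sender, sent_at, text), tag):
        return False, "signature mismatch"
    return True, "verified"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed unix timestamp
    good = build_sms("MYBANK", "Your card was used abroad. Call us if this was not you.", now)
    print(good, verify_sms("MYBANK", good, now + 120))          # (True, 'verified')
    print(verify_sms("MYBANK", "Your package could not be delivered.", now))  # (False, 'no signature')
```

A message that copies the institution's visible text but lacks a valid trailer, arrives from an unlisted sender ID, or is replayed long after it was sent is rejected with a reason the app can show to the user.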
What happens from the end-user's perspective when they receive a spoofed call or message?
To the user, it looks like they are receiving a legitimate call. It might even seem like the bank is calling them. In reality, the fraudster is calling the victim, saying they work at their bank or another institution, and informing them about a problem with their account or credit card. A fake alert can also arrive via SMS initially, asking the person to call a number to resolve the issue. Another tactic used in vishing scams is links offering opportunities to pay off debts below the original amount or high-return investments. These “offers” usually have a limited time, so the person needs to act immediately.
If it is a true spoofed SMS, it will contain the bank's or delivery service's name or number. In the SMS, they usually send a fake link directing you to check your details or redirect the package. You can easily spot that the link is fake. The URL contains a mix of letters and numbers or even some symbols, or it is just a single page with no content, and the links lead nowhere except to that page.
Because of all this, the implementation of Spoofing Protector by institutions and companies will not only help protect the company's reputation and reduce costs caused by this type of fraud. It also protects its end-users and restores trust in the institution.
Who is liable for damage caused by spoofing scams, institutions or the end-user?
It depends on the type of spoofing. If it is real spoofing where the fraudster calls from the number of a particular institution, the institution is entirely responsible for protecting its number and its users. However, if it is a random number from which calls are received, the responsibility lies with the user, as they decide how they manage their data and with whom they share it. In practice, though, institutions often try to compensate and refund money to their users to maintain their loyalty.
What can users do themselves to protect themselves?
Be careful where you leave your personal information such as email, phone number, name, and address. Prevent anyone from getting your number and making you a victim of spoofing scams. Always use multi-factor authentication for login to protect the data you have stored anywhere on the internet.
Always check the source from which you receive a message or call. If anything seems illogical or strange, do not respond or click on links. Often, fake calls are made from automated voice tools, so it feels like you are talking to a robot.
No institution will ever ask for your account details to pay you or deposit money into your account.
If you notice a fake call or message, it is best to report it immediately to the institution being impersonated to prevent any future fraud attempts.
HOW CAN ASEE HELP?
Are you experiencing issues with social engineering attempts targeting your clients? We'll gladly offer guidance and help you protect your business and your customers.
eBook: Spoofing Protection for Combating Vishing and Smishing Fraud in the Banking Sector
If you're struggling to prevent vishing and smishing fraud targeting your customers, this eBook will help you make informed decisions regarding social engineering fraud. Download the eBook to learn how Spoofing Protector detects and prevents the attacks mentioned above.