Avoiding Sophisticated Scammers
Things you need to know to avoid being scammed in the age of sophisticated scamming
A friend just got in touch with me to ask me how it is possible that a scammer can pretend to be calling from his bank’s number, and I believe it is important for everyone to know about this as it could save them from being scammed.
This is what he told me:
Phone number spoofing is a tactic commonly used by scammers. Spoofing is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. This is typically done using Voice over IP (VoIP) services and specialised software or web services that allow the caller to appear as though they’re calling from any number they choose.
Here’s a basic, non-technical explanation of how it works:
VoIP Services: VoIP technology allows for the making of calls directly from a computer, a VoIP phone, or other data-driven devices. It essentially converts your voice into a digital signal, allowing it to travel over the Internet.
Caller ID Spoofing Software or Services: There are software and services available that allow users to input any number as their Caller ID. These services connect to VoIP technology. When a call is made, the VoIP service transmits the chosen number to the recipient’s caller ID. This is not easy to achieve in non-VoIP networks as it requires compromising well-defended telecoms infrastructure.
Making the Call: The scammer dials the victim’s number using this technology. On the recipient’s end, it appears as if the call is coming from the number the scammer chose, which in this case, was his bank’s number.
This kind of spoofing is commonly used in scams because it gives the scammer an air of legitimacy. If you see your bank’s number calling, you’re much more likely to pick up and trust what the caller is saying. With Machine Learning going through an explosive growth phase, it is only a matter of time until getting past other safeguards, including being put through to a Maltese-speaking colleague who is no colleague at all, becomes possible.
To protect yourself against these scams, remember that just because a call appears to come from a certain number doesn’t mean it’s genuinely from that number. If you’re ever unsure, hang up and call back the official number of the organisation the caller claims to represent. It is important never to give out personal information over the phone unless you initiated the call and you’re sure you’re speaking with a legitimate representative.
His next question was:
This is what we usually refer to as a man-in-the-middle style attack. While it’s technically possible to execute a man-in-the-middle attack on a telephone call, it’s very unlikely and significantly more complicated than a simple number spoofing attack on a VoIP network. Such an attack would require a very high level of technical skill and resources, and it would also likely involve compromising the phone networks or systems themselves, which is usually heavily guarded against.
This sort of attack is less likely because:
It requires control over telecom infrastructure: To reroute a call, an attacker would need access to the telecom infrastructure, which is controlled by service providers. Gaining unauthorised access to these systems is (besides being illegal) extremely challenging due to the robust security measures in place.
It necessitates real-time interception: Unlike data transmission over the internet, where packets of data can be intercepted, altered and re-transmitted, voice calls require real-time interception and rerouting. This adds another layer of technical complexity, which, while surmountable, is not within everyone’s reach.
Encryption is utilised: Modern phone systems often use encryption, which makes intercepting and tampering with the calls even more difficult.
Regulations and Monitoring: Telephony service providers are regulated by government entities and have strong security protocols in place. Suspicious activities are more likely to be detected and stopped.
That said, it’s always good to be vigilant. If you have any reason to suspect a call isn’t legitimate, even if you initiated it, you can always hang up and try again, or find another way to contact the bank, like through their official website or app. If you’re calling a number you found online, make sure it’s the bank’s or that it belongs to whatever organisation you are trying to get in touch with, as site replication has been known to happen.
His next question then was:
A man-in-the-middle (MitM) attack on a telephone call would require a significant breach of the telecommunications infrastructure, likely involving both cybersecurity and potential physical access breaches.
Here are some possibilities (caveat: this is not an exhaustive list):
Cybersecurity Breach: A MitM attacker might be able to breach the cybersecurity defenses of a telecom provider. This would involve hacking into their systems, compromising their software, and gaining unauthorised control over their call-routing infrastructure (typically the soft-switch). This is a highly complex task and is also heavily guarded against by the telecom service providers. It would require advanced hacking skills and hacking resources that are typically available only to government-backed cyber-offensive programs, where hacking tools are also known to include hardware backdoors that are almost impossible to detect, let alone to protect against.
Physical Access Breach: Physical access to the telecom infrastructure might involve tampering with telephone exchanges, cellular towers or other critical hardware. This would also be extremely difficult due to the physical security measures in place, and for this reason, if successful, it would likely only affect a small, localised area.
Device Compromise: Another possibility could be the compromise of the individual devices (like your personal phone). This is much easier to pull off. If an attacker can install malware on your device, they could potentially intercept your calls. This wouldn’t typically involve breaching the telecom infrastructure but would still be considered a form of MitM attack.
Network Spoofing: In this scenario, an attacker could create a fake mobile tower (also known as an IMSI catcher or Stingray) and trick nearby mobile phones into connecting to it. The attacker could then potentially intercept calls and reroute them as necessary. However, this requires specialised equipment and is usually detectable by telecom providers.
In all cases, call rerouting methods are technically challenging, and typically within the capabilities of only the most resourceful and determined attackers, such as state-sponsored actors. For an everyday individual, the risk of being targeted by such an attack is extremely low, so until the situation changes, it is still a safe bet to hang up on calls of suspected scammers and to call back the entity from which the scammers claim to have originated.
His last interjection before thanking me for my insights was:
Yes, there are off-the-shelf VoIP services that can be used to spoof Caller ID information. Some of these services are legal and have legitimate uses. For example, a business might want all outgoing calls to display the same callback number, or a doctor might want to display the office number when calling patients from a personal phone. However, these services can be – and are – misused by scammers to impersonate others.
Detecting a spoofed call can be tricky because the technology allows the false information to be transmitted through the phone networks as if it were genuine. However, there are some strategies and tools that can help:
Your Own Judgment: If the caller is asking for sensitive information or trying to collect seemingly genuine information, that’s a red flag. Legitimate businesses usually don’t ask for sensitive information, like your password or your social security number, over the phone.
Call-Blocking Apps: Some smartphone apps try to identify and block spam calls. These apps may use databases of known scam numbers, user reports and other information to help filter out unwanted calls.
STIR/SHAKEN Framework: This is a new technology that the telecom industry is in the process of implementing to ensure the Caller ID information is accurate. The STIR/SHAKEN framework involves digitally signing calls as they pass through the networks. This doesn’t prevent spoofing, but it allows for verification that a call is genuinely coming from the number it claims to be from. Unfortunately, this depends on your telecoms service provider, as it is the service provider that needs to implement this technology in order for you to be able to use it.
Check with the Supposed Source: Again, if you receive a suspicious call from a number that you know (like your bank), hang up and call the number you have for them. Don’t call back the number that called you, as it could lead to the scammer.
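To make the STIR/SHAKEN point above concrete, here is an added example (written for this explanation, not code from any carrier or from the framework’s authors) of the claim checks a receiving network applies to the signed token, called a PASSporT, that travels with a call in the SIP Identity header. The function names, the fictional 555 numbers and the certificate URL are assumptions, and the ES256 signature validation that must come first is outside the block.

```python
import base64, json, re

FRESHNESS_SECONDS = 60  # RFC 8224 recommends a sixty-second freshness window

def b64url_json(part):
    """Decode one base64url token segment (padding restored) into JSON."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def digits(number):
    """Reduce a telephone number to digits only, as PASSporT 'tn' values are."""
    return re.sub(r"\D", "", number)

def check_passport(identity_header, shown_caller_id, dialled_number, now):
    """Return reasons to distrust the caller ID (empty list: claims agree).
    Claims only: a real verifier first validates the ES256 signature
    against the certificate fetched from 'x5u'."""
    token = identity_header.split(";", 1)[0].strip()
    try:
        head_b64, body_b64, _sig = token.split(".")
        header, claims = b64url_json(head_b64), b64url_json(body_b64)
        alg, ppt = header.get("alg"), header.get("ppt")
        orig_tn, dest_tns = claims["orig"]["tn"], claims["dest"]["tn"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["malformed PASSporT"]
    problems = []
    if alg != "ES256" or ppt != "shaken":
        problems.append("not a SHAKEN PASSporT")
    if orig_tn != digits(shown_caller_id):
        problems.append("signed number differs from displayed caller ID")
    if digits(dialled_number) not in dest_tns:
        problems.append("token issued for a different destination")
    if abs(now - claims.get("iat", 0)) > FRESHNESS_SECONDS:
        problems.append("stale token (possible replay)")
    if claims.get("attest") != "A":
        problems.append("carrier did not fully attest the number")
    return problems

def sample_identity(orig_tn, dest_tn, iat, attest="A"):
    """Constructed sample; the signature segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(header)}.{enc(claims)}.c2ln;info=<{header['x5u']}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    hdr = sample_identity("12025550100", "12025550123", iat=1_700_000_000)
    print(check_passport(hdr, "+1 202 555 0100", "+1 202 555 0123", 1_700_000_005))
```

An attestation of "B" or "C" means the originating carrier could not vouch for the caller’s right to use the number, which is why such calls are commonly not shown as verified.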
Unfortunately, there is no foolproof way to detect a spoofed call every time. Your best defense is to be cautious, especially if the caller is asking for sensitive information. It’s always okay to hang up, look up the official contact number for the entity they’re claiming to represent, and call them back yourself to verify.
Moreover, if you’re looking for protection from such spoofed calls, consider installing an app or service like Hiya, Nomorobo, Truecaller, Call Control, YouMail or RoboKiller, which aim to help identify and block spam and scam calls. However, none of these can be 100% effective, so always remember to verify the identity of a caller independently if they are asking for personal or sensitive information.