The evolving scam landscape

We’ve seen an uptick in news about increasingly sophisticated scams perpetrated by fraudsters. This article reviews a few of the common types and describes behavioral and analytics-based defenses. Let’s have a look.

Scams

Here’s a list of the more common scam tactics being used:

  • Phishing: A fake email, often impersonating a trusted entity and including links to a fake website that prompts the victim to reveal personal information, including login credentials to the trusted entity’s website.
  • Smishing: A fake text message version of phishing.
  • Vishing: A phone call, usually from a spoofed number, used as a voice call version of phishing.
  • Audio recording of the intended victim’s voice, often from vishing calls or social media videos, to develop a voice profile.
  • Artificial Intelligence (AI) using leading-edge software tools to write more realistic emails and text messages and produce audio records based on the victim’s voice profile.

Fraudsters use these tactics to collect information to profile their intended victim before they attack. Here’s a list of the more common scams being used.

  • Identity theft. Collect enough information to create accounts with other entities impersonating the victim.
  • Robocall with a recorded voice that sounds like a live caller who asks a question and records the victim’s “yes” response for use later.
  • CEO impersonation. Your boss calls (at least, it sounds like your boss), and tells you to wire a large sum to a new vendor. It’s urgent. Don’t ask, just do it.
  • Fake abduction. You get a call from a family member or spouse, and the caller ID checks out. The voice sounds like your family member, sort of, or you can hear them in the background. They want you to send a large sum to a Venmo account.
  • Ransomware. A fraudster has used a variety of scam tactics to gain access to your computer or network and demands a ransom.

Behavioral defenses

Look for clues that emails, text messages, or phone calls might be fake, such as odd misspellings, poor email design, alternate characters used to throw off spam filters, and hidden email send-from addresses that are not the spoofed entity.

Don’t click links in emails or text messages that take you directly to a website that asks for your credentials. Instead, navigate to the legitimate website, log in with your credentials, and check that the message was legitimate.

Never give out a one-time password or security code that unexpectedly appeared on your mobile device. It could be a fraudster trying to get past two-factor authentication. Banks, utility companies, merchants, government agencies, etc. will not contact you and ask for your credentials.

Agree on a codeword with family members that you would use to identify yourself over the phone. If you receive a phone call from someone who claims to have your family member and wants money to release them or who seems to be your family member but their word choice doesn’t sound right (might be a spoofed recording generated using AI), ask for the agreed-upon codeword.

Analytics-based defenses

Call authentication identifies the source of call origination, the originator’s direct, authenticated knowledge of the calling party and the calling party’s use of the calling identity.

To optimize the value of call authentication information, we must close the third-party signing loophole, which enables bad actors to hide their bad traffic more easily behind a downstream provider’s SHAKEN certificate. Voice service providers should have their calls signed with their own certificates using an appropriate attestation level.

Reputation scoring of calling numbers and SHAKEN signers. Reputation scores can be based on a variety of sources:

  • Complaints from other callers.
  • Honeypots use numbers that are not in use by real people. Calls received are mostly robocalls (perhaps a few misdials too).
  • Invalid, unallocated, Do-Not-Originate calling numbers.
  • Calling patterns with atypical bursts of call traffic, short duration calls, or calls with low answer rates. (Be careful with this type of analytics—many legitimate callers send legal and wanted calls with such patterns. The best calling pattern analytics methods learn calling patterns to minimize false positives.)
  • Identification of SHAKEN signers that sign a high percentage of robocalls and with over-authenticated calls (e.g., calls authenticated with A-level attestation by a signing provider that does not know the caller or the caller’s right to use the calling number).
  • Automated call content analysis, which transcribes robocalls received by a honeypot and uses natural language processing to perform content analysis.
data algorithm concept, filling in the missing pieces

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 25 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.