Hello, are you looking for me? How scammers get your phone number

Scam

Your humble phone number is more valuable than you might think. Here’s how it can fall into the wrong hands – and how you can help keep it out of the reach of fraudsters.

July 15, 2024
•
,
7 minutes. read

What could be one of the easiest ways to cheat someone out of money – anonymously, of course?

Could it involve stealing their credit card information, perhaps through digital skimming or after hacking into a database containing sensitive personal information? While effective, these methods can be resource intensive and require some technical skill.

What about stealing payment information through fake websites? This may indeed fit the bill, but spoofing legitimate websites (and email addresses to “spread the word”) may not be for everyone either. There is also a good chance that such tricks will be noticed in time by the security-conscious among us or will be thwarted by security controls.

Instead, bad actors are turning to highly scalable operations that rely on sophisticated social engineering tactics and cost little to operate. With the help of voice phishing (also called vishing) and message fraud (smishing), these operations have been developed into a scam call center industry worth billions of dollars.

For starters, these tricks may not require a lot of specialized or technical skills. A single person (often a victim of human trafficking) can simultaneously ensnare several unwitting victims in various forms of fraud. This often involves pig slaughter, cryptocurrency fraud, romance scams, and tech support fraud, all of which create a compelling thread and prey on some of what actually makes us human.

Figure 1. Would you take the bait? — *Would you take the bait?*

Hello? Is this thing on?

Imagine getting a call from your bank informing you that your account has been compromised. To keep your money safe, you need to share your sensitive data with them. Indeed, the urgency in the voice of the bank’s “employee” may be enough to prompt you to share your sensitive information. The problem is that this person may not be from your bank, or may not exist at all. It could just be a made-up voice, but still sound completely natural.

This is not at all unusual and cautionary tales from recent years abound. A CEO in 2019 was scammed out of almost $250,000 by a convincing voice, deepfake of the head of their parent company. In the same way, a financial employee was deceived via a deepfake video call in 2024, costing their company $25 million.

AI, the enabler

With modern AI voice cloning capabilities and translation capabilities, vishing and smishing have become easier than ever. ESET Global Cybersecurity Advisor Jake Moore demonstrated the ease with which anyone can create a convincing deepfake version of someone else – including someone you know well. Seeing and hearing are no longer believing.

*Example of a first contact. This message, which is making the rounds in Slovakia, has been duly translated into Slovak (it reads “Good morning”).*

AI lowers the access barrier for new adversaries, serving as a versatile tool to collect data, automate tedious tasks and globalize their reach. As a result, phishing using AI-generated voices and text is likely to become increasingly common.

On this note, one recent report from Enea noted a 1,265% increase in phishing scams since ChatGPT launched in November 2022 and highlighted the potential of large language models to fuel such malicious operations.

What’s your name, what’s your number?

As shown 2022 Consumer Reports survey, people are becoming more privacy conscious than before. About 75% of survey respondents were at least somewhat concerned about the privacy of their data collected online, which may include phone numbers, as these are a valuable source for both identification and advertising.

But now that we are well past the age of the Golden Pageshow does this connection between phone numbers and advertisements work?

Consider this illustrative example: A baseball fan placed tickets in the cash register of a special app, but did not complete the purchase. And yet, shortly after closing the app, he received a call with a discount on the tickets. Naturally, he was baffled because he couldn’t remember providing his phone number to the app. So how did he get his number?

The answer is: via tracking. Some trackers can collect specific information from a web page, so after you enter their phone number into a form, a tracker can detect and store it to create what is often called personalized content and experience. There’s a whole business model known as “data brokering,” and the bad news is that it doesn’t take a breach for the data to become public.

Tracking, data brokers and leaks

Data brokers suck your personal data from publicly available sources (government licenses/registrations), commercial sources (business partners such as credit card providers or stores), and by tracking your online activity (social media activity, ad clicks, etc.), before disclosing your data to others to sell.

Still, the question on your lips may be: How can scammers get other people’s phone numbers?

Searching for victims via WhatsApp — *Looking for victims*

The more companies, sites and apps you share your personal information with, the more detailed your personal ‘marketing profile’ is. This also increases your exposure to data breaches, as data brokers can do that themselves experience safety incidents. A data broker can also sell your data to others, possibly including bad actors.

But data brokers, or breaches that affect them, aren’t the only source of phone numbers for scammers. Here are some other ways criminals can get your phone number:

Public sources: Social media sites or online job fairs may display your phone number as a means to connect. If your privacy settings are not entered correctly or you are not aware of the consequences of disclosing your phone number on your social media profile, your number may be available to anyone, even a AI web scraper.
Stolen bills: Several online services require your phone number, whether to confirm your identity, place an order, or serve as an authentication factor. When your accounts are brutally compromised due to weak passwords or when one of your online providers suffers a data breach, your number can also be easily leaked.
Automatic dialers: Autodialers call random numbers, and once you answer the call, you may become the target of a scam. Sometimes these autodialers call just to confirm that the number is in use so it can be added to a list of targets.
Mail: Check all your recent deliveries. Your address is usually visible on the letter/box, but in some cases your email address or telephone number may also be printed. What if someone stole one of your deliveries or rummaged through your recycling pile? Since data breaches usually contain the same information, this can be very dangerous and give rise to further exploitation.

As an example of a massive phone number breach, AT&T recently revealed that millions of customers’ voice and text messages were exposed in a massive data breach in mid-to-late 2022. Nearly all of the company’s customers and people using the mobile network have their numbers, call durations and number of call interactions known. Although call and text message content is reportedly not among the leaked data, customer names and numbers can still be easily linked reported by CNN.

Reportedly, the blame could be placed on a third-party cloud platform, which a malicious actor had gained access to. Coincidentally, it had the same platform several cases of massive leaks associated with this in recent years.

How to secure your phone number

So, how can you protect yourself and your number? Here are a few tips:

Be aware of phishing. Never answer unsolicited messages/calls from foreign numbers, don’t click random links in your emails/messages and remember to stay calm and think before responding to a seemingly urgent situation, because that’s how they get you.
Ask your service provider about them SIM security measures. They may have a card lock option to protect against SIM swapping, for example, or extra layers of account security to prevent scams such as call forwarding.
Protect your accounts with two-factor authentication, ideally using special security keys, apps or biometrics instead of SMS-based authentication. The latter can be intercepted relatively easily by bad actors. Do the same for service provider accounts.
Think twice before providing your phone number to a website. While it can be useful to have this as an additional recovery option for your various apps, other methods such as secondary emails/authenticators can provide a more secure alternative.
For online purchases you may want to consider one prepaid SIM card or a VoIP service instead of your regular telephone number.
Use a mobile security solution with call filtering, block third-party cookies in your web browser, and discover other privacy-enhancing tools and technologies.

In a world that increasingly relies on online record keeping, it’s unlikely that your number isn’t being held by a third party somewhere. And as the AT&T incident suggests, relying on your own carrier’s security is also quite problematic. However, this doesn’t mean you have to remain in a state of constant paranoia.

On the other hand, it highlights the importance of ensuring good cyber hygiene and being aware of your data online. Vigilance is also still crucial, especially when we consider the implications of this new AI-powered (under)world.