A day in the life of a prolific voice phishing crew
112 comments · January 7, 2025 · EvanAnderson
anotheruser13
Voice phishers are looking for people to say "yes" and read numbers. Just say no!
ksenzee
Does that really even matter anymore, now that we can generate anyone’s voice saying anything?
shkkmo
Follow the same steps for callers whose voice you don't recognize: before giving any financial information or reading any codes, call the person back using a verifiable good number.
nullc
There are some idiotic banks now using "voice verification" such that capturing your voice may be of value to fraudsters.
Unfortunately it's generally impossible to get your bank to stop using insecure authentication mechanisms except by changing banks, and good luck with that because it sure seems like practically all banks can eventually be convinced to give away your funds to someone with your personal information and the ability to sim swap you.
ge96
It is neat like with Twilio you can produce that audio file for the voicemail with XML but yeah I have no drive to screw someone over myself
ChrisMarshallNY
I have gotten a few of those "Apple" phishing attempts. They really look legit. My Apple ID got compromised, many years ago, and people try to use it, from time to time.
However, I am pretty up on the state of my accounts, so I won't follow up on them.
The only people who ever call me, from Apple, are the Developer Support folks, and that's usually to castigate me, for stepping on some soft spot, or in response to me reaching out to them. I totally ignore calls from numbers that I don't know; a rare privilege.
jimt1234
I got a voicemail from Kaiser Permanente just yesterday, telling me I owed for a recent medical visit. The voicemail went on, citing some (probably fictional) laws that allowed them to start garnishing my wages immediately for unpaid medical debt. ... I've never been to Kaiser in my life, not even the parking lot. LOL
olyjohn
Wait until you get a medical bill after an expensive procedure. You'll get 6 bills from a bunch of different doctors and facilities, you'll have no idea who any of these people are, and none of the amounts billed match up to what your insurance says is owed or was paid. They can't or won't explain what the costs were, or why some portion of it was covered or not. It'll take a whole day to reconcile everything after talking to multiple billing departments, and your insurance company.
And that's why the scam they are trying to pull on you works for a lot of people. It's too much headache to deal with all of it and fight it, and usually you're still sick or recovering and won't have the mental power to deal with it, or notice that it's even a scam.
eru
> I totally ignore calls from numbers that I don't know; a rare privilege.
When I am not totally busy, I usually accept them and put myself on mute and put the phone down.
They typically waste a minute saying 'hello, hello?' before hanging up, while I keep working. (Alas, I get a lot of spam calls.)
IncreasePosts
Your method probably leads to more calls since your number will be marked as active if you pick up
suprfsat
They usually spend a minute cursing my mother in a language I don't understand, but they aren't organized enough to note that my number is a huge waste of time.
eru
Occasionally, when I'm bored, I actually tried to engage with them, but they immediately hang up, when they notice I don't speak Mandarin; and my attempts at Nihao haven't convinced anyone so far.
For context, I'm in Singapore, and I suspect the vast majority of these spam calls are manned by PRC people.
Scoundreller
I have two numbers in the same area code, one work and one personal.
I mess with them on the personal line but never the work. (Ok, that’s slightly different than answering vs not).
Informally, I don’t see a difference and this is after years of this hilarious activity.
SkyBelow
Pickup but silence might end up being better than letting one's voicemail grab it. Would make for an interesting study.
hoseja
I think if you pick up but are silent it's still (mostly) fine.
paul7986
I would think those who answer the calls are automatically placed on a list as this person answers and your number is sold as such.
Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
Overall if I don't know you well you're not in my iPhone contacts ..getting to know new folks they are given my Google voice number which is only for texting.
pavel_lishin
My phone number is already on multiple lists like that; I get a minimum of three spam phone calls a day. I don't think that answering or not-answering is going to make a significant dent.
> Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
I have a young child, in school and after-school activities; I don't want to risk missing a relevant phone call, as well as phone calls from actual doctors & such who need to get in touch with me. (And I can't easily whitelist every phone number some given office/person might end up using to reach me.)
avh02
I'd love to do this but too often a call is made by an unknown number to me in response to an action, e.g. I requested a dishwasher repair via email, I was called to schedule it by the contractor it was assigned to by my landlord. If I ignored that call it's likely a game of chasing them back up and potentially navigating PBX systems, etc.
renewiltord
I just have a number with a rare area code and then block everything from that code using NumberShield, the iOS app. I usually have a few voicemails to delete but I don’t really notice the calls.
I do have to laugh at security, though, since many banks and trading companies just call you direct. I’ve definitely received incoming calls that I hesitate about not continuing. Fortunately, I’m not too confident in my skill to detect a phisher so I always go online to find the official account to call.
If they can redirect my call then I’m doomed but often it’s exactly a completely normal call. They were just calling to make sure the wire I set up was intentional. Come on, dude!
IG_Semmelweiss
There are so many non-techy folks that are getting run over by phishers. If tech workers can also be targeted, the rest really have no hope.
I really wish someone would make movies or enticing thriller series out of these post-mortems. There are some good stories to be told, plus it would help the most vulnerable to be better prepared..
acomjean
We’ve lost control of the telecom system. The fact you can’t trust caller id and bad actors aren’t banned still astounds me.
miohtama
Finland passed a law that simply forbids forging caller IDs and forced telecoms to implement it in 2024.
https://ficom.fi/news/combatting-scam-calls-and-smss-how-fin...
doix
Yep, we need the equivalent of DMARC, DKIM, and SPF for the telecom system. We solved it for email, feels like we should be able to solve it for telecom.
I really hate any system that relies on the telecom system for any sort of verification. I hate every website/app/whatever that doesn't let you disable SMS verification as a "backup". So many places that offer (and even force) 2FA just let you bypass your authenticator with SMS verification.
ceinewydd
This exists. https://en.wikipedia.org/wiki/STIR/SHAKEN
anotheruser13
STIR/SHAKEN isn't helping much either. The carriers are all about that sweet, sweet revenue...
ForHackernews
The FCC is fixing this: https://www.fcc.gov/call-authentication
BurningFrog
This is really a case where PSAs/ads could actually help.
The targeted old people still watch TV, and *hearing* the actual fraudulent pitches will be far more educational than reading about it.
MetaWhirledPeas
You're totally right, but I also wonder what you could even say in 30 seconds? Don't trust the person on the phone who sounds exactly like your grandson? There's so much nuance to explain.
etc-hosts
"The Beekeeper"
voidpointer
The relative ease with which caller-IDs can be spoofed seems to be one of the major "tools" with which scammers can gain the trust of their victims (or trick other systems into believing that they are the victim). Most of the non-technical folks I know will also more or less blindly trust a caller-ID. Fortunately, many scammers (at least here in Europe) are still calling you claiming they are Interpol following up on your PayPal account being breached whilst a +233... number shows on your phone.
burningChrome
>> In Tony’s ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations.
This type of scam has been going on since the early 2000's.
Back in the day when I was a fresh faced high school kid working for a mom and pop wireless shop, criminals would use the NAD relay system to call dealers like the one I worked for. They'd offer credit card payment for phones without any service on it and ask for it to be mailed to a PO Box. Back then, companies like Verizon subsidized their phones so to buy a phone without any service on it ran $500+ and we rarely, if ever, sold phones without service on it since that's how we made our money.
As soon as a new model phone would come out, it was like clockwork. We'd start getting relay calls everyday for about a week. Once they figured out we weren't a mark, they'd stop.
Kind of interesting thieves are just utilizing newer technology for the same type of scam.
somerandomqaguy
True the underlying scam is the same, but the operating costs have gotten quite a bit cheaper. Before one person could only call one target at a time, today with a good SIP trunk a single person can target thousands of numbers a day and not even have to be present. It can be just a background task running on their desktop while the scammer goes to their normal 9 to 5.
abhayhegde
I have been receiving various spam texts under the pretext of USPS has lost my mails and would like to reaffirm my address to them. The scammers are pretty smart to build an identical-looking site to USPS (pretty easy if they copy CSS but change the endpoint for form submissions). Those with the keenest eyes and a bit of common sense can dodge these types of phishing.
ipython
Tbh at least iPhone iMessage protects even the less knowledgeable from just blindly clicking through these links.
I’ve received at least a half dozen of these in the past week. Every time, the link is disabled so you actually have to copy and paste the url into safari. In fact the scammers even helpfully include instructions for someone to scam themselves in the text message. Here’s one of the most recent ones:
> (Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it, and get the latest logistics status) Once your verification is completed, we will arrange delivery again within 24 hours. Have a great day from the USPS team!
anotheruser13
Any time you get a message purporting to be from the USPS saying there's a delivery problem and you need to pay a small fee to fix it, it's a scam. Block and report.
razakel
Royal Mail legitimately use a custom link shortener at ryml.me, which doesn't help confusion.
nottorp
> Included in the message was a link to a website that mimicked Apple’s iCloud login page — 17505-apple[.]com.
So... the main culprits are the idiots that hide the page URL in the name of user friendliness?
lilyball
Presumably this is more relying on the prevalence of subdomains and for users to not notice that 17505-apple[.]com is not the same thing as 17505.apple[.]com
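Added example, not part of the thread: a minimal Python check for the hyphen-versus-dot distinction discussed above, comparing a hostname's registrable domain with the brand's real one. The function names are illustrative, `PUBLIC_SUFFIXES` is a small stand-in for the full Public Suffix List, and the `.example` host is constructed.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List; load the full list in real use.
PUBLIC_SUFFIXES = {"com", "net", "org", "me", "co.uk", "example"}

def refang(host):
    """Undo the '[.]' defanging used in reports and normalise case."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()

def registrable_domain(host):
    """Return the label left of the longest matching public suffix, plus the suffix."""
    labels = refang(host).split(".")
    for i in range(len(labels)):          # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None               # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None                           # unknown TLD in this toy list

def classify(host, official="apple.com"):
    """Say how a hostname relates to the brand's real registrable domain."""
    reg = registrable_domain(host)
    if reg is None:
        return "unparseable"
    if reg == official:
        return "official"                 # apple.com itself or a true subdomain
    brand = official.split(".")[0]
    # Brand name used as a token inside someone else's registrable label.
    if brand in re.split(r"[-_0-9]+", reg.split(".")[0]):
        return "lookalike-registrable"
    # Brand name pushed into the subdomain part of an unrelated domain.
    sub_labels = refang(host)[: -len(reg)].rstrip(".").split(".")
    if brand in sub_labels:
        return "brand-in-subdomain"
    return "unrelated"

# The first two hosts are the ones quoted in the thread; the third is constructed.
SAMPLES = ["17505-apple[.]com", "17505.apple[.]com", "apple.com.verify-login.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:35} {registrable_domain(h)!s:25} {classify(h)}")
```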
jmward01
I am glad this kind of reporting happens but I am sad it is needed. This type of crime is violent in nature. I would rather be mugged than have this happen to me. Being mugged just gets you hurt but this can destroy you and your family.
dcrazy
It’s worth pointing out the incongruity of calling online theft “violent in nature” and then directly comparing it to mugging, which works off the threat of implied violence.
You clearly understand the difference between violence and mere deceit. The fact that this isn’t a violent crime is probably relevant to its popularity, since recruiters don’t have to filter for people who are willing to resort to violence in the face of resistance.
lifeisstillgood
My takeaways
1. The prime target list is people with crypto accounts. You can steal from them much more easily than the real banking system. The guys who got Mark Cuban must have been super pumped until they only got 40 grand.
2. Remote Teams of thieves who scam remote people over the phone tend to be morally lax enough to steal from their teammates and so the teams only last a few weeks. Which is weirdly opposite to the advice for bankers which is crimes occur less when WFH
3. Why did I not get the domain “commandandcontrolserver.com” - that’s cool!
4. This is so easy to fall for. But it’s fairly hard to steal “real” money, and honestly we should pressure banks to make it even harder - something along the lines of “want a loan, visit a branch in person” and similar fraud reduction choices. Criminals are showing us the way - they target easy to steal / easy to get away crypto - so run in the opposite direction
nullc
The FTC estimates overseas internet/telephone scammers stole an estimated $122 billion dollars from Americans in 2022, virtually all of it in traditional banking.
Have any data to suggest that these 'crypto' attacks are within two orders of magnitude of that?
This particular scam is targeting crypto users, for sure, but to some extent that's a "who has money" proxy. Other scamming groups do things like use property records merged with personal information leaks to target people who own expensive real-estate.
I don't intend to argue that a bunch of crypto stuff and practices aren't gravely insecure, but if you think you're going to be safe by not using it... you're just wrong. And good practices, e.g. with Bitcoin, may be significantly more secure against these kinds of remote scammers than a bank account is.
I think a better lesson is that any inbound communication is a danger and should be avoided when possible and treated with great scrutiny otherwise.
kazinator
I see they carefully avoided the cringy word vishing.
Is that something only taught in those lame corporate security training videos?
Phishing over styrofoam cups connected by thread: styshing.
Phishing over carrier pigeons: poopshing.
Phishing over SNMP fault messages from a router: switshing.
Phishing over telegraph: morshing.
Phishing using smoke signals: smoshing.
Phishing using interpretive rhythmic movements and postures: danshing.
Phishing over apartment entry system: buzzhing.
Phishing future generations using malicious messages locked in a time vault: fyushing.
Phishing using a conventional rod, nylon line, bait and hooks: unironically, fishing.
... and other attacks you should watch out for!
joeyagreco
Some of these tactics are really clever.
fortran77
For now, much of this can be avoided by always hanging up if you receive a call from google, apple, etc, and then--if you really think there's something going on--contact them via an official way documented on their website.
Of course, they try to catch people off-guard as they did Mark Cuban.
When I tell my bank or broker if I should get a call that I'm going to hang up and call back on their main number, they always understand and support it.
razakel
My bank has an indicator on the app help page that says "yes, you really are speaking to us" or "anyone calling you and pretending to be us is a fraudster".
My parents' independent gas station in rural western Ohio (in a town of sub-1000 population, albeit on a state route that sees significant commuter traffic) was targeted for a voice phishing scam over the last week. A caller left voice messages to multiple recipients (we're not sure how many, but it seems like at least double-digits) purporting to be the gas station and asking to settle-up unpaid bills via credit card over the phone. I didn't get to hear any of the callers, unfortunately. The call-back number they left wasn't the gas station's number, nor was the caller ID the gas station's number.
At first I felt like it was probably a small-time local scammer. Then I thought about how close we are to being able to run this entire scam using fully automated means (including voice assistant software and an LLM to talk to the callers, probably with a human in the loop for handling exceptions). I assume we'll see a rash of these kinds of scams targeting local businesses once the tool kits to run them become widely available.
The idea of building up the automation to run that scam sounds like fun. I wouldn't actually do it but somebody with fewer moral scruples absolutely will (or, rather, probably already has).