Fraud Gets Its Own Caller ID
Caller ID isn’t the crystal ball that it used to be.
Revered for years by persnickety consumers who like to screen their telephone calls, the premium service is being appropriated by identity thieves.
Such scams are made possible by technology that enables con artists to manipulate the phone number and even the name that shows up on the unsuspecting recipient’s caller ID, allowing scammers to masquerade as officials of churches, banks and courthouses.
Known as spoofing, the aim is to persuade consumers to reveal their Social Security numbers or other sensitive information. Spoofing is the phone industry’s version of phishing, in which criminals use fake e-mails to fool computer users into divulging personal information. But phishing is so yesterday compared to spoofing, one security expert says.
“Phishing started about three years ago, and now many people know it’s a scam, but the use of caller ID” as a crime tool is becoming more prevalent, said Jack Vonder Heide, president of Technology Briefing Centers Inc., an Oak Brook, Ill., technology consultant to the financial services industry.
“A year ago, I wasn’t aware of any incidents [involving caller ID], but now I speak at banking conferences all over the world and this is one of the main topics they want to hear about.”
In June, the House of Representatives passed the bipartisan Truth in Caller ID Act, which makes it a crime to transmit misleading caller ID information with the intent to defraud or harm.
In May, AARP’s monthly bulletin alerted members to the practice. The same month, the Federal Trade Commission filed its first case alleging the transmission of bogus caller ID information against a mortgage loan provider. The business, the FTC alleged, violated telemarketing rules by, among other things, transmitting a phony caller ID, which made it impossible for consumers to stop the unwanted pitches.
Spoofing doesn’t require a great investment, and there are a number of companies that specialize in it.
With its motto, “Be who you want to be,” SpoofCard.com, for instance, sells calling cards for as little as $10 for 60 minutes of talk time.
This is how it works: SpoofCard has a dedicated toll-free number where a user enters a personal identification number, their desired caller ID and the number they’d like to call.
SpoofCard users also have the ability to select a male or female voice. Although the caller speaks normally, the person on the other end hears the altered voice.
In particular, scams in which caller ID indicates the call is coming from a court official have been flourishing, said Sid Kirchheimer, author of “Scam-Proof Your Life.”
“In the last couple of months, they’ve hit 15 or so states,” he said. “The majority of the cases use caller ID to make it look as if the call is coming from the courthouse.”
A phone-scam alert even appears on the website of the U.S. District Court in Washington.
“If you are contacted by a person claiming to be from our jury office, with caller ID showing a courthouse number, requesting that you pay a fine because you missed jury duty, do not give that person any information,” the court warns.
But it’s not just courthouses whose phone numbers and names are being purloined.
In Fairlawn, Ohio, St. Thomas Orthodox Church received hundreds of calls from August 2005 until January 2006 from people saying its phone number was popping up on their caller ID. The caller would say he was owed money and would ask for a bank account number.
“It went on for months,” Dave Zampelli, a Fairlawn police detective, recalled in an interview. Some of the people receiving the calls weren’t even church members.
“These were random people. A couple of people gave out their account information, but I’ve not heard that they lost any money,” because they caught onto the scam quickly enough to freeze their accounts, Zampelli said.
Police suspect the caper originated overseas, but the case was not solved, he said.
A SpoofCard representative said its markets included legitimate users such as private investigators, law enforcement, insurance agencies and lawyers.
“There are very legitimate uses for caller ID modification,” said Vonder Heide of Technology Briefing Centers.
If someone is making a call from their cellphone, for example, and doesn’t want the recipient to have the cellphone number, the caller could use spoofing technology to display their office number instead, he said.
Or if a law enforcement officer is trying to find a suspect and has reason to believe that person is at a particular residence, the investigator probably wouldn’t want to place a call with telltale police department information showing up on the caller ID, Vonder Heide said.
“If used illegally, we work with law enforcement to help them prosecute,” said a SpoofCard representative who would only give his name as George.
“We’ve spent lot of money and time to prevent fraud from happening on our system,” he said.
SpoofCard also is “in the process of compiling a list of every financial institution and law enforcement phone number to block the numbers from being called through the service,” George said. That way, SpoofCard users won’t be able to call a bank and order a credit card as an impostor.
SpoofCard prohibits users from dialing toll-free numbers or 911.
But there’s already a precedent for emergency services being deployed during a spoof call.
In March 2005, a SWAT team descended on a New Brunswick, N.J., neighborhood for six hours after police received a call from a female claiming she was handcuffed and being raped in an apartment. In fact, a Texas woman made the call as part of a prank, the Newark Star-Ledger reported. Caller ID was spoofed to appear to come from the apartment, the Associated Press reported.
One technology security research firm thinks that harmless or legitimate uses of caller ID spoofing are the exception rather than the rule.
Lance James, chief technology officer for San Diego-based Secure Science Corp., testified before Congress in May that more than 75% of spoofed calls had a malicious intent.
The House bill, now in the Senate, would still allow legitimate changes to caller ID data, including those by law enforcement officials and domestic violence victims.
“A criminal can pretend to be a person’s bank and try to convince a person to give out credit card numbers, personal bank information or simply cover their trail as a telemarketer,” said Rep. Eliot L. Engel (D-N.Y.), who introduced the bill with Rep. Joe L. Barton (R-Texas).
Some members of Congress can speak from experience.
In late 2005, Rep. Tim Murphy (R-Pa.) began hearing from constituents who said they were receiving calls about the Pittsburgh-area congressman’s association with former House Majority Leader Tom DeLay.
The calls, which Murphy said numbered in the thousands, were showing up on constituents’ caller ID as coming from his office.
In May, Murphy introduced his own legislation. Currently in the House Judiciary Committee, it calls for strict penalties for those who commit caller ID fraud. It’s called the Preventing Harassment through Outbound Number Enforcement Act.
It is doubtful such laws will derail companies like SpoofCard, Vonder Heide said. They “may see [a] little dip in revenue, but my guess is the publicity” that any new law would generate would raise the consciousness of people who didn’t even know spoofing was possible and might like to try it.
Besides, he added, “Criminals who make their living breaking laws really don’t care if there’s a law against something. There are already laws against bank fraud, but people are ready and willing to break those.”
If nothing else, SpoofCard works. When returning two phone calls to the Chicago Tribune, George used a reporter’s office and home phone numbers as his desired caller ID.
