Tuesday, December 18, 2018

How to spot “ID Spoofing” and “Spear Phishing” scams before you take the bait


Scammers are getting smarter every day, using two very convincing tricks to gain your trust: ID spoofing and spear phishing.

Here's how:

Your phone rings and you check the caller ID. It appears to be someone you know or a business you can trust, so you answer. Unfortunately, scammers can fake their caller ID to get you to pick up. It’s called ID spoofing. And, once they have you on the line, they might use specific things they’ve learned about you to earn your trust - then ask you for more detailed information. This is known as spear phishing.

Take a look at this spear phishing script from the Federal Trade Commission (FTC) Consumer Information web site. It demonstrates a common approach:

I’m calling from [pick any bank]. Someone’s been using your debit card ending in 2345 at [pick any retailer]. I’ll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity...”1

It can be pretty convincing, because they make it seem like they’re from a legitimate business. And the fact that the caller knows some of your information already — makes it more likely that they’ll be able to get you to “verify” the information by providing it in full. They may ask for your full legal name, social security number and home address. They may even get as in-depth as to ask you to verify bank account numbers, online banking login credentials, your mother’s maiden name and secret questions and answers for your online banking or other accounts.

Here are 4 things you can do to avoid taking the bait:

  1. Don’t rely on caller ID to identify your caller.
  2. Don’t give out any financial information on the phone, through email or by text message. If the contact is not initiated by you, it is best not to provide bank account, credit card or other personal information over the phone unless the identity of the caller has been thoroughly verified. This can be done by asking the caller for their name and phone number and tell them you will call them back. Then verify the person and request via other means (e.g., call the bank or credit card company using a known number) to confirm that the person really works there and that the request is legitimate.
  3. Don’t get hooked just because the caller already knows some personal information about you. Scammers have many different ways to access your information.
  4. Trust your instincts. If something doesn’t feel right to you, hang up. Then, call the business back by using the phone number that you know the business owns. It’s a smart way to find out if the call was legitimate.

If you think you’ve been a phishing victim, go to IdentityTheft.gov and learn what to do if the scammer has gained access to your accounts. Even if you have not provided your information, FTC advises that you report the scam to them. It helps them learn the latest scams which might lead to investigations or even legal action targeting the scammers. And remember… OneWest Bank will never call, email or text you asking for your account number or password.


1 Federal Trade Commission Consumer Information (February 23, 2018).