By now, most people who use the internet more than occasionally are familiar with “phishing.” Phishing is an attempt to obtain personal identifying information, usernames, passwords, and credit card numbers by people who disguise themselves as a trustworthy organization in an electronic communication.
Perhaps because of the public awareness of phishing, people who attempt to steal your personal and financial information have developed some new tricks. One of these is called “spear phishing.” Think of it as a cleverer, more targeted way of phishing. It most often combines phishing with caller ID spoofing. Here’s how it works.
One day, your phone rings. The caller ID displays the name of your bank, so you answer. The voice on the other end says something like this:
“I’m calling from [pick any bank]. Someone’s been using your debit card ending in 2345 at [pick any retailer]. I’ll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity...”
Sounds pretty serious, right? And it seems credible. After all, the person on the phone already has some of your personal identifying information. The caller ID clearly says it’s your bank calling. It’s scary to think that unless you act right away, someone might vacuum out your checking account. So of course you cooperate and give your full Social Security number, your credit card number, and maybe other info too.
Bad move. You’ve just been phished and speared. The scammers now have all the info they need to do what they said they were going to protect you from.
Information about you such as the last digits of your Social Security Number, the last digits of your debit card, and your address and phone number might be available on the so-called “dark web,” a hidden network of websites that aren’t normally viewable by an ordinary web browser. Criminals buy and sell stolen personal information there, which may include full or partial Social Security numbers, account numbers, names, and addresses. The going rate for a full package of identifying information on a given person is about $10.
From the criminals’ perspective, the problem with partial Social Security and account numbers is that by themselves, they aren’t all that useful for opening new accounts in the name of the person whose ID has been stolen. But again from the criminals’ point of view, even partial numbers are enough to establish trust. They are the spear that they use to complete their phishing scam.
In one variation of this fraud, unsuspecting victims receive calls that seem to come from the Social Security Administration. Caller ID even displays the real SSA phone number. The callers pretend to be Social Security employees. They tell people they can get an increase in their benefits and then ask for personal identifying information to make that happen. Or they tell people their benefits are about to be cut off and ask for personal identifying information to ensure that won’t happen.
These are tough scams to protect against. Banks really do contact their customers when they detect suspicious activity on an account as part of their fraud prevention efforts. But you need to stay vigilant. Just because your caller ID says that a call is coming from your bank doesn't mean that it really is. Caller IDs can be spoofed. And if someone asks for more of your personal information—even if it's clear they already have some of it—don’t do it. Instead, verify that the request is legitimate by calling your bank yourself. If the caller says he’s from the Social Security Administration, get as much information as you can, then hang up and call the SSA yourself.
If someone tries to trick you this way, report the attempt to the FTC. This will help them detect patterns of fraudulent activity and make it easier for them to catch the scammers. And if you do release your personal identifying information, report it to IdentityTheft.gov, a government site that can help you limit your losses from identity theft and figure out how to recover from it.