Jonathan Jensen – Protect yourself from voice phishing

Everyone knows about email phishing, and increasingly we’re being warned about the threat of voice phishing. So what is voice phishing? Your phone rings and the caller says he’s from your bank and needs to verify some transactions on your account. But first he needs you to confirm your date of birth and password. It might well be a call from your bank, but you have no way of knowing: the caller has told you nothing you can check. You’re thinking ‘you called me, so why should I give personal data to someone I don’t know?’ You could hang up and call your bank direct, but will you get the right department, and do you even have the number to hand? From my experience these fraud prevention calls happen at awkward times and you need to react immediately.

One way to raise the level of trust in this situation is to give each of your key trusted contacts, such as your bank, a unique phone number to call you on, rather than your usual home or office number. You can do this by signing up for a free FleXtel number and setting the Dialled Number Display (DND) feature to display the CLI (Calling Line Identity, i.e. the phone number) of the FleXtel number that was dialled when you receive a call on it, rather than the CLI of the caller. So your phone rings, you see 0870 xxx xxxx on the display, and you know that’s the number you’ve given to your bank (you can save it in your mobile against the name of your bank). No one else has it, so unless it’s a very random call from someone who correctly guesses you have an account with XYZ bank, the call is likely to be a genuine call from your bank. It’s not a guarantee (the number could be leaked or passed on, and a caller who knows it still hasn’t proved who they are), but it improves the probability of the call being genuine.

FleXtel offers a range of number types. I use 0870 and have it routed to a landline that diverts to my mobile if I don’t pick up the landline. If you use a 0701 number the call can be routed direct to your mobile but the caller pays a bit more. Whilst lots of companies offer 0870 and 070 numbers, the additional features from FleXtel make their numbers unique. There are lots of other uses for DND like differentiating between personal and business calls or different types of business call. Another trick I use is having a unique FleXtel number for my home alarm system to auto dial me on if it’s activated. I’ve stored the FleXtel number in my mobile with a suitable name so if I receive a call I know instantly it’s the alarm and not someone else at home calling me.

Using DND means you don’t see the CLI of the caller, but the FleXtel Call Notification feature sends you an email showing the caller’s number, which you can check later. Even ‘withheld’ numbers show part of the caller’s number (all but the last three digits), which allows some identification of the caller, e.g. their approximate location.
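The two checks this scheme gives you are worth writing down precisely: at the moment the phone rings, does the number on the display belong to the contact the caller claims to be, and afterwards, from the Call Notification emails, was each dedicated number actually dialled from a number you expect that contact to use? The following Python is an added example, not code from the original post or from FleXtel. The dedicated numbers, the contacts, the callers’ expected dialling prefixes and the notification log lines are all constructed for the example, and the log line layout is an assumption of my own, not FleXtel’s email format; it only carries the two facts the post says the notification contains (the number called and the caller’s number, partial for withheld callers).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example data. Each trusted contact gets its own inbound number;
# with DND on, what the phone displays is that number, not the caller's.
DEDICATED_NUMBERS = {
    "08701234567": "XYZ Bank",     # assumption: made-up 0870 number given to the bank
    "08701234568": "home alarm",   # assumption: made-up 0870 number the alarm panel dials
}

# Dialling prefixes each contact is expected to call from.
# Assumption: you asked the contact for these when you handed over the number.
EXPECTED_CALLER_PREFIXES = {
    "XYZ Bank": ("0800123",),
    "home alarm": ("0207555",),
}


def normalise(number: str) -> str:
    """Reduce a displayed number to bare digits (keeping 'x' masks), folding +44 to 0."""
    digits = re.sub(r"[^\d+x]", "", number)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    return digits


@dataclass
class Verdict:
    contact: Optional[str]  # contact the displayed dedicated number was given to, if any
    trusted: bool           # True only if a dedicated number matches the caller's claim
    reason: str


def assess_incoming(displayed: str, claimed_identity: str) -> Verdict:
    """Judge a live call from what the phone shows and who the caller says they are.

    A match raises the probability that the call is genuine, because only that
    contact should hold the number. It is not proof: still never read out a password.
    """
    contact = DEDICATED_NUMBERS.get(normalise(displayed))
    if contact is None:
        return Verdict(None, False, "called on a general number; treat as unverified")
    if claimed_identity.lower() != contact.lower():
        return Verdict(contact, False,
                       f"number was given to {contact!r} but caller claims {claimed_identity!r}")
    return Verdict(contact, True, "dedicated number matches the claimed contact")


# Constructed call-notification log in an assumed line format (not FleXtel's).
NOTIFICATIONS = """\
2009-03-02 09:14 called=0870 123 4567 caller=0800 123 9988
2009-03-02 18:40 called=0870 123 4568 caller=0207 555 0123
2009-03-03 11:02 called=0870 123 4567 caller=withheld(0161 496 0xxx)
2009-03-03 15:20 called=0870 123 4567 caller=+44 800 123 4400
"""

LINE_RE = re.compile(r"^(?P<when>\S+ \S+) called=(?P<called>[\d ]+?) caller=(?P<caller>.+)$")


def caller_matches(caller: str, prefixes) -> bool:
    """True if the (possibly partial) caller number starts with an expected prefix.

    Withheld callers arrive with the last three digits masked as 'xxx'; only the
    known leading digits are compared, so a partial number can still be matched.
    """
    known = normalise(caller).rstrip("x")
    return bool(known) and any(known.startswith(p) for p in prefixes)


def reconcile(log: str) -> list:
    """For each notified call, record which contact's number was dialled and whether
    the caller's number is one that contact is expected to use."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not call records
        contact = DEDICATED_NUMBERS.get(normalise(m["called"]))
        caller = m["caller"]
        withheld = caller.startswith("withheld(")
        if withheld:
            caller = caller[len("withheld("):-1]
        expected = EXPECTED_CALLER_PREFIXES.get(contact, ())
        results.append({
            "when": m["when"],
            "contact": contact,
            "caller": normalise(caller),
            "withheld": withheld,
            "expected_caller": contact is not None and caller_matches(caller, expected),
        })
    return results


def leaked_numbers(results) -> set:
    """Contacts whose dedicated number was reached from an unexpected caller:
    a hint that the number has leaked or been passed on."""
    return {r["contact"] for r in results if r["contact"] and not r["expected_caller"]}


if __name__ == "__main__":
    for r in reconcile(NOTIFICATIONS):
        print(r)
    print("possibly leaked:", leaked_numbers(reconcile(NOTIFICATIONS)))
```

In the constructed log the third record is a withheld caller whose visible digits do not belong to the bank’s range, so the bank’s dedicated number is reported as possibly leaked; that is exactly the case where the live-call check alone would have said “probably genuine”, which is why the post recommends checking the notification emails afterwards as well.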

This strategy works with both mobile and landline phones: pick the most appropriate type of FleXtel number and divert calls as needed.

Jonathan’s also at Sevendotzero.

4 replies on “Jonathan Jensen – Protect yourself from voice phishing”

Hmmm…nice for the geek crowd, waaaay too complex for my mum.

Me? I ask THEM to provide ME with an item of relevant info from my account, like my last transaction location etc. If they refuse because they can't give that away to someone they don't trust yet, I put the question back to them: Why should I give critical info to them when I don't know who they are. Banks insist on this way of working because it's easy for them and puts the onus on customers. If you divulge your info to a phisher who then calls your bank, gives the correct login info and empties your account, they can claim no fault.

If we are at a stalemate, I ask for an extension to call off their main, public 0870 number. I wouldn't trust any 0870 number they gave me unless it was verifiable publicly.

I can see 2-factor authentication like an RSA keytag becoming standard, where the bank calls you, tells you what your keytag should be reading, you give them some info to ID you, and then you are both happy.

The method used by my Oz bank was to make me nominate two personal and very specific questions and answers when I opened the account. Being asked a question like “In which month did we get my dog in 2003” pretty much guarantees that the person is from the bank or they have hacked the bank's systems fairly well already.

You don't even really have to remember whether the question is exactly the one you asked (the calls always come at the weirdest times) since they pretty much validate themselves.
