Mauricio Tavares (Main Phish)

Contrary to popular belief, phishing attacks do not only take place through email. While that is the cheapest way, especially if trying to reach as many potential victims (the marks) as possible, there are other ways.

Phone calls – be they voicemail messages or real-time interaction with the marks – can provide better returns per potential victim. Some of the reasons are:

  1. People, including those reading the posts on this very site, expect phishing emails. They may not be trained to react to a call.
  2. Given the more interactive/dynamic nature of a phone call, phishers can exploit one of their favourite tools – creating a sense of urgency – so the marks are compelled to react instead of stopping and thinking.

Today’s example is a voicemail claiming to be from the Federal Trade Commission (scary!). If you want to hear it, I made an mp3 version of it. If you do not want to hear it, can’t hear it, or do not trust my file, here is the best transcript I can do (no, I did not use a tool to transcribe it):

Hey
This is Anna with Federal Trade Commission
This call pertains to an ongoing investigation about an award which you have
won with Publisher's Clearinghouse.
For further information call us back at XXX XXXXXXX.

Why is it a phishing call?

Like most of the phishing emails we have covered, it expects you to interact with them so they can collect your personal information and con you into downloading some malware while they have you hooked on the phone. If that is not phishing, I do not know what is.

Identifying this as phishing in easy steps

  • Scare tactics: “I am with the government! You better do as told or else!” In this case the robocall voice (chatGPT, is that you?) claims to be from the Federal Trade Commission; that may not sound as bad as the IRS, but it will make people’s hearts beat a bit faster.
  • Scare tactics 2: “We are investigating you!” Have you ever won something from Publisher’s Clearinghouse? Do you even know what it is? Well, the desired knee-jerk reaction here is to make you want to contact them to find out what is going on. “It must be a mistake,” you think. “Someone with a similar name must be involved!” How do you clear things up? You call them! Oh, do you see the trap now?
  • The phone number. I actually looked it up and found it has been associated with other scams. If you do not recognize a phone number, always, always, always look it up before calling it back. But make sure not to use a reverse number lookup service/site that wants you to register with it or otherwise provide money or information before it will work.
  • One thing that really hurt my ears was the way the phone number was pronounced. Yes, they are using an automated system, but the last 7 digits were read as a single run, not with a pause before the last 4 digits. Maybe I am paranoid, but that is not how I would expect someone who knows US phone numbers to read them.

Would this call work?

Probably. For someone like me it would be a bit harder, since I have a habit of never answering an unknown number; I let voicemail catch it and then listen to it. If the other person does not want to leave a message, maybe it was not that important (old-school robocallers expect to hear a voice before going into action).

But those whose job expects them to answer the phone all day will be exposed to such an attack. They may automatically call the number, and then it is up to how persuasive the voice on the other end is.