As part of attempts to gather financial information from customers, cyber-criminals are reserving phone numbers that are similar to the contact numbers of banks, credit unions and other financial institutions, according to security firm Pindrop Security.
In a study of phone numbers for some 600 institutions, the company found close variants used in fraud against 103 organizations, suggesting that attackers had targeted at least 17 percent of financial firms by selecting phone numbers designed to fool customers. The strategy, which Pindrop dubbed a “misdial trap,” could be designed to catch unaware consumers who incorrectly dial their financial institution’s number, the security firm said.
The company looked at numbers with variants whose last four digits were adjacent to the last four digits of the actual number, Scott Strong, a data scientist with Pindrop, told eWEEK.
“We were able to look at a large volume of phone numbers and compare them to variants of the financial institution’s phone number,” he said. “If a phone number is very similar and they are purporting to be that financial institution, then we considered it part of an attack.”
The strategy closely resembles typosquatting on the Internet, a technique used by online attackers to catch mistyped email addresses and Website URLs. In those cases, researchers have found that creating a server to intercept mistyped domain names in email addresses actually received thousands of messages containing valuable information.
Mistyped phone numbers may be a less effective technique, however. Yet other attacks using the technique are possible and, likely, more probable. Scammers could call banking customers and leave a message to call back at a fraudulent phone number, or the number could be included on a site created as part of a phishing scam. The closeness of the number to the actual financial institution’s number would make the victim put more trust in the scammer’s claims, Strong said.
Similar phone numbers using a different prefix, such as 866 rather than 800, accounted for about 20 of the 103 numbers, according to the firm. Those numbers are not likely designed to take advantage of mistyped digits, but to fool credulous users, Strong said.
Customers should call the phone number listed on their bank’s Website, or at least double check any phone numbers to see if they are connected to fraud complaints, Pindrop recommended. Financial institutions, on the other hand, should be more proactive and take the time to scan the Web for sites that may use phone number similar to their number and test variants of their numbers by dialing them, Strong said.
“This is something that is worthwhile exploring if you are a financial institution,” he said. “You might want to spend some time and interns to look into numbers that are similar to yours.”