Trust an apparently genuine email that asks us to click and confirm bank details and codes? By now only a few incurable dupes fall for it. But the technology of phishing (fishing for the more or less unsuspecting victims of web-based fraud) is advancing. The new frontier of remote scams is called "caller ID spoofing". The fraudster sends us a text or a WhatsApp message, or simply calls us. Our display shows the number of our bank, of our financial institution, of a charity, or of a company we know well and have an established relationship with. We answer, we trust, we comply. It can be a scam. It is carried out with a truly refined procedure, sometimes combined with another very recent technological trick: the cloning of our mobile number (more precisely, its transfer, perhaps only temporarily and for as long as the fraud requires) onto a SIM in the fraudster's hands, who can then stand in for us even at the final confirmation of a banking transaction, passing the now widespread security procedures that rely on a one-time PIN. But how does the new fraudulent technique work in detail? How can it be recognized? How can we defend ourselves?
Spoofing and SIM swapping
To change the calling number that appears on our display, passing themselves off as our bank that needs a verification, or perhaps a charity asking for a contribution, fraudsters use features of IP/VoIP switchboard systems (those that carry voice calls over the Internet instead of the old telephone network), manipulated with ordinary applications that non-professionals can obtain too: anyone can verify this with a normal search of the online app stores. The procedure is relatively easy, so much so that even fraudsters who are not particularly skilled with technology, and even somewhat sloppy, are starting to use it.
One example: in recent weeks a company selling household water-purification appliances has been hiding behind the telephone number of a pizzeria in the province of Naples. What connection there was between the two is unknown. Two other examples of "spoofing" scams carried out in recent months are more disturbing. The first concerns the theft of credentials for the websites of the Italian Post Office, in particular those linked to PostePay (banking services). In an SMS, the fraudsters inform users of a problem with the personal data of their account, inviting them to re-enter or correct it by clicking on a link that leads to a plausible-looking screen. To give themselves time to act, the criminals tell you not to access the account, which would supposedly remain blocked for a few hours until the error is corrected. Very similar in its dynamics is the fraud carried out in the guise of the Revenue Agency through an elusive "debt collection office", which (again hiding behind a more than plausible telephone number on the display) invites us to settle a tax arrear on favourable terms by disclosing our confidential financial data or by clicking on a link that will be sent to the e-mail address we will have incautiously given to our interlocutor.
In all these cases there is also the second trick, the "SIM swap", that is the (perhaps temporary) takeover of our SIM, allowing the fraudster to directly validate our payments in his favour. Fortunately, this practice is only possible if the scammer has the serial code of the SIM to be cloned, which in theory should be jealously guarded by our telecommunications operator. In theory, because in recent months more than one leak of these lists, which then ended up in criminals' hands, has made headlines. In some cases the most scrupulous operators immediately informed customers, regenerating the SIM serial code remotely or physically replacing the SIM. But nobody rules out that some lists may still be in circulation, available to fraudsters.
How to spot the trick and what to do
First rule: never provide personal data in direct response to a request, whether by phone call, email, text message or WhatsApp message. Aware of the scams in circulation, no serious bank would ever ask for confirmation of personal data by telephone. The counter-move here is trivial and effective: call your bank back and ask for confirmation, explanations and instructions in case of a confirmed fraud attempt. The same caution is needed when dealing with the barrage of phone calls each of us receives urging us to change telecommunications or energy provider.
Second rule: in any case, verify with certainty the identity of whoever contacts us, by scrutinizing the address the email was sent from, or even more so the telephone number we see on the display. To verify the authenticity of an email, an SMS or a WhatsApp message that contains a suspicious link, those with IT expertise have many tools at their disposal, starting with the verification of the digital certificates that accompany complex messages. The ordinary mortals to whom this tutorial is dedicated have to make do with less sophisticated procedures. How?
First of all, they can do a rough check by selecting the sender's email address with the mouse and pasting it into a word-processor document in "keep text only" mode: if the address that appears after this operation is different, it means the email address was disguised and therefore deceptive. But even if it appears unchanged, we cannot rest easy. In that case we write an email to the same address, typing it out in full in our email program (no "cut and paste", especially in this case), asking for confirmation of the contact received.
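The "keep text only" check above comes down to separating what the sender shows from where the message really comes from or points to. As an added example, not part of the original article, the following Python script performs that same separation on raw message material: it splits a From header into display name and real address and flags a display name that is itself a different email address, and it lists links whose visible text names one host while the href points to another. Every header, HTML fragment and domain in it is a constructed sample (reserved .example and .invalid domains), not a real sender.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample From headers (not real senders): the second one shows a
# display name that is itself an email address while the real address differs.
SAMPLE_FROM_HEADERS = [
    'Example Bank <noreply@bank.example>',
    '"noreply@bank.example" <alerts@mail-example.invalid>',
    'Example Bank Security <security@login-example.invalid>',
]

# Constructed sample HTML body: the first link's visible text names one host
# while its href points to another; the second link is consistent.
SAMPLE_HTML = (
    '<p>Your account has been blocked for a few hours.</p>'
    '<a href="https://bank-example.invalid/verify">www.bank.example/login</a> '
    '<a href="https://www.bank.example/help">Contact us</a>'
)

ADDR_RE = re.compile(r'[^@\s<>"]+@[^@\s<>"]+')
DOMAIN_RE = re.compile(r'[\w-]+\.[a-z]{2,}', re.I)


def analyze_from_header(header):
    """Split a From header into display name and real address, and flag the
    case where the display name is itself an email address that differs from
    the address the mail actually comes from."""
    name, addr = parseaddr(header)
    name = name.strip()
    name_is_addr = ADDR_RE.fullmatch(name) is not None
    return {
        'display_name': name,
        'address': addr,
        'display_is_other_address': name_is_addr and name.lower() != addr.lower(),
    }


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    if '://' not in s:
        s = 'http://' + s
    host = (urlparse(s).hostname or '').lower()
    return host[4:] if host.startswith('www.') else host


def find_deceptive_links(html):
    """Return (href, text) pairs where the visible text names a host different
    from the one the link really points to. Text without a domain-like token
    (such as "Contact us") is not compared at all."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        if DOMAIN_RE.search(text) and _host(text) != _host(href):
            suspicious.append((href, text))
    return suspicious


def main():
    for header in SAMPLE_FROM_HEADERS:
        print(analyze_from_header(header))
    for href, text in find_deceptive_links(SAMPLE_HTML):
        print(f'link text "{text}" actually points to {href}')


if __name__ == '__main__':
    main()
```

Run on the constructed samples, the script reports the second header as a display name masquerading as an address and the first link as text that names one host while leading to another; the leading "www." is ignored when comparing hosts so that an honest link written either way is not flagged.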
To check the authenticity of the telephone number on the display, the procedure is easy and immediate: we call the same number back, preferably from a mobile phone (to rule out any very remote manipulation of our landline by the local exchange). The answer will immediately reveal how things stand.
If our first line of defence has not immediately revealed a scam, do we want to examine the offer they are making us? We still ask that it be sent to us in writing, by e-mail or ordinary mail, without however giving any details: if they called us, they must already have our postal or e-mail address, otherwise they are probably scammers or, in any case, part of the crowd of commission-based sales agents who all too often use unfair practices.
A good rule would even call for care in pronouncing certain words during a conversation with our unidentified interlocutor: the simple word “yes” can be extracted (this really happens) to fabricate a verbal assent to a contract for the delivery of goods or for a change of provider. And in the meantime, seriously consider signing up for the opt-out register against commercial calls, which within days should finally be extended to mobile phones too, as laid down by a legislative provision passed last January.
Last recommendation: if you have sufficient evidence of a scam or an attempted online scam, report it directly to the police authorities. This can also be done online.