We tried caller ID spoofing, posing as Mick Jagger

By Lewis G. Parker

I just called a friend using Mick Jagger’s number and sang Wild Horses to him down the phone. Then I called a political reporter from Boris Johnson’s number and leaked a new policy giving city kids free karate lessons in a bid to stop knife crime.

I did this because a couple of weeks ago, I received a batch of calls from an HM Revenue & Customs number that seems to have been hijacked by an offshore financial firm using a technique known as caller ID spoofing, to give their operations a veneer of legitimacy.

While I didn’t get lured into depositing any money, HMRC may find it collects more tax from the fiscally evasive by using the same technique, pretending to be a dodgy financial firm in Cyprus. Because unlike collecting tax, it’s depressingly easy and cheap to do, and very difficult to thwart.

Caller ID spoofing is a favourite technique of fraudsters and other dodgy businesses. Until recently tabloid reporters used it to access the voicemails, bank details and medical records of celebrities, politicians and dead children, so it has form.

By visiting a site such as Crazy Call, all you need is the phone number of the person or organisation you’d like to impersonate. (Don’t ask how I got the two numbers above.)

The site then provides a code and, within seconds, the connection is made to the victim, whose caller ID displays the number of Mick Jagger, Boris Johnson or an unsuspecting government department.

Here is where you can pretend to be someone else.

It works best if the victim has the number saved in his phone, so the name flashes up with the number, although classic ‘boiler room’ scams work using a company number – British Gas or Microsoft, for instance – which is verified when the recipient Googles it.

One in five UK households were targeted by a variant of this wheeze, the ‘Microsoft support scam’, in 2013, which defrauded people of £745 on average and wrecked their PCs as the caller – who wasn’t a Microsoft representative – convinced people to give them access to their computer.

Thanks, technology

The company I used to sing Wild Horses to my friend markets itself as “The ultimate tool for making prank calls and fooling your friends.” There are hundreds of similar sites out there offering the same service, some of which allow callers to disguise their voice like in the Scream films, while others provide ambient background noises.

According to telecoms forensic specialist Jason Coyne at IT Group, “Three quarters of these calls are an abuse of the technology.”

In a depraved escalation of caller ID spoofing known as “swatting,” people in the US have called the police using a victim’s phone number, claiming to be in the middle of a murder spree, which has led to a SWAT team descending, guns loaded, on the real person’s house.

Clamping down on fraudulent calls is remarkably difficult. Spoof calls are easy and cheap to make but very labour-intensive to trace. In countries with data protection laws, network providers aren’t allowed to disclose details of who scrambled the call without a court order.

Even this would only disclose the company being used to spoof the calls. Since companies such as Crazy Call don’t reveal that kind of information – their business would collapse if they did – another court order would be required in the country where the company is based to reveal who makes the calls.

Jason Coyne is helping to compile a case for a FTSE 100 company whose phones were recently hijacked to abuse its customers. With their resources it may be possible to track the culprit, which would be one of the first — if not the first — case of its kind in the UK.

But that’s probably just one foul-mouthed individual acting alone, whom it will take thousands of professional man-hours to identify.

For everyone else, don’t believe it’s Mick Jagger or the gas man until you’ve heard him sing.