Keeping Information Security Simple – “How to be a Telephone Fraud Prevention Hero”  

Letter from the CISO, Vol 4 Issue 1 

Washington University Community: 

An enormous amount of fraud is still being perpetrated via phone calls even though many people don’t use telephones very much. Cybercriminals seek your credit card or bank account numbers and access to your online bank accounts, and they try to install malware on your computer.

But you can be a telephone fraud prevention hero—maybe even a superhero—in just a few easy steps for yourself, your parents, and your grandparents. 

The easy case – protecting cell phone users 

For iPhone or Android users, it is easy to dramatically reduce the risk of phone fraud simply by silencing all unknown callers. 

With this feature turned on, if an incoming phone number isn’t in your contacts, your phone sends them directly to voicemail. Most scammers and marketers don’t bother leaving messages. If they don’t care enough to leave a message, it must not be important. If they do leave a message, I get to decide if it is important. 

Straightforward instructions for blocking unknown callers are available for Androids and iPhones.

An important warning! 

Some scammers will fake the number of someone in your contacts list, whether it is a loved one, bank, merchant, or healthcare provider. 

I’ve written about the importance of establishing code words or phrases – in advance – to verify that the caller is really who they say they are, even in very distressing situations. See Keeping Information Security Simple – “Using Code Words to Defeat the AI Menace”, February 29, 2024. 

Should your bank, merchant, or healthcare provider call, it is vital that you verify their identity—not the other way around! 

Do not allow a caller to trick you into believing they are legitimate because they know a lot about you. Instead, get a case or incident number, then find a trustworthy phone number (from the app on your phone, the back of your ATM or credit card, or an old statement). Be very careful searching the internet for the number, as cybercriminals advertise well-crafted fake websites to lead you to a bad end.

An inferior method for old phones 

Silencing unknown callers requires a reasonably up-to-date version of a phone’s operating system. If you have an older phone that doesn’t support it, you can block numbers one at a time as they call you. This is grossly inferior and arguably a strong reason to upgrade to a newer device. But until you do, here is how iPhone & Android users can block calls one at a time.

The hard case – protecting landline users 

It is relatively difficult to protect landline owners (like parents or grandparents) who can’t or won’t switch to using a cell phone. 

There is a similar pair of good and bad choices for this situation. 

The bad option requires the landline owner to manually block numbers using a device like the ones described here. Some phone companies, including Spectrum, allow you to create a permitted callers list via their portal. When I tried to use it a year ago, I was limited to just 50 numbers! It’s a good option if 50 is enough, but otherwise, it’s infeasible. 

The good option uses a cell phone configured to limit calls to numbers in its contacts but then bridges that into the legacy phone using a Bluetooth connection and a Cell2Jack device. The landline number should be ported to the cell phone so the inbound number and the outbound caller ID remain unchanged. If you set up a Gmail account for the user, you can also remotely administer the contacts list from your personal device.  

It is possible to simply forward the old number to the cell phone, but that doesn’t preserve the outbound caller ID. 

In my December 7, 2023, Letter from the CISO, Vol 3 Issue 7, I wrote about the 20-30 phone calls a day – almost entirely scams – that my elderly mother was receiving on her landline. I wrote: 

“I wanted to switch her to a cell phone and block all unknown numbers, but she was unable to learn how to use one. Making the situation worse, she was unable to ignore calls, even ones that clearly identified the caller as “SPAM.” And then she would talk to them, sometimes at great length, even going to her computer and trying to follow their instructions so they could help her with whatever scam pretense they were using!” 

Now, visiting her isn’t a nightmare of constant ringing, and being away from her isn’t a nightmare of not knowing who will con her out of her credit card or bank account number, convince her to give them access to accounts, or gain remote control of her computer. 

Call to action

I recognize that many younger people simply don’t answer their phones. The techniques above should make it possible for you to take calls without being crushed by a flood of inbound useless crud. 

You can be a hero by helping your colleagues, friends, and family members configure the appropriate settings. 

While you are helping them, establish a code word or phrase and remind them that you are their cyber security buddy: someone they can always call for help thinking things through. Also, remind them that the more emotional stress they’re feeling, the more they need to check with their cyber buddy, especially if the person on the phone (or another communication medium) is telling them not to talk to anyone about the situation. 

If you need help with any of these ideas, please contact the Office of Information Security at infosec@wustl.edu.

Thank you for reading my column and for being a member of the university’s Information Security team! 

Good luck, and be careful out there! 

-Chris Shull, CISO