Blue Diamond Web Services


September 7, 2024

For security, we have to stop picking up the phone

How do you know that the person on the other end of a phone call is really who they say they are? 

Earlier in July, a Ferrari executive was flooded with a barrage of WhatsApp messages that appeared to come from his boss, the carmaker’s CEO, Benedetto Vigna. But the Ferrari executive didn’t recognize the number, and he couldn’t be sure it was really his boss.

Suspicious of the flurry of messages from the unknown number, the Ferrari executive still took a call with the person who claimed to be Vigna. Despite the fact that the purported CEO had Vigna’s southern Italian accent, the executive still felt something was off, so he asked the caller something only Vigna would know, something the two personally discussed days earlier. 

“Sorry, Benedetto, but I need to identify you,” the executive said. And then the call abruptly ended, and a potentially colossal fraud was avoided, as reported by Bloomberg earlier this year. 

If you think the Ferrari executive is a rare edge case for scammers, think again. For as long as we’ve had telephones, there have been people trying to trick someone into thinking they’re someone else. Now, as with the case of the attempt against Ferrari, voice AI tools make it so that scammers can clone someone’s voice and trick victims into thinking they’re talking to another person.

All of these attacks involve the phone, or rather, picking up a phone call. Once you pick up the call, scammers and fraudsters can use tactics designed to pressure and force you into acting quickly and hastily in a high-stress situation. 

You’ve probably heard of some of these scams already.

Look, the police (or the feds) are not going to call you to claim that “you have a warrant out for your arrest” or to demand a payment to invalidate the warrant. If there is an arrest warrant out for you, the police won’t leave you a threatening voicemail; they will come to your house.

It’s unlikely that your healthcare provider will call you to demand payment over the phone without first sending you a letter or a paper bill. The FBI says that healthcare fraud can affect anyone and ranges from scammers impersonating healthcare providers to fraudulent claims that you owe a balance on a nonexistent bill. 

And, yes, you actually should be wary of the person on the other end of a phone call who claims to be from your bank, or from your workplace, or from an online tech company calling you to “verify your personal information,” or asking you to hand over a security code that was sent to your phone.

The alternative is to stop picking up the phone. Wait, identify, then respond.

Some scams are more advanced than others, including the spoofing of phone numbers that appear as genuine on caller ID and using AI tools to manipulate a person’s voice; this is sometimes referred to as a “deepfake.” Often the scammer will try to evoke a response or reaction by pretending to be a close family member in distress. If you think you know the person who’s calling you but cannot be completely sure, there may be a good reason for that doubt. Trust your instinct and be vigilant.

Take the case of Ferrari’s near miss. On the call, the Ferrari executive asked the purported CEO a question that only the real boss would know, the title of the book the two talked about a few days earlier. On a smaller scale, some friends and families have agreed-upon safe words or phrases that they can use in the event they need to prove that it’s really them. (Going one step further, having an alternative phrase used only if the victim is speaking under duress can help notify others of an unsafe or dangerous situation.)

If someone calls you seemingly out of the blue to ask for your information, how can you know that the person calling you is in fact legitimate? You may only have the caller’s phone number to rely on, and you may not recognize the digits.

If your bank claims to call you, call the number on your bank card to verify for yourself. 

If a company or organization you might recognize calls you and asks for information that arouses your suspicions, hang up the call, go to the organization’s website or official app, and call them back directly. Don’t just rely on Google search for a phone number, since scammers can trick search engines into displaying false customer service phone numbers run by the scammers.

If you get a phone call claiming that someone has logged into one of your online accounts, go to the website or app for your online account and verify for yourself before you take any further action. Most companies, such as Google or Facebook, do not call you but rather rely on their official customer support portals.  

Be like that Ferrari executive. Take a minute to breathe and think, and take control of the situation. And next time your phone alerts you to an incoming call, maybe just let it go to voicemail. 

Keep reading the article on TechCrunch


Hackers Threaten to Leak Planned Parenthood Data

Plus: Kaspersky’s US business sold, Nigerian sextortion scammers jailed, and Europe’s controversial encryption plans return.


September 6, 2024

Transport for London outages drag into weekend after cyberattack

Transport for London, the government body overseeing the U.K. capital’s public transit system, said it is experiencing online outages due to an “ongoing cyber security incident” set to drag into the weekend. 

TfL, which runs the London Underground (known as the Tube), buses and trams across London, said that while the city’s public transit system is “operating as usual,” several customer-facing systems are offline, including some ticketing systems and its online real-time Tube arrival information. 

Details of the incident remain scarce. TfL disclosed the cyberattack on September 2, and said that it took action to “prevent further access to its systems.” 

In a brief update on its website on Friday, TfL said it has no evidence yet that any customer data was compromised in the cyberattack. 

TfL spokesperson Princess Mills declined to answer TechCrunch’s specific questions about the incident, including what evidence, such as logs, the organization has to determine if any data was stolen. TfL also declined to make the executive who oversees cybersecurity available for an interview. 

In a brief statement attributed to TfL’s chief technology officer Shashi Verma, the transport network confirmed it “identified some suspicious activity on Sunday and took action to limit access.”

According to the cyber incident page as of Friday, TfL says, “many of our staff have limited access to systems and email and, as a result, we may be delayed or unable to respond to your query or any webforms previously submitted.”

According to sources speaking to BBC News, TfL employees have been told to work from home, as many of the organization’s back-office systems at its headquarters are affected.

A review by TechCrunch of TfL’s public-facing web infrastructure shows many of the organization’s systems are no longer online, or have been restricted from accessing the public internet, likely in an effort to isolate the intruders and prevent further access.

At the time of writing, TechCrunch found several TfL systems, including its employee log-on portal, were still accessible from the internet.

Updated with post-publish comment from TfL.

Keep reading the article on TechCrunch


The NSA Has a Podcast—Here’s How to Decode It

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod’s actually worth a listen.


Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured Database

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.


September 5, 2024

YubiKeys Are a Security Gold Standard—but They Can Be Cloned

Security researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack.

