Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Phishing Scams Growing More Advanced, With Latest Spoofing Apple Phone Numbers
- Thread starter MacRumors
- Start date
- Sort by reaction score
And I had spoofers call me last year too claiming they were Molly from Apple Support from the Grand Central Station store. Both times I went to that store last year I was barraged by spoof calls (about 10 over 8 hours) on Sundays - days after I visited the store. I reported these to Apple after the second batch of calls.
Again, I always initiate calls to Apple.
Again, I always initiate calls to Apple.
I don't think they know or care. After all, how many of the folks who got a call from "Windows Technical Support" had a Mac, or no computer at all?
I don't think it's that Apple can't tell the difference, it's that the cellular networks are inherently insecure. The entire telephone system is an example of "it's insecure, but we can't fix it without breaking compatibility."
It's trivial for hackers and scammers to spoof caller ID information. There are even services out there on the Internet that will call anyone you want and provide caller ID info you specify. It is the same tactic that lets scammers appear to be "local" by copying your area code and prefix. It's a 1 in 10,000 chance within a prefix, but I once got a call that showed up as a friend's number, but was a scammer.
There is a way I could conceive that Apple could actually authenticate their own calls, however. Suppose Apple was making a legit call to you. They could use their existing secure data channel (the one that feeds push notifications) -- NOT SMS! -- to send your phone a secure message which would indicate to the phone "A legitimate call from Apple is going to arrive in the next 30 seconds." The phone doesn't have to display anything in reaction to this, but then when the call does come in, some sort of visual indicator could be used to show that indeed this call was "authorized". In fact, this scheme could be useful for any entity trying to legitimately call someone. Of course Apple would charge a fee for this service to outside entities, but I'm wondering if it's going to come to a point where a system like this is all but necessary.
In theory, the phone system could be reworked to be secure. I think one of the main reasons it isn't being done is because there have been some seriously scary incidents in the past where entire regions of the US were without basic landline phone service for hours or days due to simple misconfigurations or bugs. Since telephone service is regulated, failure to provide service can result in some severe penalties. IIRC, if you were dying and 911 failed to work - especially on a landline - you or your family could sue and likely win. Due to both the fact that it has happened before, and the fact that if it does happen the fines can be astronomical, many entities are afraid to even look at the CO switches the wrong way.
Perhaps Apple needs to start spending some of that war chest and start up it's own carrier so that they can avoid these sorts of issues.
How is it even possible to spoof a caller ID? These are issued by the network, they're not like text messages or emails where your device gives a "reply to" address. The network literally tells the receiving phone what number the call is coming from. How is it possible to interfere with that?
Spoofing calls is only allowed because the phone company makes a ton of money from the scammers and marketeers.
One quick programming changed and the phone company could provide only the real phone number. The phone company knows which number to bill the call to and therefore they know which number to show on a person's phone. They just choose not to. It will never change because there is too much money involved for the phone company. Apple has no say, they just use the API given.
One quick programming changed and the phone company could provide only the real phone number. The phone company knows which number to bill the call to and therefore they know which number to show on a person's phone. They just choose not to. It will never change because there is too much money involved for the phone company. Apple has no say, they just use the API given.
At the very least, if you get a legitimate call from your bank, they would greet you by your full name and would provide some specifics as to their inquiry. A scammer has no idea who's on the other end of the line so that they would try to get you to tell them your name, what account(s) and/or credit card(s) you have as well as verification info such as SSN, address, mother's name, etc. And yes, you are spot on for not discussing any of that on incoming calls and instead to call back the bank's number listed on the back of the card, statements, official website, etc. When I get these fraud warning calls from my bank, I never pick those calls up, but the message that they leave usually has some detailed information to verify their legitimacy. For example: "Hello, this message is for Joseph Schmoe. Mr. Schmoe, this is John Smith from Security Team at Chase, we are calling you regarding your Chase Freedom Visa card ending with 1234. We have spotted several transactions that we need to review with you. Please call us at your earliest convenience at 800-555-1234 and reference message ABC1234567. Thank you and we are hoping to speak to you soon. Have a great day!"
P.S. And if your credit card was really flagged for major fraud, it would get locked immediately, which would prompt you to call your bank ASAP.
I agree, although it isn't just the US that has this problem, but a global one We have exactly the same issue in the UK too. A lot of these calls that show up with a UK number actually originate from outside the UK (e.g. generally India), so I would have thought it would be easy for British Telecom to just block any calls with a UK caller ID, which originate from outside the UK, but I guess it isn't. It probably needs a global solution from all the telcos, which probably isn't going to happen until landlines are got rid of and everyone goes to VOIP.
OR you could say to them "This number is about to be disconnected but please phone me on my new number which is xxx xxxx " Make sure that the new phone number is a premium rate phone number that earns you a few dollars per hour. Then when they phone it they get a recorded message pretending to be real. Sort of like this.
Sounds of people arguing in the background
You - "Hello...hello...can you hang on a moment please. OI YOU LOT, SHUT THE **** UP WILL YA, I'M ON THE PHONE!. Sorry about that, yes you were saying." The message pauses for a few seconds to give them a moment to talk then " Oh for god's sake, sorry can you hold on a moment, IF YOU LOT DON'T SHUT THE ***** HELL UP THEN I WILL SWING FOR YOU" Then the message pauses for a few more seconds and then you come back "Yes........ok.......ah-ha.....Hang on a bit" The message plays the sounds of a phone ringing and you answering it and talking for a minute. Then you keep this charade up for at least 10 minutes. This way you get to earn money without having to speak to them and if they cotton then they are less likely to bother you again. If they hang on long enough you could play at the end of the message something along the lines of "Thank you for listening to this message, as a result I have earned $X, so thank you for your stupidity"
The only potential problem is if US legislations force you to tell the caller of call costs etc. A lot of these scammers are not from the US or country of the person they target. They often come from Africa etc.
[doublepost=1546643695][/doublepost]
I think they either phone and hope for the best or they get lists bought/stolen from websites that might contain such data.
I wonder if they still have lines with (900) are code. Most likely not, they probably did away with those the same time they did away with long distance fees here in the US.
But back in the day when they had those, operators of these lines did indeed have to advertise the cost of calls ahead of time. Most of these lines were for phone sex, which became obsolete with advent of internet porn.
There were, however, con artists that would go around and trick call these numbers. For example, they would show up at some store and claim to have a delivery for them that no one inside had any idea about. After going back and forth several times, they would ask if it's OK to use their phone to call their boss to see if there's been a mistake. The victim would have no problem with that and the trickster would then call the (900) number, pretend to talk to someone for several minutes, then apologize profusely saying there's indeed been a mistake and leave. At the end of the month, the poor victim would get a phone bill that's several hundred dollars higher than usual and in most cases, had no choice but to pay up as disputing was next to impossible.
The vast majority of major corps have long since outsourced their calling centers to India, so both scammers and legit calls originate from India.
Also, major corps all use spoofing too. When you do get a legit call from Apple, they aren't using THE ONE AND ONLY Apple phone to call you. No, they are using one of the 10,000 phone lines that spoof that number.
As someone else said, this is ancient tech. Fixing this requires breaking backwards compatibility, which would affect a wide range of things.
*Nope, how can you tell? Have you been to all countries in the world? FUD, we (where I live) don't have these problems.
* Nope= There's no number spoofing here.
Last edited:
Unfortunately it's ridiculously easy to spoof a Caller ID number. Changing one string in my Cisco Call Manager I could set it to whatever number I want...
Too rational. Those big company paid big bucks to the elected officials in the government.
I would love to see this getting implemented right away to fix this crap.
There are commercial providers who do it for you, an example; https://www.spoofcard.com/
The reason why it generally allowed is that police, doctors, support personnel, and others should have the possibility to call you with their personal devices without be required to show their own numbers, but rather the one to their exchange or office.
The Caller ID is a digital to analog signaling system which is sent during call setup and because calls can be routed through various networks it is not extremely hard, for mobile phones it is usually provided by the network, but you can suppress it.
This is all well and good. But just before Xmas I received a call from an unidentified mobile. I often ignore these calls but I answered. It was an Amazon delivery driver who had my street address but no number for some reason. I was able to give him my house number and went out to meet him. It was a vital delivery for my wife's Xmas. Not always a good idea to block /ignore unknown callers
Famous last words? If you live in a country where you can't receive international calls and calls from another network or phone exchanges, or/and can't use VoIP services I will believe you. It may not be rampant or a problem, but it does not mean it does not exist. Of course scammers do usually some ROI analysis and if you live in a country where few uses for example credit cards they will not likely attempt at credit card scams, or if few have mobile phones or pc or whatever.
Thanks. Have tried. Total kludge.
Who cares if the number is spoofed? It’s unlikely to be in my list of contacts. The simple heuristic is, handled entirely on the phone, since the carriers don’t seem to care.
1. Deny blocked calls;
2. Check numbers against a hash table of numbers in my phone book, deny any that don’t match;
3. Allow all.
They don’t. They are just guessing. There. was a great series of episodes on the Reply All podcast where the hosts tracked down phishers who were using a similar line (your Apple ID has been hacked...). I’m sure we’ve all gotten similar ones about “your windows computer has been hacked...”.
Deleted long ago.
Fact, we don't have phone number spoofing here, I don't know why not but I never heard of it, we do have "number unknown" or "number withheld"...no spoofing.
Might be our providers are less corrupt.
Or really do care about their customers.But that's the whole problem with the system. IMO, spoofing should be limited to number(s) you have active service on, not just any random number as you please. Again, there are legitimate uses for spoofing. When you would like to call on work-related matters from personal phone number, your work needs to have a way to dial into the work exchange, then place an outbound call from it, that way customer or whoever you are calling will see the work number on their Caller ID as originally intended. Or if you work at a call center and would like to spoof the main number that customers use to call in, it should not be a problem as the company is legally paying for service on that number. Telcos need to set up verification that makes sure that the number that's being shown on Caller ID is the number that this caller has legal rights to, not just anything they enter into their dialing software, which is probably what's happening with all these robocalls.
It’s not the phone, it’s the carriers/telecoms that should be catching it. They own the equipment that the callS originate and pass through.
Yup, reason why there's no spoofing here, but some do believe it's a worldwide problem...it's not.
Probably just a software thingy.