Update: Republished on April 8 with new analysis and advice as mobile attacks surge.
The U.S. is in the grip of a phishing attack sweeping “state-to-state,” with Las Vegas and Phoenix the latest cities to receive warnings from the bureau as a toll scam attributed to Chinese hackers shows no signs of slowing. But just as America becomes more aware of that particular threat, here comes another one that’s much more malicious.
The bureau is now warning that criminals are “impersonating law enforcement or government officials in attempts to extort money or steal personally identifiable information.” This threat may come at you by email, with “the appearance of legitimacy by using pictures of the FBI Director and/or the FBI seal and letterhead.” But it’s more likely to be a phone call. “On the phone, scammers often spoof caller ID information, so fraudulent calls appear to be coming from an agency’s legitimate phone number.”
The bureau’s advice is clear. “Hang up immediately and report the call to law enforcement.” It should be an obvious red flag, but in the moment with a well-versed scammer on the phone, it can be all too easy to fall victim. “Law enforcement does not call or email individuals threatening arrest or demanding money.”
This scam comes in several flavors, and the FBI gives examples:
- “Demanding payment or threatening arrest. You will also not be asked to wire a ‘settlement’ to avoid arrest.
- Asking you to use large sums of your own money to help catch a criminal.
- Requesting you send money via wire transfer to foreign accounts, cryptocurrency, or gift/prepaid cards
- Calling you about ‘frozen’ Social Security numbers or to coordinate inheritances.”
Echoes here of the “phantom hacker” calls that the bureau warned about earlier this year. This is when a spoofed bank call tricks users into transferring money to a new account to safeguard it from an ongoing attack. Again, a bank will never call to ask you to move money, just as technical support will never unexpectedly call to inform you that there’s a fault with your phone or computer, proactively offering to help.
The latest law enforcement impersonation warning comes by way of the FBI’s Philadelphia Field Office, but just as with the toll scam it’s a much wider threat. Last week, the San Francisco Police Department warned its Chinese community that “individuals [have been] impersonating local health care providers, federal employees, and foreign police officers, claiming to be from cities located in China.”
These scams have even included “video calls [with] suspects dressed in Chinese police officers’ uniforms with a background resembling a police station in China. The victims were instructed to download communications applications like Signal or Skype for texts, voice calls and video calls to discuss the alleged fraud further.”
We have also seen criminals impersonating ICE officers this year, playing to the political focus on immigration and making deportation threats unless fines are paid quickly. Scammers like nothing more than a topical event to cloak their attack. As such, you can expect a wave of tariff-related scams to proliferate over the coming weeks.
Notwithstanding the seriousness of this latest warning, it’s nothing compared to the ongoing unpaid toll scam which continues to generate multiple headlines each week as more state and city agency names are co-opted into the attack. The Chinese phishing kit behind the attacks lends itself to viral growth, and the scam is now getting even worse.
“Individuals need to be cognizant that their security is also at risk on their personal devices and that it is very easy for threat actors to spoof phone numbers and pretend to be someone they are not.” That’s the stark warning from Cofense’s Chance Caldwell, who leads the cybersecurity firm’s phishing defense unit.
Bleeping Computer warns of a new “surge in this mobile phishing campaign,” with “the volume of texts being sent in this scam is so large that users have been expressing their frustration over the frequency and persistence of the particular scam attempts, sometimes reaching up to 7 messages in a day.”
“Smishing continues to grow as a threat,” Caldwell says, “because almost everyone has a phone and most of us are constantly glued to it. They can just send out a smishing attack to a large number of random phone numbers and they are likely going to be looked at. You might not look at every email you receive, but you are likely to look at every SMS you receive. Also, unlike email, text-based services are not as heavily monitored or provide the same level of built-in security monitoring. Enterprise organizations do not have the same level of control over their employees’ personal phones as they do their email.”
One Redditor posted that they have received “these texts once every week or so for the past couple of months,” with another warning that “currently this is the most popular scam running. Requires very little effort on the scammer’s part but still seems to be making money for them or they would change tactics.”
According to Cofense’s Max Gannon, “one way for individuals to protect themselves from these types of scams is to independently verify any links before clicking on them, especially those claiming to be from financial institutions or government entities. A quick online search can often reveal that the URL doesn’t actually belong to the organization it’s impersonating. Another easy indicator or red flag to watch for is whether the message was part of a group text or sent to other people. The last two versions of this scam I received on my personal phone were also sent to other people, making it crystal clear that this message was malicious.”
And it can be relentless when the scammers have your cell number in focus. “About a few weeks ago, I started getting a text about toll violations and wondered why I got that,” another Redditor complained. “I never drive on any toll roads and I do not live close to any toll roads. Later on I get more of these texts telling me that I’ll have consequences if I don’t pay my toll in time. I already figured that these are all scams because today I got two of these texts and they all have different paying dates and shady links. I’ve been trying to delete them but they keep on popping up in my messages. I don’t know how to get rid of them.”
This “new wave of toll fee scams” is now “heading your way,” warns Malwarebytes, adding that it “usually creates a sense of urgency — a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences… Some users get up to 7 such messages in a day.”
Just remember, regardless of what number appears on your iPhone or Android screen, no law enforcement officer, bank official, tech support agent or anyone else in an official capacity is going to call you out of the blue to demand information, ask you to install software, or demand money. Hang up and call back or go online using a normal, publicly available source. Don’t take any risks.
“Smishing is becoming such a large threat because it is for the most part outside of enterprise security,” Gannon says. “It is also outside of the situations that most security awareness training platforms prepare people for. Some apps like Google messenger which I use do a decent job of filtering out the malicious content but the bulk of it could be done by native applications. The issue becomes how much personal data security are you willing to give up to prevent phishing. The onus also lies with the telco providers who allow this abuse of their services.”
Caldwell echoes this complaint. “While the level of security provided by different OS platforms varies, the overall weak security provided to SMS in comparison to email comes down to the lack of financial pressure to provide better security. Email providers are seen as a vendor for large corporations and receive pressure from these organizations to keep their users safe, whereas these SMS providers are not held to the same security standards by organizations and are seen as a ‘utility’ service rather than a vendor that they need to directly manage.”
Meanwhile, as the FTC has just warned once again, any unpaid toll bill text is almost certainly a scam. If you have any doubts, call the toll agency’s number or go online. Do not click any links, give away any information or make any payments.