As cybersecurity awareness grows and we all become more vigilant against clicking suspicious links or downloading unexpected attachments, cybercriminals are changing their approach. A particularly concerning trend is the rise of phishing emails that bypass traditional link- or attachment-based tactics. Instead, these emails include a phone number for recipients to call. This seemingly innocuous approach preys on human curiosity and trust, creating new challenges for cybersecurity professionals and individuals alike.
The Growth of Phone Call Phishing
Phone call phishing, also called callback phishing, is an email that includes a phone number to lure the recipient into calling. It differs from classic vishing in who places the call: in vishing the scammer phones the victim, frequently from a spoofed caller ID that impersonates a trusted entity, whereas in callback phishing the victim takes the first step by dialing the number in the email. Because the contact is self-initiated, the victim feels in control and the exchange seems less suspicious, while the urgency in the message makes that call happen quickly. Recent data highlights the rise of this tactic, with TrendSecure noting a 35% increase in emails containing scam phone numbers compared to the previous year. This growth underscores the need for heightened awareness of both forms of attack.
Common Types of Phone Number-Based Phishing Messages
- Technical Support Scams
- These emails claim that the recipient’s computer is infected with malware or that their account has been compromised. They often impersonate well-known companies like Microsoft, Apple, or Google.
- Example: “Your system has been infected with a critical virus. Call our toll-free number at 1-800-XXX-XXXX to resolve this issue immediately.”
- Fake Purchase Notifications
- Scammers send emails mimicking receipts or order confirmations for expensive items, prompting recipients to call if they did not authorize the purchase.
- Example: “Thank you for your purchase of a $1,499 laptop. If you did not make this purchase, call our billing department at 1-800-XXX-XXXX.”
- Subscription Renewal Scams
- These messages claim that a subscription (e.g., antivirus software, streaming services) is about to renew automatically and charge the recipient’s account unless they call to cancel.
- Example: “Your annual subscription to [Service Name] will renew tomorrow for $299. Call 1-800-XXX-XXXX if you wish to cancel.”
- Government Impersonation Scams
- Impersonating agencies like the IRS or Social Security Administration, these scams threaten legal action unless the recipient contacts the provided number.
- Example: “This is the IRS. You have unpaid taxes and will face penalties unless you call 1-800-XXX-XXXX immediately.”
- Account Verification Scams
- These messages claim that unusual activity has been detected on an account and request the recipient to call to verify their identity.
- Example: “Unusual login detected on your account. Call 1-800-XXX-XXXX to secure your account.”
Why These Scams Are Effective
First, these emails carry no URL to rewrite and no attachment to detonate, so the controls most mail gateways lean on, link scanning and attachment sandboxing, have nothing to inspect; the phone number is plain text that looks no different to a filter than a legitimate support line. Second, many people are conditioned to trust a phone conversation over a written message, and hearing a convincing human voice makes the scam feel legitimate. Once the victim is on the line, the scammer can use live psychological manipulation to extract credit card details, Social Security numbers, or account credentials, or to talk the victim through installing remote-access software, and a voice can project far more urgency than text, convincing victims that immediate action is necessary to avoid dire consequences.
Red Flags to Watch Out For
- Generic Greetings: Emails that do not address you by name (e.g., “Dear Customer”).
- Urgent Language: Phrases like “act immediately,” “final notice,” or “our system will lock you out” are designed to provoke panic.
- Unfamiliar Numbers: Toll-free numbers or area codes that don’t match the organization’s published contact information. A toll-free number is not suspicious on its own (many real support lines use one); what matters is whether it matches the number on the company’s official website, your payment card, or a past statement, and whether the email offers no other way to respond.
- Spelling and Grammar Errors: Many phishing emails contain noticeable mistakes that legitimate companies typically avoid.
- Unsolicited Messages: Emails about purchases or issues you weren’t expecting are often suspicious.
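The filter-evasion point above and the red flags just listed are easy to turn into a first-pass detector. The Python below is an added example written for this article, not code from the original page or from any vendor it mentions. It scores a message on those signals (a phone number as the only call to action, a toll-free prefix, urgency wording, a generic greeting, a quoted dollar amount, and a brand named in the text that does not match the sender's domain) and extracts the number for blocklisting or reporting. The sample messages, keyword lists, brand-to-domain allowlist and threshold are constructed assumptions; the 555-01xx numbers are reserved for fiction.

```python
"""Heuristic scoring of callback-phishing emails: messages with no link or
attachment whose only call to action is a phone number to dial.

Added illustration, not code from the original article. The sample messages,
keyword lists, brand allowlist and threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# North American numbers, optional leading +1, separators optional.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
TOLL_FREE = {"800", "888", "877", "866", "855", "844", "833"}
URL_RE = re.compile(r"https?://|www\.", re.I)

URGENCY = ("immediately", "act now", "final notice", "within 24 hours",
           "will be charged", "suspended", "legal action", "locked")
GENERIC_GREETING = ("dear customer", "dear user", "dear valued")
# Brands these lures impersonate, mapped to the domains they really mail from
# (constructed allowlist; a real deployment would use a maintained list).
BRAND_DOMAINS = {"microsoft": ("microsoft.com",), "paypal": ("paypal.com",),
                 "norton": ("norton.com",), "irs": ("irs.gov",)}
THRESHOLD = 5  # assumed cutoff; tune against your own mail


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    numbers: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def extract_numbers(text):
    """Return dialable numbers as 10-digit strings (leading 1 stripped)."""
    out = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        out.append(digits)
    return out


def analyze(sender, subject, body, has_attachment=False):
    v = Verdict()
    text = f"{subject}\n{body}"
    low = text.lower()
    v.numbers = extract_numbers(text)
    if not v.numbers:
        return v  # nothing to dial: not a callback lure, whatever else it is
    v.add(1, "contains a phone number")
    if any(n[:3] in TOLL_FREE for n in v.numbers):
        v.add(1, "number is toll-free")
    if not URL_RE.search(text) and not has_attachment:
        v.add(2, "no link or attachment: the number is the only call to action")
    if any(k in low for k in URGENCY):
        v.add(2, "urgency language")
    if any(g in low for g in GENERIC_GREETING):
        v.add(1, "generic greeting")
    if re.search(r"\$\s?\d", text):
        v.add(1, "dollar amount quoted")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        # Word-boundary match so "irs" does not fire on "first".
        if re.search(rf"\b{brand}\b", low) and not any(
                sender_domain == d or sender_domain.endswith("." + d)
                for d in domains):
            v.add(2, f"mentions {brand} but sender domain is {sender_domain}")
    return v


def is_callback_phish(v, threshold=THRESHOLD):
    return v.score >= threshold


# Constructed samples; 555-01xx numbers are reserved for fiction.
SCAM = dict(
    sender="billing-noreply@secure-notices.example",
    subject="Your PayPal order #48213 is confirmed",
    body="Dear Customer,\nThank you for your purchase of a $1,499 laptop. "
         "If you did not authorize this charge, call our billing department "
         "immediately at 1-800-555-0142.")
LEGIT = dict(
    sender="receipts@shop.example",
    subject="Your receipt",
    body="Hi Dana,\nThanks for your order. View details at "
         "https://shop.example/orders/48213 or call us at (206) 555-0199 "
         "during business hours.")

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("legit", LEGIT)):
        v = analyze(**msg)
        print(label, v.score, is_callback_phish(v), v.numbers, v.reasons)
```

A score threshold is a blunt instrument. In a real gateway this logic belongs alongside the existing link and attachment checks rather than in place of them, and the extracted number is the most useful output: it can be matched against a shared list of reported scam lines and handed to the reporting channels described below.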
What to Do If You Receive One of These Emails
- Don’t Call the Number
- Never call the number provided in an unsolicited email, even if it looks like a familiar toll-free line. If the email claims to be from a company you recognize, look up their contact information on their official website, on the back of your payment card, or on a previous statement, and use that instead.
- Verify the Claim
- Check your accounts or contact the company directly through official channels to confirm whether the issue mentioned in the email is legitimate.
- Report the Email
- Forward phishing emails to your organization’s cybersecurity team or report them to phishing-reporting services such as [email protected].
- Block and Delete
- Mark the email as spam or phishing in your email client and delete it immediately.
- Educate Others
- Inform colleagues, friends, and family about the scam to prevent others from falling victim.
- Monitor Your Accounts
- If you suspect you’ve engaged with a scammer, keep a close eye on your financial and online accounts for unauthorized activity. If you gave out card or bank details, contact the issuer and ask for the card to be replaced; if you shared a password, change it everywhere it was reused; and if you were talked into installing remote-access software, disconnect that machine from the network and have it checked before using it again.
Looking Ahead
As cybercriminals continue to adapt, staying informed and vigilant is crucial. Phone number-based phishing scams highlight the importance of evolving cybersecurity strategies to address emerging threats. By understanding these scams, recognizing the warning signs, and taking proactive steps, individuals and organizations can better protect themselves from falling victim.
Cybersecurity is an ever-changing battlefield, and awareness remains our best defense. If you’ve encountered a phone number-based phishing scam, sharing your experience can help others stay one step ahead. Together, we can reduce the effectiveness of these deceptive tactics and build a safer digital environment for everyone.