New ASU research identifies how scammers use social engineering to exploit victims' vulnerabilities
Consumers have increasingly become victims of telephone scams — including the recent proliferation of Social Security number suspension ploys — to gain access to their personal information. But what aspects of these calls makes us willing to hand over our private details?
Adam Doupé, an Arizona State University assistant professor of computer engineering, and his team conducted a study to evaluate the effectiveness of scam calls, determine what factors can influence their success and identify what areas research should be addressed to safeguard against them.
Findings of the study were presented at the USENIX Security Symposium this week in Santa Clara, California.
Voice “phishing” is a form of phone fraud that uses social engineering principles to trick recipients into sharing sensitive personal information. Scammers use visual cues, like an altered caller ID and alarming voice content, to persuade a target to comply.
Video by Deanna Dent/ASU Now
The researchers examined the visual and voice attributes of these calls to determine what characteristics encourage information sharing in order to design solutions that can help protect consumers. The team evaluated 150 successful, real-world samples and created its own IRS and human resources phishing scams, including an IRS tax lawsuit, an unclaimed tax return, a payroll withholding event and an HR bonus.
For the test scams, the team used the following components:
- IRS scams used spoofed area codes originating in Washington, D.C., or a toll-free number; HR scams used the local business area code.
- Caller IDs replicated a government or business.
- Male and female voices, either synthesized or a prerecorded human, all repeated the same message.
- A variety of accents were used.
The scam scenario that generated the greatest breach of personal security, 20% (of 60 people who continued with the call), used a company human resources caller ID with a synthesized American male voice. The second largest, at more than 17% (of 58 people who continued with the call), used a phone number that looked like a company number, but did not have an identifiable caller ID.
The research included 10 specific experiments fielded to 3,000 recipients during a single work week in late March 2017.
“Overall, the results were quite surprising: 3.7% of people possibly entered their Social Security numbers into an automated telephone scam,” Doupé said. “However, the most effective telephone spam campaign, which tricked 10.33% of the callers, was specifically targeted at people in their workplace, in what is known as a ‘spearphishing scam.’”
The experiment spoofed the caller ID of the phone call to appear to come from an internal employer system and used a company-specific scam scenario — an approaching payday.
After the initial announcement about the nature of the call, the recipient was asked to enter the number “1” to continue to the next message, followed by a request to enter the last four digits of their Social Security number. The study notes that in the real world, the last four digits of a Social Security number, together with the recipient’s phone number, presents a pathway to financial and identity fraud.
Those who entered their Social Security digits were then presented with a “debriefing survey” which explained the experiment and inquired about the recipient’s motivation for responding. The ending message provided researchers’ contact information. (No Social Security numbers were actually collected during the test.)
Across all 10 experiments to a total of 3,000 recipients, 256 (8.53%) continued listening to the scam announcement, and 112 (3.73%) called back in response to a voicemail. Among those who listened to the entire announcement, 148 (4.93%) entered at least one digit of their Social Security numbers.
In the survey, 35 (1.17%) said they were convinced by the scam, and for those who heard the final message and responded to the survey, 27 (1.23%) stated they were not convinced. Both messages involved a threatened payroll withholding.
The most significant finding is that impersonating an internal entity, like an HR department, had a significant effect on the success of a phone phishing scam. Individuals who entered a Social Security sequence and responded to the follow-up survey indicated that the company caller ID was a convincing factor, though the majority remained suspicious and exercised vigilance in protecting their personal information.
Most recipients of the tax-related calls who completed the survey said they already knew the IRS would not make calls like those in the test, with some indicating that a foreign accent added to their suspicions.
"This study shows that telephone scams are quite effective, and therefore countermeasures should be developed to counteract effective techniques, such as spoofing caller ID," Doupé said. “Users must be educated on the dangers of telephone scams, and that caller ID cannot be trusted.”
The paper, “Users Really Do Answer Telephone Scams,” was presented at the 28th USENIX Security Symposium on Aug. 14, by Huahong Tu (University of Maryland), Adam Doupé and Gail-Joon Ahn (Arizona State University), and Ziming Zhao (Rochester Institute of Technology).