If you want a good scare put into you, take the time to read the article “A Day in the Life of a Prolific Voice Phishing Crew” by KrebsOnSecurity. The post, in great detail, delves into the operations of a sophisticated voice phishing (vishing) group known as “Crypto Chameleon.” This group exploits legitimate services from tech giants like Apple and Google to deceive victims into divulging sensitive information. It should serve as a warning to those of us who think we are already tech-scam-savvy. These people continue to remain one step ahead of us. I’ll give you a quick summary of this case, and some advice on what to look out for that you should share with your staff, friends and family.

What Happened to Tony

One case the post outlines involves a cryptocurrency investor named Tony, who lost over $4.7 million in an elaborate vishing attack. The attackers initially contacted him via Google Assistant and misused Google’s services to send him legitimate-looking emails and account recovery prompts, thereby gaining his trust. This group, and others like it, often coordinate in real-time using platforms like the group chat site Discord, sharing screens to execute their schemes efficiently. Roles within these groups are clearly defined, with titles like:

• The Caller, who engages directly with the victim to manipulate them.
• The Operator, who manages the phishing panel, guiding the victim through fake processes.
• The Drainer, who accesses compromised accounts to siphon funds.
• The Owner, who oversees the phishing panel and often takes a percentage of the stolen funds.

As you can see, this isn’t a case of a run-of-the-mill hacker operating out of Mom’s basement! They are members of established, technologically advanced crime rings. And they just keep evolving their tactics.

How Voice Phishing Scams Generally Work

Let’s break down the modern phone scam. Voice phishing (AKA, vishing) scams typically start with a phone call from someone pretending to be a legitimate representative from a trusted organization. The caller might claim to be from your bank, a government agency, or a tech company like Google or Apple. The goal is to create a sense of urgency or fear, prompting you to act quickly without thinking.

Exploiting Trusted Services

Here are some of the ways the scammers take advantage of trusted services like Google and Apple:

Spoofed Caller IDs: Scammers use technology to spoof caller IDs, making it appear as though the call is coming from a legitimate Google or Apple support number. This increases the likelihood that the target will answer the call and trust the caller.

Fake Security Alerts: Cybercriminals often send fake security alerts via email or text, claiming that there is an issue with your Google or Apple account. These messages include a phone number to call for assistance, which connects you directly to the scammer.

Impersonating Support Representatives: Once on the call, the scammer impersonates a Google or Apple support representative. They might use technical jargon and reference real services to sound convincing. They may ask for personal information, such as your account credentials, verification codes, or payment details.

Remote Access Tools: In some cases, scammers ask targets to install remote access tools, claiming they need to fix a problem with their device. This gives the scammer control over the victim’s device, allowing them to steal sensitive information or install malware.

Protect Yourself!

There are a few things you should do (or not do) when confronted with one of these calls:

Verify Caller Identity: If you receive a call from someone claiming to be from Google or Apple, do not engage. Hang up and call the official support number listed on the company’s website. Do NOT trust the caller ID alone, as it can be spoofed.

Be Skeptical of Unsolicited Calls: Legitimate companies rarely ask for sensitive information over the phone. If you receive an unsolicited call asking for personal details, it’s likely a scam. Again, hang up and find the company’s official phone number online (or in the case of a credit card, on the back of your card). Call that number to find out if there is an issue with your account.

Do Not Share Verification Codes: Never share verification codes or passwords with anyone over the phone. Google and Apple will never ask for these details in this manner.

Awareness – and Skepticism – is the Key

Voice phishing scams are a growing threat, and cybercriminals are becoming increasingly adept at using services from trusted companies like Google and Apple to deceive their targets. By staying vigilant, well-informed, and following best practices for security, you can protect yourself and your loved ones from falling victim to these sophisticated schemes. Remember: When in doubt, take the skeptical route!  This has become my mantra.