
Scam callers and spoofed telephone numbers.

One of the consequences of the ease with which a phone number can be spoofed, combined with the fact that scammers tend to know more about you than the tech support scammers of old, is that they can often spoof the customer services phone number that your bank or credit card provider puts on the back of your debit or credit card. At one time, scam calls were almost entirely random. The scammer might have ascertained the geographical address to match your landline, but probably didn’t have much else. However, there have been many data breaches in recent years where a financial or retail organization’s database has been hacked, disclosing information that might include not only the name of your bank, but your account number and mobile number, and sometimes even more sensitive information. As a result, we now hear of people being defrauded because the scammer is able to tell them to check the back of their bank card to ‘prove’ that the phone number they’re calling from is the real one used by the bank.

However, this isn’t quite as bad as it sounds. In many cases, the number from which the scammer appears to be calling is a Do Not Originate (DNO) number, listed on an industry database of numbers which should never be used to initiate a phone call to a customer, but only to receive calls from customers. This database is made available to phone networks to use to block calls that seem to come from a DNO number. Unfortunately, not all financial services providers are signed up to this service, and not all telephone networks make use of it.
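
As an added illustration (not code from the original post or from any registry operator), here is a sketch of how a network could screen the presented caller ID of an inbound call against a DNO list. The list entries, the function names and the UK number normalisation rules are all assumptions made for the example.

```python
import re

# Constructed sample DNO list (inbound-only numbers) in E.164 form.
# Made-up entries for illustration, not real registry data.
SAMPLE_DNO_LIST = {"+442079460123", "+448081570456"}


def normalise_uk_number(presented):
    """Reduce a presented caller ID to E.164, or None if it is unusable."""
    if not presented:
        return None
    text = presented.strip()
    has_plus = text.startswith("+")
    digits = re.sub(r"\D", "", text)      # drop spaces, hyphens, brackets
    if has_plus:
        e164 = "+" + digits
    elif digits.startswith("00"):         # international prefix, e.g. 0044...
        e164 = "+" + digits[2:]
    elif digits.startswith("0"):          # UK national format, e.g. 020...
        e164 = "+44" + digits[1:]
    else:
        return None                       # withheld or ambiguous
    if e164.startswith("+440"):           # "+44 (0)20 ..." written with trunk 0
        e164 = "+44" + e164[4:]
    return e164 if len(e164) > 4 else None


def screen_call(presented, dno_list=SAMPLE_DNO_LIST):
    """Return (decision, reason) for one inbound call."""
    number = normalise_uk_number(presented)
    if number is None:
        return ("allow", "no usable caller ID; DNO check cannot decide")
    if number in dno_list:
        # An inbound-only number can never legitimately originate a call.
        return ("block", "caller ID is an inbound-only (DNO) number")
    # Absence from the list proves nothing: the owner may not have registered.
    return ("allow", "not on DNO list; this does not prove the call is genuine")


if __name__ == "__main__":
    # Constructed caller IDs showing the formats a network might receive.
    for cli in ["020 7946 0123", "+44 (0)20 7946 0123",
                "0044 808 157 0456", "020 7946 0999", "Withheld"]:
        print(f"{cli!r:24} -> {screen_call(cli)}")
```

The same spoofed number is caught in each of the three written forms, while a number its owner never registered passes straight through, which is the gap described above.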

There is also an SMS SenderID Protection Registry intended to reduce the volume and effectiveness of scam texts. The Mobile Ecosystem Forum (MEF) states that this “enables organisations to register the message headers used when sending text messages to their customers and limits the ability of fraudsters to impersonate a brand by checking whether the sender is the genuine registered party.” However, not all services and networks are signed up to it.

The best time to check on whether your bank or telephone network is signed up to these services is now, not when you receive a suspicious message or phone call. However, if you get a text alerting you to a ‘security problem’, you should check with a known authentic number, not by responding to the text or to a number or link given in that text. If you receive a phone call where the ‘customer service agent’ or ‘fraud investigation team’ tells you to compare the number on your bank card or similar with the number from which they appear to be calling, you should never accept that as a means of authentication. Ring the number you know to be authentic. (If the call is genuine, they should be encouraging you to do this, not trying to persuade you not to, even if they really are calling from that number.)

The DNO database referred to here is specific to the UK. Ofcom states: “Ofcom and UK Finance set up the DNO list in 2019 and worked with telecoms companies, devolved administrations, government agencies such as HMRC and other public sector bodies, to record inbound-only telephone numbers that would not be used to call consumers.” However, other countries have, as you’d expect, adopted the same approach. In the US, the Industry Traceback Group has maintained a DNO Registry since 2017.

I’m not always a fan of Which, but this is a pretty good article: Is your bank protecting you from number spoofing scams?

David Harley

*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/05/23/scam-callers-and-spoofed-telephone-numbers/