Taking Back the ID

Beware of These New Cellphone Identity Theft Scams

[Some links may no longer be available. —Ed.]

Winnie Franklin received a text message on her cell phone that purported to be from Wells Fargo Bank. The message read: "Wells Fargo notice — Your card 4868 has been deactivated." Included with the message was a telephone number to call to receive additional information to fix the perceived problem. Winnie recently had completed a fraud examination class at a local university, and one thing she had learned was to be highly skeptical of any unusual message originating from her land line, cellphone or computer. So, she wisely ignored the text message, opened her laptop and emailed all her friends to warn them about the potential scam. Good thing she did, because the text message was a "smishing" scam, which I will explain later in this column.

 

Identity Theft and Cellphones  

According to the Federal Communications Commission (FCC), cellular fraud is defined as "the unauthorized use, tampering or manipulation of a cellular phone or service." The Federal Trade Commission (FTC) tracked consumer complaints of identity theft from fraudulent cell phone scams and reported its findings in an annual Consumer Sentinel Network Data Book. Of the 250,854 identity theft complaints reported in 2010, the wireless or cellphone category accounted for 3.7 percent, or 9,282, of them. Cellphone use is escalating and, most likely, the number of related identity-theft complaints will escalate with it. In addition, technology-savvy criminals will continue to develop new cellphone scams that we'll have to confront.

Cellphones are increasingly popular targets. Fraudsters are exploiting the cellphone arena to market their scams and harvest personally identifiable information. This has been particularly true over the past 20 months because consumers now can conduct transactions with financial institutions from their handhelds. An analysis of some significant cellphone scams follows.

Smishing/Vishing Cellular Fraud  

The opening fraudulent case is fictional, but my wife alerted me to this high-tech scam — called smishing or vishing — when she received a similar message on her cellphone in early October. According to Ken Serrano, in his Oct. 19, 2010, article, "'Smishing' Scammers May Hit Cells," in USA Today, "The slang term smishing, sometimes spelled SMiShing, is a combination of the abbreviation for text messages — SMS, or Short Message Service — and phishing." (Vishing is the combination of voice and phishing.) The anatomy of the scheme follows.

According to the Nov. 24, 2010, article "Smishing and Vishing and Other Cyber Scams to Watch Out for This Holiday" on the FBI's website, a fraudster will develop an alarming text or taped phone message, such as "Your ATM card needs to be reactivated" or "There's a problem with your account," which he hopes will propel recipients to quickly act emotionally without thinking of the consequences. The fraudster will then devise an automated dialing system to call or text the alarming message to potential victims in a specific geographic area or area code. (Alternatively, he may call individuals after stealing their phone numbers from financial institutions.)

The message instructs recipients to call a phone number, push a number on the keypad or visit a phony website at which they are asked for their personal identification numbers, account information, credit account numbers, Social Security numbers and mothers' maiden names. Then the fraudster can establish credit accounts in victims' names or pilfer their bank accounts.

According to Serrano, "smartphone users inadvertently have downloaded malware, designed to mine personal information, by responding to emails on their phones."

The FBI reported these examples of smishing scams:

  • Account holders at a credit union, after receiving a text message about an account problem, called the phone number in the text, gave out personal information and had money withdrawn from their bank accounts within 10 minutes of their calls.
  • Customers at a bank received a text saying they needed to reactivate their ATM cards. Some called the phone number in the text and were prompted to provide their ATM card numbers, PINs and expiration dates. Thousands of fraudulent withdrawals followed.

The Wells Fargo smishing scam noted above began on the West Coast in August 2011 and has since popped up in the state of Washington, Oregon, the Dakotas, Utah and parts of Colorado, according to a Wells Fargo spokesperson whom Serrano interviewed. (Fraudsters also have used other banks with this scam, including Capital One, Bank of America and Citibank.) The fear is that the scam will spread across the U.S. Individuals who have received the fraudulent messages are instructed to report the incident by calling Wells Fargo at (866) 867-5568 or visiting www.wellsfargo.com (or contacting other banks if they purportedly received messages from them).

Subscriber Cellular Fraud

According to the FCC, subscriber cellular fraud is the "primary type of cell fraud," costing carriers more than $150 million per year. The scam originates when an individual fraudulently obtains personal information of victims and uses it to open up new cell phone accounts in the victims' names. Each victim, who ends up with two cell phone accounts, is charged for his or her legitimate calls and the fraudster's. The victims then have to try to disavow the bogus charges.

Cloning Cellular Fraud

In this scheme, a fraudster will steal the telephone number (MIN) and unique factory-set electronic serial number (ESN) of a victim's phone and program those numbers on another cellphone. According to the act, "unscrupulous people can obtain valid ESN/MIN combinations by illegally monitoring the radio wave transmissions from the cell phones of legitimate subscribers. After cloning, both the legitimate and the fraudulent cell phones have the same ESN/MIN combination, and cellular systems cannot distinguish the cloned cell phone from the legitimate one."

A cellphone company charges the victim for the fraudster's calls on the cloned cellphone. Cellphone users need to study their individual charges on their statements.

Even though it's still common today, cellphone cloning accounted for a large part of cellular fraud prior to the Wireless Telephone Protection Act of 1998. The act "expanded prior law to criminalize the use, possession, manufacture or sale of cloning hardware or software." In addition, cellphone manufacturers have improved cellphone authentication systems, which has reduced cloning.

Protection From Cellular Fraud Scams

In a relatively short time, we've gone from mammoth IBM computers that filled rooms to PCs to laptops to smartphones. Smaller handheld computers substantially increase the possibilities of identity theft. An estimated 3 million cellphones are lost and stolen annually in the U.S. (Hang on to your phones!)

The FBI offers these tips for protecting yourself from mobile and other cyberscams:

  • Don't respond to text messages or automated voice messages from unknown or blocked numbers on your mobile phone.
  • Treat your mobile phone like you would your computer. Don't download anything unless you trust the source.
  • Don't respond to unsolicited emails (or to text messages or phone calls, for that matter) requesting personally identifiable information, and never click on links or attachments associated with these solicitations.

In addition, check your cellular company's website to view possible links to learn more about how to protect your phone.

If you or someone you know has been victimized by cellular fraud, file a complaint with these organizations:

  • Your real cell phone carrier (if cellular cloning fraud was involved) or the carrier where the fraudulent account was established (if subscriber cellular fraud was involved).
  • Your local law enforcement agency.
  • The FTC.
  • The Internet Crime Complaint Center.
  • The FBI.

Share this information about cellular frauds with your clients, friends and family. We need to do a better job of protecting our computing devices and related personal information if we're going to continue to put a dent in identity theft. As usual, if you have any interesting identity theft issues you want me to research and report, please contact me. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash.  

 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
