Telephone fraud is a significant and growing problem. Decreasing costs and automation have made the telephone an attractive medium for disseminating unsolicited information. Telephone phishing can be more convincing than other forms of fraud because it presents an enticing harmony of both visual and audible cues. In the midst of concerns with telephone scams, however, it remains unclear why people fall for them and how to combat the problem.
Tu et al. ran a telephone phishing experiment on a university campus. Researchers reviewed more than 150 real-world telephone scam samples to identify their main attributes. They then tested variations of those attributes on a population of 3,000 Arizona State University staff and faculty to assess their individual effectiveness. Contacts were randomly chosen from the university telephone directory, and then evenly separated into 10 experiment groups. Participants were called on their work phone with a pre-recorded message, according to one of ten sets of specific experimental characteristics. They were then prompted to enter the last four digits of their Social Security number. This led to a debriefing announcement and a survey asking if they had been convinced by the scam. The experiment was carefully designed in collaboration with the university’s Institutional Review Board because of its involuntary participation.
Impersonating an internal entity was the attribute most linked to attack success. The experiment where participants were shown a caller ID displaying a faked internal department name was the most effective, with 10 percent (31/300) of recipients entering the last digits of their Social Security number. Manipulating the area code also had a small but noticeable impact on attack success. On the contrary, manipulating the type of motivation, voice production, voice accent and caller name did not result in a higher success rate. Across all 10 experimental groups, 5 percent of participants (148/3000) entered at least a digit when requested to enter their Social Security information. To account for the possibility of recipients entering a fake Social Security number, the authors removed the participants who subsequently stated that they were unconvinced by the scam during the survey process.
ID spoofing is a very effective feature in telephone scams. Given the success of impersonation techniques, scam prevention efforts should prioritize impersonation countermeasures. Technical solutions such as caller ID authentication are recommended to provide users with early impersonation warnings. Feedback from survey participants indicates that vigilance was an important reason for not falling for a scam. Education and awareness campaigns are thus also recommended as scam countermeasures.
ID spoofing is a very effective feature in telephone scams. Prevention efforts should accordingly prioritize impersonation countermeasures.