Consumer Alert: Avoiding Phone Phishing Scams

written by
3 · 01 · 13

Consumers who receive incoming calls from their financial institutions are vulnerable to phone phishing scams, where dubious characters extract private data under the premise that they are the consumer’s financial service provider.

Consider the example of a mortgage borrower who receives a call where the caller ID is blocked. The caller could have researched public records to learn the identity of the property owner and the name of the mortgage lender.

With such information in hand, the caller pretends to be the lender and begins asking the consumer for personal data as part of security procedures. The consumer winds up giving out personal information to an unknown party.

JPMorgan Chase & Co. Spokeswoman Amy Bonitatibus acknowledged that Chase asks for customer verification so that information is not shared with other occupants at the home.

“But we always introduce ourselves, and we also state the reason for the call,” she said.

Another scenario involves a call that is only identified as a toll-free telephone on caller ID. This is the case with calls from Bank of America Corp., which also asks for verifying personal data. BofA didn’t comment in response to a request for clarification about its procedures.

While a toll-free number in the caller ID display might seem reassuring to the borrower, it doesn’t take much for a criminal operator to obtain a toll-free number and execute a phone phishing scheme.

Although a specific Chase department will show up on caller ID, the New York-based company’s name is not necessarily displayed, Bonitatibus said. But Chase never blocks its number from caller ID.

At Citigroup Inc., a toll-free number is displayed if the call originates from a dialer, while the direct extension is displayed when the call comes from an office group, a spokesman said in a statement. He noted that the company doesn’t block phone numbers from displaying on caller ID.

A third possibility would involve a call that is identified on caller ID as being from the consumer’s financial institution.

When an automated or outbound call is made by Wells Fargo & Co. to a mortgage customer, the caller ID display shows “Wells Fargo Mort,” “Wells Fargo Home Mort” or “WF,” according to Vickee J. Adams, vice president, external communications, for the San Francisco-based company. In addition, a Wells Fargo inbound number will be displayed.

Quicken Loans Inc. spokesman Aaron Emerson said in a statement that the Detroit-based firm doesn’t alter the listing of the company on caller ID, and all calls from the company will show the full company name and the main switchboard number (313.373.3000) — though just the telephone number shows on some wireless devices.

But even a displayed caller ID doesn’t mean that the call is actually from that party.

Tim Rohrbaugh, chief information security officer at Intersections Inc., says that currently available technology enables users to modify how their caller ID shows up at the other end of the line.

Take the case of Karen Elaine Hanover, who was arrested in 2011 for allegedly using spoofing technology to impersonate FBI agents, according to the U.S. Department of Justice. Hanover allegedly used voice altering technology that made her sound like a man to make calls from her cellular phone that showed up on caller ID as being the main telephone for the FBI’s Los Angeles Field Division. One of her clients was threatened with prison if she didn’t stop complaining about Hanover — who was accused of operating a commercial real estate scam.

Rohrbaugh called this practice, “spoof an ANI.”

“That, in itself, just tells you that you should never, as a practice — regardless of what you’re doing in your life — take an inbound call and give away this data unless you’re doing some joint or mutual verification that they are who they say they are,” Rohrbaugh warned. “And in this case, you didn’t know that the call was coming in, or most people don’t.

The calling party might provide consumers with telephone numbers they can call, themselves, to verify that the call is legitimate. But the number could be associated with a related criminal enterprise that is in on the scam.

Consumers that are working on a specific transaction and expecting a call from their lender can feel more confident that callers are who they claim to be.

Chase’s Bonitatibus explained, “If I tell you the reason I’m calling you is to talk about your modification, and you’re not being reviewed for a modification, then that should be a tip.”

But with unexpected calls, the only way that a consumer can be confident that they are speaking with their bank or financial services provider is to independently obtain a telephone number for the company.

Adams, of Wells Fargo, said bank customers are advised to ask for a call-back number then verify the authenticity of the phone number through legitimate company sources like, the back of a credit card, a monthly statement or the website. She noted that phishing also occurs by e-mail.

Chase always urges customers to call the numbers listed on statements, Bonitatibus said. She added that borrowers should never respond to requests sent by text or e-mail messages because “we never ask for personal information that way.”

Quicken uses a number of proactive measures to help clients confirm that they are actually talking with Quicken Loans.

“That said, for the very reason you are asking these questions, it would not be prudent for us to disclose those publicly,” Quicken’s Emerson stated.


Mortgage Daily Staff


Consectetur adipiscing elit dapibus, vulputate in donec tempor ultricies venenatis erat, aliquam posuere urna habitant.