Teams, Security, Caller ID spoofing
Security information from Technology Services Privacy and Information Security team.
Caller ID spoofing - A tough, and as-of-right-now, un-fixable problem
You get a call. You look at your phone and it reports that the incoming call is coming from on-campus. If you're on a university-owned computer, your phone or computer might even helpfully look up and display the caller's name from the directory. But when you answer, your sixth sense rings out as a fraudster lays into you with their agenda—"Take our survey" or, "This is the FBI, Western Union us some money or we'll arrest you!" or, "Your dear relative has been in an accident overseas, send I-tunes gift cards, stat!" or, "Wire us money and we'll make you rich!", etc.You're confused! Why would our colleague take such a sleazy path, you may think. Alternatively, you may think that person has been hacked. In reality, it is not that person. In fact, whomever has just rung you is extremely unlikely to be anywhere near the university. The reason is simply that while digital telephony is the way of the future, it's not capable of enabling end users to detect fraud in this way yet.
- SIP trunking for digital telephony cannot do what old-school copper/switches used to give us: reliable origin reporting/tracing capability.
- The SIP protocol relies on all of the endpoints to report their phone numbers honestly, but with some fun SIP-spoofing software, anyone can change what phone number is reported to the caller-id of the call receiver.
- Customers, including large universities, cannot detect or prevent inbound calls from outside lines from reporting fraudulently that they came from the inside.
- This is why the telephone system has been afire with fraudsters, and why a growing number of congresspeople and AGs* are laying into the chairman of the FCC for a fix.
- As always, be vigilant when answering unexpected calls, especially when the caller suddenly asks you to wire money, gift cards, bitcoin, or anything of value.
- Do NOT assume that when a call shows as "local" that you should trust it.
- Report all fraudulent phone calls to the FTC. (https://www.ftccomplaintassistant.gov/)
- Never send anything of value based on an unverified incoming call.
- Never divulge any valuable, sensitive, or identifying information to the caller on an unverified incoming call.
SIP spoofing with Asterisk:
*The AGs have had it