IRS, Social Security and iPhones: Sophisticated phone phishing scams on the rise

It’s tax season, so you know what that means: Beware of phishing phone calls from callers posing as Internal Revenue Service agents.

Last year, we wrote an article explaining how the IRS phone scam works. But this year, we are hearing about increasingly sophisticated phone phishing scams involving other government agencies and trusted companies you may already do business with, such as Apple.

The more straightforward phishing scams work something like this:

  • You receive a call from a number that looks like the IRS toll-free number.

  • The caller poses as an IRS representative claiming that you owe money to the IRS.

  • You are told that you must pay the balance promptly using a pre-loaded debit card or wire transfer or be subject to punishment. They may even threaten to arrest you or suspend your driver’s license.

The IRS reports that they typically send letters and would never use threats.

Social Security imposters employ similar tactics. One of our clients told us that he recently received a voicemail purporting to be from an agent of the Social Security Administration. The message stated that his Social Security number had been suspended. He did not call back, and he let us know so we could warn others about the scam.

According to the Social Security Administration, this scam is common. “The Social Security Administration (SSA) and its Office of the Inspector General (OIG) have received several reports from citizens across the country about persons receiving phone calls from individuals posing as OIG investigators. The caller indicates an issue exists pertaining to the person’s Social Security account or Social Security number (SSN) and directs the person to call a non-SSA telephone number to address the issue,” the agency reports.

None of these claims turn out to be true, the agency cautions. “Citizens should be aware that the scheme’s details may vary; however, citizens should avoid calling the number provided, as the unknown caller might attempt to acquire personal information.”

While many people may be aware of these types of phishing attempts spoofing government agencies, particularly around tax time, we are now hearing about much more sophisticated attempts using the logos of trusted companies you already do business with, as well as what appear to be legitimate company telephone numbers displayed in caller ID.

In one example, Krebs on Security alerts readers about a scam targeting iPhone users.

“A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people,” the site notes. “It starts with an automated call that displays Apple’s logo, address and real phone number, warning about a data breach at the company.”

In one specific case, a phishing phone call went to Jody Westby, the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby told Krebs that she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised and that she needed to call a 1-866 number before doing anything else with her phone. She followed up with Apple, which had no record of calling her and said it doesn’t initiate calls. But what alarmed her the most was that the fake call was indexed in the iPhone’s ‘recent calls’ list as a previous call from the legitimate Apple Support line.

Krebs on Security offers a tip to recipients of these types of alarming phishing phone calls: “If a call has you worried that there might be something wrong and you wish to call them back, don’t call the number offered to you by the caller. If you want to reach your bank, for example, call the number on the back of your card. If it’s another company you do business with, go to the company’s website and look up their main customer support number.”

As these scams are getting more and more sophisticated, it is even more important that you’re careful about which calls you take, who you call back, and the information you provide over the phone.

Below are a few best practices for recipients of questionable telephone calls:

  • Hang up. It is the safest remedy if you get a suspicious call.

  • If you don’t know who is calling, avoid the call and let it go to voicemail.

  • Don’t wire money to anyone you don’t know, and be wary of anyone calling who seems insistent or urgent.

  • Never reply to messages asking for your financial or other personal information.

  • Do not confirm or deny your identity until you know who is calling. The person who called – and not the person who answers the phone – should identify themselves first.

  • Check the legitimacy of any agency, organization or company cold calling you by doing a quick online search while on the phone. (However, the Krebs report warns even an online search can be risky, since scammers often populate the Internet with misinformation.)

  • Do not disclose usernames or passwords. Do not confirm computer usage, ownership of anything in your house or account numbers.

  • Tell them you are recording the call (and do it if you can). If they hang up, then it is a phone scam.

  • Do not go to websites following the prompts of a cold call. If you do, chances are that you're downloading a virus or allowing access to your computer and data.

Phishing scams, particularly on the phone, try to make someone feel scared or rushed in hopes they will let their guard down and provide the requested information rather than listening to their gut and following best practices.

Who to call if you are a target of a phishing phone scam

For any phishing attempt, contact the Federal Bureau of Investigation at https://www.fbi.gov/contact-us.

Targeted victims of IRS telephone scams can call the IRS at 1.800.829.1040 or the Treasury Inspector General for Tax Administration at 1.800.366.4484. There is also an “IRS Impersonation Scam Reporting” form on their website.

If a person has questions about any communication that claims to be from the Social Security Administration, they can call Social Security’s toll-free customer service number at 1-800-772-1213.


If you are interested in learning more about how Sinu can help with data security and the creation of tech policies to keep your organization safe, let’s talk! Only 10 minutes of your time, no obligation, and invaluable information for free. Contact us below to find out more.