I received a voicemail last year from someone claiming to be from “RMS” looking for a person named Adam Baker*.
While future research showed this to be incorrect, my immediate reaction was to think that this was my university’s missing persons department and that a student named Adam Baker was in trouble.
I have a friend named Adam. While his last name isn’t Baker, in my panic during my initial listening, I blanked on his last name and became worried that his last name was Baker. I began trying to think back to when I had last seen him. It got to the point that I had to ask a friend to make sure that this was not in fact referring to our friend and that the call was a scam.
Look, it seems dumb in retrospect, but I was tired at the moment, and I heard the voicemail at just the right time to get me paranoid.
This got me thinking: what if they had called asking me about one of my actual friends? What if a scammer called, claiming to be from the missing persons bureau, and asked for any information I had about a friend? What if they had someone’s actual name when calling and seemed to be legitimate?
Well, how would the actual missing persons bureau distinguish themselves from scammers? They could perhaps provide information not accessible by others, like my connection with the friend. Depending on how much information they had, maybe the bureau could provide personal information like my birthdate or even my social security number. This would seem like a legitimate enough way for them to prove their identity.
If they could provide this information to prove who they are, obviously, they wouldn’t want to provide this to whichever stranger picked up the phone. They’d have to verify my identity in some way besides my phone number before they could verify their identity. Maybe they’d need me to give them some information, like maybe my social security number, before they tell me who they are?
This, I realized, is where the scam could come in. If a scammer could call and could give some piece of my personal information, they might trick me into giving over more of my personal information.
Maybe they could give me either Adam’s or my email addresses and/or phone numbers, or maybe even our home address. Fortunately, there’s no easy way for scammers to find this data. There’s no way for scammers to link people’s names and phone numbers, much less their email addresses, together… right?
As we’ve seen many, many, many times, data breaches have become (unfortunately) a normal part of our day-to-day life. Troy Hunt maintains a website called Have I Been Pwned which has teamed up with the FBI to maintain a database of emails and passwords that have been leaked online. He also maintains a Twitter account and a page that lists data breaches as they become public. The fact that it lists 8 data breaches in January of 2021 alone which have leaked a total of almost 111 million emails should show us that data breaches are a major issue. Remember, this is 111 million email addresses leaked in one month.
How long will it be until scammers start using this data against us? Once they do, what can we do about this threat?
Imagine a scammer’s conversation with your grandparents going like this:
“Hi, is this Grandma Ellen?”
“Yes, who is this?”
“Hi, this is Fredrick Scottsman from the Missing Persons Bureau. I’m calling because Grandson Joey is missing and he has you listed as an emergency contact.”
I know that some relatives have received calls saying their child is in a hospital, so there are many ways this could be spun.
Grandma starts panicking: “Oh my gosh! Is he okay?”
“We can’t tell you any more details about this case until you verify your identity. To show that you’re actually who you say you are, we need you to verify your social security number.”
Maybe Grandma becomes suspicious: “How can I know that you’re actually the Missing Persons Bureau and not some scammer?”
“In order to confirm that we are the actual Missing Persons Bureau, we’ll confirm a portion of your and his information first. Your phone number is (123) 456-7890, and his phone number is (987) 654-3210. Is this correct?”
“Give me a moment to check… Yes, that’s right.”
“Also to confirm, your email address is firstname.lastname@example.org, and his email is email@example.com, right?”
“That is correct.”
The scammers could also google the two people’s names to learn more about them before the call and present this information.
“Okay great. Now that we’ve verified that we are in fact the Missing Persons Bureau, we’ll need to confirm your identity before we can provide any further information. Can you give me your SSN so that I can confirm your identity?”
Even if some (maybe even most) people wouldn’t fall for this, I could see lots of people falling for this scam. I consider myself well-informed, yet in retrospect, I may not have noticed this until it was too late. Sure, I would have been suspicious, but if they verified my info in a convincing enough way, I might have trusted them.
What to Do About It
So the important question is: what are we (as a society) supposed to do about this? How are we going to prevent people from being duped based on information that (for all intents and purposes) is now publicly available?
To be honest, I’m not sure. I think we just need to remember that phone calls from strangers are untrustworthy, no matter how much information they have. Even if the person on the other end sounds just like your relative or friend, it could just be a deepfake.
The best way I can think of (and it’s not my original idea – I’m taking this idea from my parents) to establish trust with someone is to have a unique phrase or codeword with them. The person would need to be careful not to share this, but it’d probably be the best way to establish that you’re talking with the right person. It’s pretty much the equivalent of giving your friends a password for use in cases of emergency.**
On the other hand, this can’t account for things like if your friend is knocked out and brought into a hospital. In this case, they couldn’t share the password for the obvious reason that they’re unconscious.
To be honest, I can’t think of a good way to deal with this scenario. If you have any ideas, please share them in the comments down below! Maybe you could set your phone’s emergency contacts to show up on the lock screen and have the “password” in the contacts’ names? On the other hand, this would give any apps with access to your contacts these same passwords, so if one of your apps has a data breach, you end up in a similar situation as before. In addition, this gives anyone who steals your phone these passwords, so this information could be compromised in the future.
Another option is to use a messaging/calling app like Signal or an email address like Protonmail which supports end-to-end encryption, including digital signatures. Digital signatures are a way of verifying that you’re talking with the real person on the other end rather than someone pretending to be them. This is too complex of a topic to cover in this blog post, but it works very well in most circumstances. It does, however, fall victim to the same problem: it doesn’t work if the person in question is unconscious.
In the meantime, if you’re paranoid about security (think government-level, but this may also apply to the normal person), you probably shouldn’t trust any phone calls you receive about personal matters. Data breaches are a problem now whether we like it or not, so we have to make sure to consider the ramifications these will have on our lives in the near future.