Connect with Joseph Steinberg
Google Voice Scam

CyberSecurity

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

The FBI Warns About A Google Voice Scam That Is Not New, But Still Finding Plenty Of Victims

The FBI recently warned the public that many people are still falling prey to a Google Voice scam that the FTC warned about months ago.

Here is what you need to know to keep yourself safe:

What is the common Google Voice scam about which the FBI warned?

The particular Google Voice scam that is presently wreaking havoc involves a fraudster contacting a would-be victim – for our case let’s assume that they are targeting you – perhaps in response to a post that you made offering something for sale on Craigslist or Facebook Marketplace, via the chat function of an online dating app, as the result of a lost pet notice, or under some other legitimate pretext. The criminal tells you the reason that they are contacting you – and the reason sounds totally legitimate – but, they go on and tell you that for security reasons, before they speak with you further, they want to verify that you are who you claim to be, and that the phone number that you gave them is really yours. To do so, they ask you to perform a form of Google authentication in which, to confirm your identity, you need to provide them with a number that will be sent to your phone by either text or voice message.

Of course, the scammer is not really sending you an authentication code – and they are certainly not having it sent to you in order to verify your identity to themselves. What they are, in fact, doing, is finding a way to trick you into helping them set up a fraudulent Google Voice number – a number that will be traced back to you, and not to them, when they, or other criminals, use it in the future as part of the perpetration of scams and/or other crimes.

For those unfamiliar with it, Google Voice is a phone service that offers a free phone number to anyone who has both set up a Google account in the United States and supplied and confirmed ownership of another phone number to which the Google Voice number can forward. However, Google Voice allows people to configure their accounts to send all calls directly to the Google Voice account’s voicemail box – so, if a scammer sets up a phone number to forward to you, and gets the confirmation code from you, the scammer can than set the respective Voice number not to ring your phone, but instead, to send anyone calling that number to be sent straight into the account’s voicemail  – and, voila, the scammer has a working voice and text phone number that is associated with your phone number, and which, therefore, Google thinks that you set up.

Armed with the Google Voice number and account, the perpetrator can offer bogus items for sale – and include a US phone number in their listings, making their posts look far more authentic and inviting than if the offers lacked a phone number or included only a foreign phone number from a country halfway around the world.

It is likely that Google’s anti-fraud engines already stop some attempts at establishing fraudulent numbers – for example, by denying the request to set up a number if the phone receiving the text or voice call with the confirmation code is detected to be in a completely different geographic location than the location from where the account setup request was made. But, with VPNs and other technologies widely available, such approaches are unlikely to be anywhere near totally successful at stopping fraudsters.

The current Google Voice scam exploits several psychological components – not only does the caller appear to be calling for a legitimate purpose, but does so for a purpose that appears to make communicating with the fraudster beneficial for the recipient of the call. Additionally, despite warnings by cybersecurity experts not to authenticate people through such mechanisms, we have become accustomed and conditioned to being asked for one-time authentication codes texted to our phones – that is, for example, how many cellphone providers authenticate callers before complying with sensitive requests. As such, the criminal’s request may seem innocuous, when it is anything but.

Attempts at perpetrating the aforementioned scam are currently pervasive – because scammers are seeing that it works. Someone to whom I was consulting as a cybersecurity expert witness was targeted just this past week.

How can you best protect yourself?

1. If you have not already done so, create a Google Voice number for yourself – there can only be one Google Voice number associated with a particular “real” phone number, so, by setting up a Google Voice number you will prevent a scammer from fraudulently setting up one your behalf. Also, as I have explained before, in most cases, it may be best for security reasons to create a Google Voice number, forward that number to your cellphone, and then give out your Google Voice number rather than your actual cellphone number.

2. Understand and internalize that there is rarely, if ever, a reason that someone would need to ask you for a code – and, that the only times that you should even consider such a request are when you made the phone call to the other party AND you know that the other party is trustworthy. If you called your cellphone service provider, for example, and a representative at that firm sent you a text message to your cellphone without asking you your number, providing the code to that rep is quite different than the situation that this article discusses.

What if you already were scammed?

In most cases, successful perpetrators of this particular scam will not gain the ability to access any of your accounts as a result of scamming you.

The perpetrator will, however, be able to potentially commit crimes that will be traced, at least initially, and at least in part, to you. While law enforcement knows about this particular scam, and will understand your explanation and plight, you clearly do not want to have to deal with such a situation. Besides, if you are not vigilant and do let a scammer create a Voice account you may help the scammer steal from, or otherwise harm, innocent people.

So, if you never set up a Google Voice account, but, are unable to create a Google Voice account because someone already set one up for you without your authorization, follow the instructions provided on these two pages hosted by Google:

Reclaim your Voice number

I was stupid and I let a scammer have my Google Voice Verification Code. What do I need to do?

 

 

Continue Reading

More in CyberSecurity

 

POSTS BY CATEGORY

JOIN MY NEWSLETTER

* indicates required