Last week you might have heard in the press about a phone scam that is supposedly sweeping the nation: the dreaded, super sneaky ‘Can you hear me’ scam. Fraudsters ring you and ask the question “Can you hear me?”. When the victim replies “Yes”, the audio is recorded and used to bind them to a legal contract.
Now even at first glance, this has some merit, and it warranted research to see whether this was a real attack vector. We scoured the net for information, only to find anecdotal evidence. There is no doubt this is being discussed as a theoretical attack. However, the ways in which we enter into contracts in the U.K. simply do not allow an audio recording of a customer saying just “Yes” to serve as the basis of a legal contract. We found it quite alarming that almost every news outlet was running this story and we could not find a single U.K. based victim.
Contracts & Fraud
To a criminal, a contract is one of the final steps of a fraud. Obtaining one illegally in a mark’s name takes work to achieve. Take a mobile phone contract, for instance: when you upgrade your phone, the provider might send you an email to click, agreeing to the terms of the contract. If a fraudster could get that authorised, it would then need further involvement: reconnaissance, further calls to alter the delivery of the phone, interception of the delivery and so on. This unseen work behind the scenes makes it highly unlikely they will have the time or the inclination to ring you just to get you to say “yes”.
Could a criminal abuse this and use your voice to their advantage, just from a simple recorded yes?
Take a recording of me saying yes as my answer.
Cyber Warning Fatigue
The media can be fantastic at spreading warning information that makes millions of people take note of a threat every day. From hurricane warnings to reports of current frauds, they get a short burst of interest in their media platform in exchange for the layman actually learning something. This education can be essential, but if we are constantly bombarded with this kind of warning we lose interest. We cry wolf. The important information gets drowned out in the noise.
We asked @CyberGibbons, a consultant from Pen Test Partners to comment on this:
Without evidence of this being used to defraud anyone, it’s just more unnecessary noise that makes it harder for consumers to detect real threats. Information overload is becoming a real problem, causing many to become fatigued, and, as a result, more likely to fall victim to the common and plausible social engineering scams.
So who said it was?
Hearing from Cyber Gibbons again, he had a few things to say. None of the stories even have a source, with some local papers quoting the Independent, which quotes the Sunderland Echo. Above all, it is clearly advertorial, with the bulk of the stories promoting CPR Call Blocker.
Action Fraud declined to comment when we reached out to them.
Snopes class it as ‘unproven’.
Some articles in the news seem to be doing a 180 on the claims, whilst the majority seem adamant it is a real attack.
What is worse, ‘Cyber Aware’ police forces started backing the idea and warnings went out across the country.
— Leics Cyber Aware (@leicscyberaware) 25 February 2017
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.