Private Number Calls are a Security Risk for Government and Business

by George Gleason

To prevent getting scammed: whenever you leave a voicemail message for a government or business entity, include a codeword they will need to use to identify themselves when they call you back, and make it clear they need to write it down because you are going to ask when they call. Repeat it twice, slowly, to be sure they hear it and can write it down.

Choose a different codeword for each of the entities you call. If someone claims to be calling you back from whatever agency or company, and can't give you the codeword you left for them, tell them they will need to check their voicemail tomorrow and call you back with the correct codeword, and hang up. Then call their legit listed number immediately, and leave a new message with the correct codeword.

In a conversation today about the increased prevalence of telework, someone told us of their recent interactions with the Social Security Administration (SSA). They had called SSA to enquire about survivor's benefits, and left a voicemail message for someone to call them back. A day or two later they received a call that showed as "Private Number" on their Caller ID screen. The caller was an actual employee of SSA, working from home, who had gotten their message and returned their call. The caller had enough specific information from the voicemail message that it was clear they were legit.

A coworker & I discussed this, and the security implications were immediately clear and alarming.

Fast, cheap, not so great:

First, you should understand that this is the fastest and simplest way a government agency or business entity can set themselves up for telework. All the employees go home, and all the entity's phone numbers are answered by voicemail, just as they normally are after hours. The employees at home dial in to get the messages a few times a day (or receive them via email), and return the calls from their home landlines or mobiles. Clearly this isn't the best way to do telework, as we or your IT folks can advise in depth, but it's a "quick and dirty" way to do it in a pinch.

For their own safety, the employees returning your call may dial *67 before your phone number, thereby blocking their outgoing Caller ID. You will see "Private Number" on your phone. This is obviously essential because there is always the risk that someone might try to "get them" by posting their private number in a public place, or worse, track them down and harm them physically. Such is the state of our culture, where the basic right to just live our lives in peace has been subjected to the new dictatorship of internet-enabled criminality and sociopathy. Some day there will be a cure.

What the bad guys will do:

Right now they "spoof" (fake) the caller ID information of large companies and government agencies, to try to get you to send them money, such as for "tech support" scams, or "in trouble with the law" scams.

But now a whole new generation of scammers will simply be able to block their outgoing caller ID and tell you that they are with whatever agency or company, and they are working from home during the pandemic.

If you have recently called an agency or company, a scammer might try to get you to believe they are returning your call. "I'm calling from (name of agency or company), you recently contacted us about your account." Or they may say they are reaching out to you from whatever agency or company, in regard to your account or your benefits, etc.

As a result of the pandemic, many more people than usual will be calling government agencies, financial institutions, health care providers, health insurers, pharmacies, and so on. So the chances of a scammer reaching someone who has recently called one of those types of entities is high. Given that many of us are nervous, frustrated, or in other moods that make us vulnerable, there's a greater chance that a vague introduction by a scammer could get you to reveal more information they can use.

Scammers are famously good at zeroing in on you by using whatever you say. For example they might start with "Hi, I'm calling back about the claim you filed on your account." Then you ask, "Oh, are you calling from Social Security?" Or, "Are you calling from XYZ Insurance?"

Oops! Now they know you've recently called Social Security, or your insurance company, so they say "Yes, I'm calling from (whatever you just told them). Please give me your Social Security number (or account number) so I can verify this transaction..." Or it could be the IRS, your bank, your pharmacy, grocery store or online shopping service, etc., etc.

Even small bits of information can bite you. Your name plus your birth date are sufficient for identity theft. (Never "celebrate birthdays" online!) A scammer may have a lot of information and only be seeking a small thing, such as your age (from which they can derive your birth year). Don't give in, and don't give information out.

As with hand-washing and keeping safe social distances, be safe and protect yourself and others.

How to fight back:

Whenever you leave a message for an agency or company, give them a codeword to use when they call you back, to verify that they are legit.

For example: "Hi, this is Alice Alvarez, I'm calling about my account. When you call me back, here's a codeword you will need to tell me so I know the call is legit and not a scammer. The codeword is _giraffe_, that's _g-i-r-a-f-f-e_. Once again, the codeword is (repeat the word and spelling). My phone number is (whatever number)...." Say it slowly, spell it, and repeat it. If you're calling from a mobile or a VoIP line, or they are getting your message on either of those, there may be drop-outs in the audio: saying it slowly and spelling it out, twice, helps overcome audio drop-outs.

Obviously, don't use "giraffe" or any other example in our articles or elsewhere, and don't use famous names, famous cusswords, any part of your name or identity, etc. Keep a dictionary, thesaurus, or some other physical printed matter handy before you call, and search for random words that can be used for this. Write them down before you call. Make a game of it to get good ones but don't share them outside your household. Getting codewords from printed matter is better than getting them from online reading material, in case your computer has been compromised.

Now when someone claims to be returning your call to that organization, you can ask the caller: "Please tell me the codeword I left in my message for you." If they can't give you the codeword, tell them you can't talk with them, and you're going to leave them another voicemail message, and they will have to give you the codeword you leave in that message. (Do not get fooled if scammers try to cajole you by saying things such as "it might be another two weeks before I can call you back.")

Yes that's inconvenient, but far less so than getting your bank account cleaned out. Yes it may mean waiting a few more days for the next callback, but that's far less time than it would take to replace your credit cards and suchlike.

If this method is widely publicized, it should become standard practice for government agencies and companies. After that, scammers will have to try to guess at codewords. "Hi, this is Bob calling you back from the IRS. The codeword you left for me is _pickle_." At which point you can say "Sorry Bob, it's not _pickle_, and I'm not giving any hints, so you'll have to wait for my next voicemail message to get the next codeword. Have a nice day! Bye!"

Always practice good cyber-hygiene, and remember to vote:

Never ever ever give out information until you have verified that the caller is legit. Ask: "Who is calling please?" Get their name. Get their phone number. Check their phone number on the legit website for the entity. Anything government-related ends in .gov. Call back to the correct listed number and make sure the caller actually exists.

Do not let someone convince you to dial a different phone number that's "a temporary number during the pandemic." Chances are that number goes back to the scammer, or to a phony voicemail menu that may even sound exactly like the agency's or company's real one (that is surprisingly easy for bad guys to do).

Never click embedded links, and never open email attachments, without first calling the sender to check that they actually sent the link or attachment. Especially beware of "greeting cards," Google docs, and other things that may appear legit on the surface. Watch out for URLs that are subtle misspellings of well-known brands, for example substituting a digit 1 for a lower-case letter l.

If you're looking for something to read whilst cooped-up at home, you can always check out sites about cybersecurity, such as KrebsOnSecurity.com, and sites about medical scams such as ScienceBasedMedicine.org. Stopping scammers of all kinds requires strong laws that are vigorously enforced. Ultimately that depends on each of us, to elect public officials who take these issues seriously.

So: practice good cyber-hygiene, write to your elected officials, and be sure to vote in every election. As with hand-washing and keeping safe social distances, all of these things together are now matters of civic duty.