
Loophole allows ‘number spoofing’ scammers to ply their trade

Friday, 17 January 2025

Number spoofing is the term for the use of technology that fools your phone into displaying a different number to the one the caller is actually calling from.

Number spoofing is experienced by its victims like a glitch in the Matrix.

It happens when someone uses freely available internet services to con a victim’s mobile phone into displaying a number that is different from the one the call is actually being made from.

It’s a moment when the person receiving the call can’t trust their eyes.

The spotlight shone on number spoofing earlier this month after a scammer used it to help convince a woman that he was calling from her New Zealand bank. After successfully doing so, the crook ran up $30,000 on her credit card.

The theft happened in January last year, but media coverage followed when the Banking Ombudsman published a “case note” after it investigated the unnamed bank’s decision not to compensate her for the stolen money.

The telecoms industry has cracked down on malicious number-spoofing, and according to the Telecommunications Forum (TCF), an industry body of telecoms companies, it’s quite good at it.

But the defences aren’t perfect: there is a crack in them related to banks having outsourced call centres overseas.

TCF spokesman Paul Brislen said banks had provided the telecoms industry with the numbers they used, and when an attempt to spoof one came in from overseas through the undersea cables connecting New Zealand to the world, it would be spotted and blocked.

But there was an exception, as the blocking “tool” is a blunt instrument, Brislen said.

Many banks have outsourced some of their call centre activity overseas, and are using number spoofing themselves so that customers talking to those overseas call centres see banks’ New Zealand numbers presented on their phone screens.

If the telecom industry blocks a particular number for number spoofing, it blocks all spoofing of that number, including the banks’ non-malicious calls.

So, if a bank is using overseas call centres, it will not ask telecoms operators to block spoofing of that number.

And that leaves the window open to scammers to exploit.

That’s not the only crack in the national defences against number spoofing, though there’s nothing the TCF can do about others.

Many people are shifting their phone-calling to services like WhatsApp, where number-spoofing is easy; social media giants like WhatsApp (owned by Facebook owner Meta) are also not regulated onshore entities.

WhatsApp is being used by more and more people to make phone calls. Scammers are also using it as it allows them to spoof numbers easily.

Banks urge people to be wary of all unsolicited calls claiming to be from businesses, and Westpac specifically warns of cold calls coming in on WhatsApp.

Banks urge customers to hang up on cold callers claiming to be from their bank, and to then call their bank on the help numbers on their websites.

The January case note was not the first the ombudsman issued last year. In December, the ombudsman published two other case notes on similar spoofing cases. There was another in September.

All had similar modus operandi. All involved scammers successfully number spoofing a bank number, gaining the victim’s trust, and conning them into handing over codes needed to authorise payments.

They had the hallmarks of highly professional organised crime. Scammers appeared to have information about their victims before calling, possibly from data breaches and hacks, and in the January 2024 case, there was a person in New Zealand ready to rush to stores to pick up goods before banks and police were alerted.

In November ANZ warned about a cold-calling scam in which some of its customers were called by scammers who appeared to have large amounts of personal and banking information, including credit card details.

Banks like ANZ warn customers to be wary about number spoofing cold callers.

The calls, ANZ said, “may appear to be from an ANZ phone number, an NZ or Australian (+61) number”, indicating number spoofing.

ANZ said common signs of a cold call scam include scammers claiming that, to keep their accounts and money safe, customers need to do things like transfer money to another account or give them personal or bank information, like credit card details or a Visa Secure code.

In the January 2024 case, the scammer claimed the bank had spotted some suspicious transactions, and told her he would suspend her accounts, and cancel the payments.

The woman checked the caller’s number, and after finding it matched the bank's number on its website, she followed the caller's instructions, which included giving the scammer transaction authorisation codes he used to steal the money.

The bank said the woman had breached its terms and conditions which forbid customers from revealing authorisation codes to anyone, but the ombudsman decided that was not an indication the woman had failed to take reasonable care to avoid being scammed.

It found that banks sometimes encourage customers to breach their own terms and conditions about revealing codes.

When the bank replaced her cards, she added her partner to the account, and as part of that process the bank sent him a code and asked him to read it out over the phone, meaning reading out codes apparently wasn’t a universal rule, the ombudsman said.