A few days ago, I got a call from a number I didn’t recognize. A string of calls, actually, in a span of about three minutes.
I ignored them at first, like I do with every unknown number that flashes on my cell phone screen (don’t we all?). But after five back-to-back missed calls, there was a growing sense of urgency. So I typed the number into Google, and realized, with horror, that it belonged to a local police station.
I called back, and got the switchboard for Manhattan’s 24th Precinct. Who needs bail money? I wondered. Did that creepy OKCupid date finally murder somebody? Am I being asked to testify?
As I listened to an automated voice rattle off a list of extensions, my phone buzzed again — another call from the precinct. This time, I answered.
“Hi is this Miss Kristen Bahler? This is very urgent. Do you know that you’re the subject of an FBI investigation?”
Uh … what?
“Do you know you’re under investigation? Have you been briefed on your file?”
Uh … no?
“This is very serious. If you don’t comply, someone will come and arrest you.”
Uh … who?
After a few minutes of escalating frustration on both ends, and several failed attempts to press the guy for more information, it finally clicked. This wasn’t a federal agent. This was a scammer.
Eventually, he hung up on me, and I was left with some burning questions. Who was this criminal mastermind, and how did he get my number? What, exactly, was his end game? Did he want my money? My social security number? Do other people get these calls? Do they fall for them? Why did the call come from an ACTUAL POLICE STATION????
The real New York Police Department didn’t have any answers. I called the switchboard again, and tried a few of the extensions. Eventually I got through to an investigator, who told me he didn’t have a clue what I was talking about.
“They called you from this number?” he asked. “And said you’re under investigation? Are you?”
Next, I tried Paige Hanson, identity education lead at the cybersecurity firm Symantec (which makes Norton antivirus software). She was less confused.
“This is a common scam,” she says. “It happens to a lot of people.”
It even has a name: “Spoofing,” a range of techniques criminals use to pretend to be someone they’re not with the help of fake IP addresses, emails, or, in my case, phone numbers. What they wanted was for me to handover my credit card number, in a panic, which they could have charged for any number of purchases, or my social security number, making me one of the more than 15 million Americans who fall prey to identify fraud every year.
Related article: This cell phone carrier is best at protecting you from spam calls
It’s actually pretty easy to hijack a phone number, Hanson says. Thanks to apps like “SpoofCard,” anyone with internet access can disguise their personal number with a new one of their choosing — even if it already belongs to a law enforcement agency, a hospital, or an Outback Steakhouse.
These apps market their services as a way for debt collectors, private investigators, and other professionals to mask their identity, and as an all-in-good fun conduit to prank calls. But Hanson says they’ve also empowered fraudsters to scare people into answering bogus calls.
There’s not a lot of data on how widespread “spoofing” actually is, but fraudulent calls are certainly a problem regulators are grappling with. According to the FTC, the state of New York alone logged more than 16,000 complaints of “imposter” calls last year. Nationally, that number’s close to 300,000. And since a lot of people who get these calls don’t actually report them, those figures are probably just scratching the surface.
How do you suss out a real FBI or police call from a fake one? In a press release about the scam, the FBI warns consumers that “The FBI does not call private citizens threatening arrest or requesting money.” Chances are, if you’re under investigation by the FBI, you won’t learn about it in a phone call.
If you’re not yet deeply unsettled, here’s a bit of info that should do the trick: Services like SpoofCard can completely mask a phone number, so the one users choose to replace it with (the NYPD’s, in my case) is the number that shows up on both your phone bill, and your caller ID.
Gullible consumers aren’t the only ones at risk. A fraudulent phone bill makes it hard for other vulnerable groups, like victims of stalking, to get the proof they need to seek legal protections from an abuser. SpoofCard, for what it’s worth, seems fine with this: A recent blog post on the company’s website gives step-by-step instructions for contacting an ex who’s blocked you from their phone.
Hanson couldn’t say for sure where the scammer got my number from, but says giant data breaches like the 2013 Target breach that resulted in a treasure trove of stolen phone numbers, emails, and credit card information — have made it pretty easy for criminals to get that information too.
As a precaution, she recommended adding my number to the National Do Not Call Registry, a federal department that blocks businesses from slamming consumers with unsolicited calls. Ideally, the registry will cut the volume of calls I receive, and will make me think twice before answering one that does make it through (its likely to be a scam). There are also a number of call-blocking apps that can help manage incoming calls, Hanson points out.
Expert-approved advice to never answer the phone again? Now that’s a silver lining.