I don’t use call forwarding and, because of this, I’d be a perfect target for the call forwarding scam. So, if you know nothing about call forwarding, read this post or become a victim. It’s as simple as that.
Call forwarding is a useful service. If, for example, you want calls forwarded from your office phone to your personal phone, you’d use call forwarding. Maybe you’re at an important meeting and want all your business calls answered by your colleague. Again, call forwarding comes in handy. The owner of a phone can decide which number or numbers they want the calls forwarded to. It’s pretty straightforward. Simply enter *72 and then the number you want to receive the forwarded calls. There is also a service called remote access call forwarding, where you can forward calls to a phone that you don’t actually own.
You can probably see where this is going. It’s a system ripe to be manipulated. In Nashville, a customer asked to use the restaurant’s phone to make a call. The customer was a scammer. He used the *72 code before he dialed his own number and, in so doing, had all calls to the restaurant diverted to a phone he or his gang controlled. In order for the scam to work, someone must answer the forwarded call. That locks in the change. Apparently, when calls came to the restaurant for orders or reservations, the scammers, who received the forwarded calls, would ask customers if they would like to pay using their credit card. If they fell for the scam and gave their credit card number, the scam was completed successfully.
Don’t get the idea that the scammer has to have physical access to the phone in order to make this scam work. The scammer could contact a business through SMS/text message, a call, or an email. They could pose as a customer or someone in the supply chain. In fact, they can make themselves look quite legitimate. They will ask to be contacted via phone and give their number. The only difference is that they would give their number as beginning with the *72 prefix. (Note that some companies use the *21* prefix.) If asked, they could explain that the unusual prefix is some sort of network access code. The victim may be told to try the number out to see if it works. Of course, trying the number, which will be answered by the scammer, sets the scammer’s number as the forwarding number and all subsequent calls would be answered by the scammer.
This leaves the scammer in a privileged position. Callers to the company will believe they are talking to a representative of the company; after all, they called the company number, right? The scammer can ask for personal details or even go so far as to ask for funds to be transferred to their account. Remember also that company employees are often told that if they receive an email that asks for the transfer of money, they should call the person making the request to insure that it is valid, even if it seems to be valid on the surface. If, however, they did this and had their calls forwarded to the scammer, the scammer would simply confirm the transfer.
Keep in mind that if the scammer receives all calls to a particular number, they can use this to bypass two-factor authentication (2fa). Many times, to reset a password for any account or to verify a transaction, a phone number is used to send a one time password (OTP). So a scammer could go to the login page for any site connected to the phone’s owner and intercept 2fa. Of course, the easiest thing to do would be for the scammer to login to the person’s cell phone account and, basically, take it over. Assuming they know the person’s username, they can act as if they’ve forgotten their password and click, “Forgot Password”, and wait for the OTP to be sent to them via a call or text message.
Another angle would be for scammers to attempt to learn company secrets. Getting call forwarding from the right people could enable the scammers to get secret or private information given to the victim. Research results, personnel lists, payroll information; the list of what they could do is almost endless. These spearphishing attacks would be more sophisticated but are certainly possible. All it takes is for the scammer to appear to be legitimate. Then, all they need to do is to use the information they gather to find one weak endpoint and they could establish a foothold within the company network. This is why it’s necessary to be sure these endpoints are secured and that bad employee behavior cannot disrupt your entire network.
Most people have heard of spyware and may have even heard of Pegasus spyware which has been used by governments to spy on political activists, journalists, and opposition leaders around the world. Sure, Pegasus is more sophisticated as it often uses zero-day exploits, but it is also more expensive than the call forwarding scam…far more expensive. Initial costs start from around $500,000. For no cost at all, a sophisticated call forwarding scam can accomplish much of the same thing.
Possibly the biggest use for this attack vector would be in stalking. There’s quite a market for stalkerware out there, and the apps for this are often given on a free trial basis. The map below from Kaspersky shows which countries have the most stalkerware. Since most stalkerware is used to spy on cheating partners, the map could indicate countries which have deeper social issues.
The call forwarding scam has one advantage over commercial stalkerware: You don’t need to have physical access to the target phone. A clever call placed by an accomplice that gave the stalker’s number for call forwarding would do the trick. And if you are being stalked or harassed by an unknown stalker, there are services available that will intercept the call and uncover the stalker’s real number. You simply forward calls from unknown numbers to the service and let them do the work. Stalkers will often change their numbers so they cannot be blocked so this service would make them think they were leaving a voice message for the victim, but they would only be revealing their number. The service would only release the voice mail if the victim wanted them. Once the stalker’s number is revealed, it can be blocked.
This is an under-exploited scam, which makes me believe it will eventually surface as a real problem, especially for businesses. Why? Because scammers go where the money is.