In November 2022, we wrote about a multi-country takedown against a Cybercrime-as-a-Service (CaaS) system known as iSpoof.
Although iSpoof advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, and even though using its services might technically have been legal in your country (if you’re a lawyer, we’d love to hear your opinion on that issue once you’ve seen the historical website screenshots below)…
…a UK court had no doubt that the iSpoof system was implemented with life-ruining, money-draining malfeasance in mind.
The site’s kingpin, Tejay Fletcher, 35, of London, was given a prison sentence of well over a decade to reflect that fact.
Show any number you like
Until November 2022, when the domain was taken down after a seizure warrant was issued to US law enforcement, the site’s main page looked something like this:
You can show any number you wish on call display, essentially faking your caller ID.
And an explanatory section further down the page made it pretty clear that the service wasn’t merely there to enhance your own privacy, but to help you mislead the people you were calling:
Get the ability to change what someone sees on their caller ID display when they receive a phone call from you. They’ll never know it was you! You can pick any number you want before you call. Your opposite will be thinking you’re someone else. It’s easy and works on every phone worldwide!
In case you were still in any doubt about how you could use iSpoof to help you rip off unsuspecting victims, here’s the site’s own marketing video, provided courtesy of the Metropolitan Police (better known as “the Met”) in London, UK:
As you will see below, and in our previous coverage of this story, iSpoof users weren’t actually anonymous at all.
More than 50,000 users of the service have been identified already, with close to 200 people already arrested and under investigation in the UK alone.
Pretend to be a bank…
Simply put, if you signed up for iSpoof’s service, no matter how technical or non-technical you were, you could immediately start placing calls that would show up on victims’ phones as if those calls were coming from a company that they already trusted.
As the Metropolitan Police put it:
Users of iSpoof, who had to pay to use its services, posed as representatives of banks including Barclays, Santander, HSBC, Lloyds and Halifax [well-known British banks], pretending to warn of suspicious activity on their accounts.
Scammers would encourage the unsuspecting members of the public to disclose security information such as one-time passcodes to obtain their money.
The total reported loss from those targeted via iSpoof is £48 million in the UK alone, with average loss believed to be £10,000. Because fraud is vastly under reported, the full amount is believed to be much higher.
In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.
Interestingly, the Met says that about 10% of those UK calls (about 350,000 in all), made to 200,000 different potential victims, lasted more than a minute, suggesting a surprisingly high success rate for scammers who used the iSpoof service to give their bogus calls a fraudulent air of legitimacy.
When calls arrive from a number you’re inclined to trust – for example, a number you use sufficiently often that you’ve added it into your own contact list so it comes up with an identifier of your choice, such as
Credit Card Company, rather than something generic-looking such as
…you’re unsurprisingly more likely to trust the caller implicitly before you hear what they’ve got to say.
After all, the system that transmits away the caller’s number to the recipient before the call is even answered is known in the jargon as Caller ID, or Calling Line Identification (CLI) outside North America.
It’s not any sort of ID
Those magic words ID and identification shouldn’t really be there, because a technically savvy caller (or a completely non-technical caller who was using the iSpoof service) could insert any number they liked when initiating the call.
In other words, Caller ID not only tells you nothing about the person using the phone that’s calling you, but also tells you nothing trustworthy about the number of the phone that’s calling you.
Caller ID “identifies” the caller and the calling number no more reliably that the return address that’s printed on the back of a snail-mail envelope, or the
Reply-To address that’s in the headers of any emails you receive.
All those “identifications” can be chosen by the originator of the communication, and can say pretty much anything that the sender or caller chooses.
They should really be called What the Caller Wants you to Think, Which Could Be a Pack of Lies, rather than being referred to as an ID or an identification.
And there was an awful lot of lying going on, thanks to iSpoof, with the Met claiming:
Before it was shut down in November 2022, iSpoof was constantly growing. 700 new users were registering with the site every week and it was earning on average £80,000 per week. At the point of closure it had 59,000 registered users.
The website offered a number of packages for users who would buy, in Bitcoin, the number of minutes they wanted to use the software for to make calls.
The site raked in loads of profit, according to the Met:
iSpoof made just over £3 million with Fletcher profiting around £1.7-£1.9 million from running and enabling fraudsters to ruin victim’s lives. He lived an extravagant lifestyle, owning a Range Rover worth £60,000 and a Lamborghini Urus worth £230,000. He regularly went on holiday, with trips to Jamaica, Malta and Turkey in 2022 alone.
Earlier in 2023, Fletcher pleaded guilty to the offences of making or supplying articles for use in fraud, encouraging or assisting the commission of an offence, possessing criminal property and transferring criminal property.
Last week he was given a prison sentence of 13 years and 4 months; 169 other people in the UK “have now been arrested on suspicion of using iSpoof [and] remain under police investigation.”
What to do?
- TIP 1. Treat Caller ID as nothing more than a hint.
The most important thing to remember (and to explain to any friends and family you think might be vulnerable to this sort of scam) is this: THE CALLER’S NUMBER THAT SHOWS UP ON YOUR PHONE BEFORE YOU ANSWER PROVES NOTHING.
- TIP 2. Always initiate official calls yourself, using a number you can trust.
If you genuinely need to contact an organisation such as your bank by phone, make sure that you initiate the call, and use a number than you worked out for yourself.
For example, look at a recent official bank statement, check the back of your bank card, or even visit a branch and ask a staff member face-to-face for the official number that you should call in future emergencies.
- TIP 3. Be there for vulnerable friends and family.
Make sure that friends and family whom you think could be vulnerable to being sweet-talked (or browbeaten, confused and intimidated) by scammers, no matter how they’re first contacted, know that they can and should turn to you for advice before agreeing to anything over the phone.
And if anyone asks them to do something that’s clearly an intrusion of their personal digital space, such as installing Teamviewer to let them onto the computer, reading out a secret access code off the screen, or telling them a personal identification number or password…
…make sure they know it’s OK simply to hang up without saying a single word further, and getting in touch with you to check the facts first.