Before I landed my present job, I would be sending out many resumes per day, per week, etc. Along with that, I also made follow up calls to recruiters, staffing agencies, etc. to find out what has happening to my resume after I had applied.
But in all of this, I forgot one thing: Cyberattackers, especially those that specialize in spamming, were starting to use job recruiting boards in much more frequency in an effort to pick up the PII of candidates that submitted resumes.
After all, it is quite easy. You submit your resume, which has your name, your physical address location, email address, as well as your phone number. Once you hit “Submit Resume”, this information for all intensive purposes, can go anywhere in the world. You just never know for sure where it will land up at.
Long story short, after I sent out these “tons” of resumes, I started to get phone calls almost every hour. I was thinking great; a job is coming soon. Not so quick. Hardly I answered, there was some sort of automated answering message on the other end, or nobody answered. Many times, in my iPhone, it would simply say “Unknown Caller”, or “No Caller ID”.
Because of that, I stopped picking up calls, and to this day still do. After a legitimate recruiter would leave a voice mail as well as send an email, right? But believe it or not, these unanswered/automated calls are just one way for the Cyberattacker to confirm at least partially, the information that they have about you.
Once this has been accomplished, they can then try to put the other pieces of your identity together with the other means that they have at their disposal.
In an effort to combat all of this, T-Mobile, has just launched a new program for its customers in order to alert them to fraudulent calls that they could be receiving. This is called the “Caller Verified” feature, and will simply broadcast a message that says “Spam Call” or “Phony Call” anytime an unknown number is received.
You may be asking how all of this works? Well, it is based upon the “STIR/SHAKEN” Methodology. STIR stands for “Secure Telephony Identity Revisited”, and SHAKEN stands for “Secure Handling of Asserted information using toKENs”.
Both of these protocols make use of Digital Certificates, based upon the Public Key Infrastructure (PKI) techniques for ensuring the authenticity and integrity of these certificates.
For example, only trusted Certificate Authorities (CAs) can provide legitimate Digital Certificates to the wireless carriers. As a result of this technology, the device which receives the call is able to verify the accuracy of the calling number and whether it has authentic or not.
For those of you out there that know more about the principles of Encryption, this is essentially another form of Asymmetric Cryptography. In reality, two types of Digital Certificates are used, the Public Key and the Private Key.
The former is used to transform a message into a garbled state, and the latter is used to descramble the message into a readable format once it has arrived at the receiving end. Want more details on this? Well, my next book which is entitled “Testing and Securing Web Applications” will have an entire chapter devoted to this, so stay tuned!
The STIR/SHAKEN Methodology was finally adopted by the The Alliance for Telecommunications Industry Solutions (aka “ATIS”) back in 2018. So far, T-Mobile has been the first wireless carrier to deploy this kind of technology.
They have actually experimented with it for quite some time, going under different project names such as “Scam ID”, “Scam Block”, and “NameID”. But at the present time, there is one huge limiting factor: The STIR/SHAKEN Methodology is only for those T-Mobile customers that make use of the Samsung Galaxy Note 9 device. But, T-Mobile plans to make this available to all Smartphone brands that it carries later on this year.
My thoughts on this?
First, I think that it is great that T-Mobile is rolling out this kind of technology in an effort to protect its customer base. But, on the flip side, I question why it has taken so long for it to be adopted by the wireless industry? I mean these protocols, the use of Digital Certificates, and Certificate Authorities have been around for the last 20 years. Just scratching my head in bewilderment.
But for you, it is important to keep that the Cyberattacker is now shifting to using the older tricks of the trade in order to get to your PII.
They all know that just about every Cybersecurity professional and organization are keeping an eye out for the technological ways in which a hacker can tap into your PII. So, in order to detract attention, the Cyberattacker is now resorting to making use of Social Engineering tactics on the phone in order to get to your personal information and data.
So, in the meantime, what can you do to stay safe? Never answer calls from numbers that you don’t know. If the call is that important and the caller is legitimate enough, they will leave a voice mail. But even then, you can’t be to sure. Listen to the voice mail, and if it indeed does sound authentic enough, do a Google search on it to determine if there are any public complaints on that particular number.
For example, I have received threatening calls from the IRS saying that they are coming after me for my back taxes. But the truth is I don’t have any back taxes. I usually let these calls go to voice mail, and from there, I do a Google search on the phone number.
Every time it has happened that this was a spammed call (also keep in mind, the IRS will never call you on the phone – they just send letters out instead).
You also need to be aware of any text messages that you might receive. These should be handled in the exact same way that you would a Phishing E-Mail. Never reply to a suspicious text message, just simply delete it. This is especially true with job searching as both legitimate and illegitimate recruiters are using texting more now in order to reach out to potential job candidates.