In the last two weeks or so users in Ireland have been subject to vishing attacks on a large scale.
The modus operandi is random phone calls from unknown mobiles, predominantly 087 numbers that appear to belong to Vodafone.
It’s unclear if these are real or spoofed – but from research that I carried out into the numbers confirmed to be part of this scam, none of them belong to any identifiable real persons.
Multiple users reported being targeted over and over, which suggests that the scammers don’t just pick random numbers to call – they actually verify that the victim’s number is valid and is in active use.
This “due diligence” is probably done using breach data dumps like the Facebook one, which I previously discussed here.
The vishing callers impersonate Irish government organisations, from the Department of Social Protection to An Garda Siochana.
The content of the message will vary, but usually it will employ some degree of urgency (“your PPS number has been invalidated” or “there is an outstanding warrant in your name”, etc.).
In some cases, an unanswered call will result in an automated voicemail message being left – like the one below:
Other variations of this message sound like this:
I was calling from the department of social protection we have got in order to suspend your PPS number on immediate basis because your PPS number is found suspicious for illegal and criminal activities it is very time-sensitive and urgent to hear back from you before we proceed further with suspension of your assets bank accounts, so please press one.
For some unclear reason, on this occasion the scammers favour using 087 numbers belonging to Vodafone.
Multiple users who were targeted also use 087 numbers, so perhaps this MO stems from the abuse of free calls between Vodafone numbers?
The company itself issued a warning on this topic, containing the following advice:
• Don’t engage with the caller
• Hang up the call, don’t return the call
• Don’t follow the automated instructions, don’t press 1 etc
• Never disclose personal/financial information
It’s unclear what Vodafone is doing to detect, prevent and report such scams (other than what we see publicly on their Twitter).
It’s also unclear if there is anything Vodafone, or any other company can actually do in cases like this. After all, spoofing a phone number or using a prepaid, unregistered one is all too easy.
During my research into this topic I gathered a sample of numbers confirmed to have been used in this scam.
The real number of vishing numbers is expected to be exponentially larger – but pasting some of them here will expose them – and if somebody searches for a specific number, they might as well find this post and confirm that it is indeed a scam.
NOTE: This might change in 6 or 12 months time and there is a chance that a particular number will get recycled back into the pool of available numbers, to be given to a genuine unsuspecting user. But right now, the only digital footprint for those numbers is this scam.
So here we go:
+353853875132 – [the only non 087 number on my list]
Irish phone number lookup resources
Unless you work in law enforcement or directly for a telecommunications company, identifying unknown phone numbers will require relying on OSINT.
In the cases of phone number lookups in general, a lot of this comes down to using community driven sites where people report suspicious phone numbers.
Last year I wrote a post on investigating scam text messages, some of which methods can be applied in this case, like for example using Truecaller, Sync Me or some Google search operators for phone numbers of interest:
“+12568417086” OR “256-8417086″ OR ” 1 2568417086″
site:”<whatever site you search>” intext:”+12568417086″
However, for looking up Irish numbers specifically, we have the following:
- IE Tellows: https://ie.tellows.net/
- Free Lookup: https://free-lookup.net/ireland
- Phone Numbers IE: https://www.phonenumbers.ie/
- Should I Answer: https://ie.shouldianswer.net/
BONUS: There are some landline scams doing the rounds too. For example, one of the readers recently received a call from +35312528641.
The scammer purported to work for Vodafone and promised his victim a new discounted plan – in exchange for credit card details…