How cybercriminals trick you into giving your information over the phone

IBM's Chief People Hacker Stephanie "Snow" Carruthers describes how criminals use caller ID spoofing to get your private data.

How cybercriminals trick you into giving your information over the phone IBM's Chief People Hacker Stephanie "Snow" Carruthers describes how criminals use caller ID spoofing to get your private data.

CNET and CBS News Senior Producer Dan Patterson and CBS Investigative Reporter Graham Kates spoke with Stephanie "Snow" Carruthers, chief people hacker for IBM's X-Force Red team, about how hackers steal your information over the phone. The following is an edited transcript of their interview.

This is part two in a four-part series. Download the entire series: How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF).

See part one IBM social engineer easily hacked two journalists' information.

Dan Patterson: Stephanie, much of your skill lies in being able to trick people or to extract information from people over the telephone or even in person. How do you get information from people just by asking for it?

Stephanie Carruthers: One of the things I like to do with phone calls is I will do caller ID spoofing. I'll make my phone number appear as it is someone that you know or trust. Maybe it could be your bank or a relative, something where you would know that that connection is real. And once we have that connection, I go further, and I'll ask you questions and sensitive information.

SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (free PDF) (TechRepublic)

Graham Kates: Can you explain how exactly you would do caller ID spoofing?

Stephanie Carruthers: There are a number of applications that allow you to spoof your phone number, and what that does is I can pick any phone number I want my number to appear to be from, whether it's your bank, or your boss, or someone in your company. And once I'm able to call you, and my number appears like that, you have automatic trust because it appears legitimate. If I called pretending to be a bank, I would first ask you to verify your account because, unfortunately, that's something banks still do, but I would ask you to confirm your address and your phone number. And without thinking and because you see the phone number coming from your bank, you would trust that, and you would most likely provide that information.

Additional reporting by Graham Kates.

Don't miss this related coverage: A hacker invaded 2 CBS reporters' lives without writing a single line of code (CBS News) | This hacker will trick you, and you'll be glad she did (CNET)

Parts three and four of this series will be published soon. 

Also see

20190903-socialhacker0-2-dan-1.jpg

CBS Investigative Reporter Graham Kates and CNET and CBS News Senior Producer Dan Patterson interviewed Stephanie Carruthers, chief people hacker for IBM's X-Force Red team at CBS News in New York.