In November 2022, a multi-country takedown took place against a Cybercrime-as-a-Service (CaaS) system known as iSpoof. Although the service advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, a UK court deemed it to be implemented with life-ruining, money-draining malfeasance in mind. The site’s kingpin, Tejay Fletcher, was given a prison sentence of over a decade.
The iSpoof service allowed users to show any number they wished on call display, essentially faking their caller ID. This service helped scammers to pose as representatives of well-known British banks, encouraging unsuspecting members of the public to disclose security information such as one-time passcodes to obtain their money. The total reported loss from those targeted via iSpoof is £48 million in the UK alone, with average loss believed to be £10,000.
Caller ID is not a reliable source of identification, as technically savvy callers could insert any number they liked when initiating a call. Before it was shut down, iSpoof was earning on average £80,000 per week, with 59,000 registered users. The site raked in loads of profit, with Fletcher profiting around £1.7-£1.9 million from running and enabling fraudsters to ruin victim’s lives.
To avoid falling victim to such scams, it is essential to treat Caller ID as nothing more than a hint and to initiate official calls yourself, using a number you can trust. It is important to be there for vulnerable friends and family and inform them that they can and should turn to you for advice before agreeing to anything over the phone. It is also essential to hang up without saying a single word further if anyone asks them to do something that’s clearly an intrusion of their personal digital space.
