Stopping voice phishing

One of my former Yonsei students recently had 10 million won ($8,933) - a significant portion of her life’s savings - stolen from her in a voice phishing scam. Bright, astute, technologically saavy, this individual - a Korean and a rising professional in a large institution here in Seoul - is one of the last people you would expect to fall prey to con artists. If voice phishing can happen to her, then the problem remains way out of control and underscores the need for better public awareness and more aggressive prevention and enforcement.

The phone call came at 11:50 a.m., while she was at her desk, just before her usual lunch hour at noon. In hindsight, the timing was a warning sign - the scammers placed the call at least hoping, perhaps even knowing full well that their target would soon take a break from the office and would be more likely to stay on the phone.

What she heard on the phone shocked her completely. A man claiming to represent the Seoul District Prosecutors’ Office told her (falsely) that her bank accounts appeared to be connected to a financial scammer they were (supposedly) pursuing. “We can’t assume you’re a victim,” the caller said. “You might have sold information to these criminals.” As absurd as this might seem, the cover story the crooks used at the start of their phone call - portraying themselves as law enforcement officials - sounded convincing at that moment.

Three people at the other end of the phone line - one claiming to be a prosecutor, the others claiming to be a detective - handed the phone back and forth to each other, saying they had to verify her bank account information to prove she was a victim rather than a co-conspirator to the alleged crimes. (In fact, they were the ones committing crimes, but their words threw her into a tailspin and had a brainwashing effect.) They told her she could either stop by their (bogus) office in Seocho-gu, which would be time consuming, or provide this information to them immediately over the phone and through the Internet. The callers directed her to a (bogus) website that appeared to her to be the actual website of the Seoul District Prosecutors’ Office.

Shook up and caught off guard, she cooperated with the scoundrels. They seemed to know every trick in the book to keep her under their total control until they obtained what they wanted: her money. They instructed her to stay on the phone with them continuously until all their (bogus) questions were resolved - and unfortunately, she did. Of course they wanted her to stay on the phone - had she hung up, most likely she would have seen through the scam in seconds. At one point, the caller told her, to convey a (patently false) sense of urgency, that “another colleague is telling me right now somebody is trying to access your (bank) account!” Later, after she had been on the phone with them for almost three hours and did question their veracity, one of the callers said to her: “If I were voice phishing, I wouldn’t be talking to you for three hours.”

In fact, he and his associates were absolutely voice phishing. They tricked her into transferring funds from her account to another account - with both accounts in the same bank. They told her she was “virtually transferring” the money simply as a test to confirm that her account was secure. In fact, the “virtual transfer” was the real thing: an actual online transfer. The swindlers were able to withdraw a portion of the funds straight away from multiple ATMs, while the remaining funds transferred were frozen by the bank, once the bank’s investigators detected the fraud in progress.

Keeping to their game, just before ending the phone conversation, the scammers even warned her (falsely) that a crook would call her shortly thereafter and claim to be representing her bank. In fact, she did receive a phone call from a genuine representative from the bank, and after several minutes of disbelief, she realized what had really happened and reported the crime to the police. The police officer who processed her report already knew the entire playbook the scammers had used so effectively against her - and countless other persons. As they talked, the police offer recited every step of the dastardly phone conversation, in the exact sequence, and all my former student had to do was keep nodding her head, confirming to the officer what had happened.

Unfortunately in this case - as in so many other voice phishing cases - the crooks were several steps ahead of everyone: their individual target, the bank, and law enforcement authorities. The police told my former student that whatever criminal organization took her money probably operates transnationally, in Korea, as well as China and possibly other countries. Apparently they cover their tracks and will be very difficult to catch. I find this hard to believe, since they operate with real mobile phone numbers, real bank account numbers (which often belong to third parties) and real Internet domain names, but so far, they have evaded capture. It doesn’t help that the police are overwhelmed. My student reported her case on the same day it happened in March, yet the police told her at the end of May they had yet to begin investigating, and she had to make several phone calls just to find the individual who will handle her case.

She has learned the hard way how con artists play to all sorts of emotions and psychological impulses, especially fear, to convince their intended targets into following their demands - even when these marching orders look totally ridiculous and misleading in hindsight. They know exactly how to get their targets to abandon their usual good judgment and obey them.

There are loads of scams, from fake hospital representatives insisting on advance payment to treat elderly parents (not really) in emergency situations to (false) allegations of non-payment of mobile phone services and credit card accounts. Sometimes callers claim to be representing the Financial Supervisory Service, and frequent targets are the elderly and young adults.

Aside from all the financial and emotional devastation voice phishing causes so many people, it’s also an outrageous waste of money, with billions of won snatched in recent years by criminal networks at the average rate of about 8000 people a year in Korea. Government regulators, bank officials, law enforcement agencies and international organizations need to do more to stop these fraudsters and put the criminal syndicates out of business. Do the bad guys always have to win?

*The author is professor of political science at Yonsei University.

by Hans Schattle