
Phone Scam - Other People Getting Calls from My Mobile

  • 29-06-2023 1:59pm
    #1
    Registered Users Posts: 56 ✭✭


    This week I've received calls from two people saying they got missed calls from me (my mobile number). One of them even had a voicemail saying "Hi, it's [MY NAME] calling" and they used my first name.

    I've Googled and can only really find info. on how to respond to receiving spam calls, but not what actions can be taken if my number is being used to make spam calls.

    Is there anything I can do to stop this?



Comments

  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    Stick your mobile number, in full international format (+3538xyyyyyyy), into the email field here: https://haveibeenpwned.com/

    If it says "Oh no - pwned", then your mobile number and name were in a Facebook breach in 2021.

    What's likely to have happened is that somebody called those people "spoofing" your number. Normally they try to execute some scam on the people they are calling, like saying they are from Social Protection, it has been discovered you're using your PPS number illegally and you must pay a fine before the Guards show up and arrest you. 👀

    I got a load of those types of calls in 2021 and a few more last year. I just ignored all unknown numbers calling me. One day though I got a call from a business (its name showed up with the incoming call). I called them back and was told that I was the third person to call them claiming a missed call.



  • Registered Users Posts: 4,958 ✭✭✭kirk.


    What does it mean if your email is in a data breach?

    I see I have it on one of my 2 emails



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    There should be a description of the data breach down the page after you have searched for your email address.

    Look for the "Compromised data" at the end of the description. If password is part of the compromised data, then:

    • Change your password on that site immediately.
    • If you have used that SAME password on ANY other account, change those passwords too ... and to something NEW and UNIQUE for each account.
    • I would highly recommend you enable two-factor/multi-factor authentication on those accounts. Do this as well for any email accounts you have.

    If password wasn't part of the compromised data, then just be aware that the information that WAS compromised is out there and available for criminals to try to use against you.

    Edit to add: Enable two-factor/multi-factor on your email accounts anyway, regardless of whether your password has been compromised. If you're a gmail user, consider turning on its new passkeys capability. https://support.google.com/accounts/answer/13548313?hl=en



  • Registered Users Posts: 56 ✭✭Educate


    Interesting - didn't know you could put your mobile into that checker.

    Plot thickens. It came back as "Good news — no pwnage found! No breached accounts."

    Very strange...



  • Registered Users Posts: 22,002 ✭✭✭✭Esel


    ..

    Not your ornery onager



  • Registered Users Posts: 6,983 ✭✭✭Jeff2


    I wouldn't be putting my private number into anything like that as I'd feel that is how someone gets your number in the first place. That's just my opinion.



  • Moderators, Business & Finance Moderators, Motoring & Transport Moderators, Society & Culture Moderators Posts: 67,697 Mod ✭✭✭✭L1011


    That site, that specific site, is trustworthy. Plenty of others aren't.



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    I've even registered my personal gmail account with the site ... 😱 ... 😏

    I got notified last December/January that my email address and password on Deezer were breached ... a fact Deezer couldn't be a$$ed telling me about ... though I closed my account about 7 years ago.

    The Irish National Cyber Security Centre (NCSC) has been using the service to monitor Irish Government and State agency emails for the last number of years.

    One of many countries doing so.

    While I'm no longer a massive fan of Troy Hunt himself, I can't fault the service that he has built.



  • Posts: 0 ✭✭✭✭ [Deleted User]


    Most of us have a fair bit of data pwned. One thing about Have I been pwned is it is in itself a bit of a data breach site when you think of it. For instance you could type in my email address and find I’ve been pwned on some kinky site.



  • Posts: 0 ✭✭✭✭ [Deleted User]


    OP, Google “Fake Call” and you will see plenty of dodgy apps.



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    Actually no, those specific "kinky" sites are classed as "sensitive" and you must prove control of the email account before you are told about them.

    https://haveibeenpwned.com/FAQs

    What is a "sensitive breach"?

    HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.


    A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.


    There are presently 50 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, Carding Mafia (December 2021), Carding Mafia (March 2021), CityJerks, CrimeAgency vBulletin Hacks, CTARS, CyberServe, Doxbin, Emotet, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity and 30 more.



  • Registered Users Posts: 1,298 ✭✭✭RetroEncabulator


    If your number is being used to make scam calls, it's simply set on the outgoing Caller ID on some VoIP system.

    Unfortunately, at present anyway, there's absolutely no control over this. ComReg is working on blocking calls coming in with fake caller ID, but it's still a work in progress.

    Basically Caller ID is part of an old set of signalling protocols and they were never designed to verify anything. When another network sends in a call there are a few fields of very simple metadata, which include the outgoing phone number. The majority of phone networks will simply pass that through. It's trivial for someone with a VoIP server to spoof it.

    ComReg's currently working with the phone networks so that when anyone presents a +353 phone number, if it's not coming from an Irish network, or a network that has legitimate reasons to use one, it won't be processed.

    Basically, calls from +353 numbers shouldn't be presenting from outside the state, but for various reasons, some legitimate ones do at the moment. That's being ironed out, so that all Irish calls are going through domestic interconnects only.

    Also the mobile and fixed line networks are rapidly moving to all-IP and modern soft switches handling all of this stuff, so it is becoming a LOT easier to include that kind of filtering and analysis. The old switches were fully digital but quite old tech - 1980s/80s era stuff.

    There's also a lot more scope to provide verified connections with certificates etc.
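
The screening rule described in this post, sketched as an added example (not part of the original post, and not ComReg's or any operator's actual implementation): a call presenting a +353 number is accepted only from a domestic interconnect or an explicitly exempted trunk. The trunk labels, the exemption list and the "withhold" verdict for unparseable caller IDs are assumptions, and the phone numbers are constructed.

```python
import re
from dataclasses import dataclass

HOME_CC = "353"  # Ireland's country code, as in the thread

@dataclass(frozen=True)
class InboundCall:
    trunk: str          # hypothetical interconnect label
    trunk_kind: str     # "domestic" or "international"
    presented_cli: str  # caller ID exactly as signalled, unverified

def normalise(cli):
    """Return the number as bare E.164 digits, or None if it cannot be parsed."""
    s = re.sub(r"[\s\-().]", "", cli)
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):       # international dialling prefix
        s = s[2:]
    elif s.startswith("0"):        # national format, so assume the home country
        s = HOME_CC + s[1:]
    else:
        return None
    return s if s.isdigit() and 8 <= len(s) <= 15 else None

def screen(call, exempt_trunks=frozenset()):
    """Decide what to do with a call based on where it entered the network."""
    number = normalise(call.presented_cli)
    if number is None:
        return "withhold"          # assumption: connect, but do not display the number
    if not number.startswith(HOME_CC):
        return "allow"             # foreign number: outside the scope of this rule
    if call.trunk_kind == "domestic" or call.trunk in exempt_trunks:
        return "allow"
    return "block"                 # home number arriving from abroad, no exemption

EXEMPT = frozenset({"intl-roaming"})  # assumption: trunks with a legitimate reason
SAMPLE_CALLS = [                      # constructed data, not real subscribers
    InboundCall("dom-1", "domestic", "+353 80 000 0001"),
    InboundCall("intl-a", "international", "00353 80 000 0001"),
    InboundCall("intl-a", "international", "080 000 0001"),
    InboundCall("intl-roaming", "international", "+353800000002"),
    InboundCall("intl-a", "international", "+44 20 0000 0000"),
    InboundCall("intl-a", "international", "anonymous"),
]

def verdicts():
    return [screen(c, EXEMPT) for c in SAMPLE_CALLS]

if __name__ == "__main__":
    for call, verdict in zip(SAMPLE_CALLS, verdicts()):
        print(f"{verdict:8} {call.trunk:13} {call.presented_cli}")
```

The second and third sample calls are the spoofing case from the thread: the same number is accepted on the domestic trunk but blocked when it arrives on an international one, whichever dialling format it is written in.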



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    It would seem that even Troy Hunt (him off HaveIBeenPwned) is also experiencing the same issue the OP has:




  • Registered Users Posts: 4,958 ✭✭✭kirk.


    I beefed up security on email and amazon

    I get text verification when logging into Paypal

    Would I need to upgrade to 2-factor security in the website?



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    I don't know what website you're asking about, but I would recommend 2-factor in as many places as you can. It really will help keep those accounts secure and prevent account takeover in nearly all circumstances.



  • Registered Users Posts: 4,958 ✭✭✭kirk.


    Paypal

    They have a text authentication system, u get texts logging in, which I have

    There's also 2 factor using an authenticator app



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP


    I much prefer the authenticator app, as they are more secure than text messages. I have dozens of accounts set up on my authenticator app.

    I thought PayPal could be set to use the app rather than by text, but I haven't used my account in a few years. I'll check it later.



  • Registered Users Posts: 4,958 ✭✭✭kirk.




  • Registered Users Posts: 19,057 ✭✭✭✭Donald Trump


    Other possibility is a Tyler Durden scenario OP



  • Registered Users Posts: 4,958 ✭✭✭kirk.


    What's the best authenticator? Google has a 3.4 rating



  • Registered Users Posts: 1,955 ✭✭✭ItHurtsWhenIP



    I have about 15 email accounts, at least a dozen Social medias, 5 admin accounts for website CMSes and a few cPanels, the usual shopping sites (Amazon and ebay) and payment providers (PayPal and Stripe), most of the streaming sites, another ten miscellaneous online sites that I've set up accounts on, a couple of CRMs, VPN, password manager, a couple of NASes ... so quite a few.

    I use Google Authenticator (GA), but it had a problem for a long time that if your phone was lost, stolen or damaged then you were goosed. I have two phones, so if I am adding a new account, I scan the QR code on both simultaneously. GA then got the ability to export the codes, so that made setting up a new phone very simple, but there is always the danger that I could lose both phones, so I carefully and securely store any backup codes for my various accounts.

    Google did introduce the ability to back up the codes to your Google Account ... but it wasn't going to be encrypted (which is madness really). So I'm not using that until they do.

    I also have Microsoft Authenticator for some MS365 accounts. It's probably better than GA, in that the codes are backed up to a Microsoft Account (securely I believe), but I had most things set up on GA, before the Microsoft one showed up.



  • Registered Users Posts: 56 ✭✭Educate


    Can I be Pitt at least? Not the narrator? 😁


