Ask HN: Could scammers have infiltrated the IRS callback system?
3•supportengineer•5mo ago
We called the IRS to discuss an issue and we utilized the callback system. We entered our phone number and were told to expect a call back within 30 minutes, from a West Virginia number. I have used this system before so all this was familiar. The call came at the expected time, from the expected area code. However, it turned out to be a scam call center. How is this technically possible?
Comments
rolph•5mo ago
if you have a bad app with contact, or dialing history permissions, someone can keep snarfing your last dialed numbers until they see you dial a number that fits one of the scam workflows they have at ready.
the same principle can be used in browser.
supportengineer•5mo ago
It was an Android phone used. How could I detect such a malicious app? I am not an Android user.
rolph•5mo ago
curating apps for security is like closing a loop tighter.
if you see that some bad thing happens, e.g. you get a scam call after requesting callback, you then look at app history, and you look for apps that were active during that time span, and you have a short list of suspects.
the name and description of the app may be misleading, but have an odd permission set, for example a flashlight app that requires contact history and calander access. flashlights dont need that.
look at the permissions of each one, individually for any that allow, in your case, access to contacts, or dialing/dial history.
there is going to be some [system] app[s] that legitimately has this access and presumably, some unfamiliar app, or recently installed app that is abusive.
make sure you know the difference!
if your not sure, your can perform experiments such as removing the permissions, or forcing stop of the app, to see if the problem stops, or something complains.
a sophisticated exploit may involve a number of apps working together, to cloak activity, and keep reinstalling if the whole gang isnt cleared out at once.
in this case you may have some other compromise and a password change might be a good idea.
if any of these apps somehow have financial access, you may need to look at replacing cards, and auditing bank / credit activity.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the last bastion of defense, is how the target responds to the contact. they may be at the edge of competency, thus an easy mark, the target may be contacted at a time they are known to be overwhelmed with the mothly rota of bills and income. the target may have been behaviourally profiled and bombarded with a campaign from all sources and is now acting in a frame; a headspace that seems real, and very urgent.
you may actually have to talk them down out of that headspace, to prevent signifigant, recurring vicimization.
rolph•5mo ago
the same principle can be used in browser.
supportengineer•5mo ago
rolph•5mo ago
look for list of malignant apps e.g.
https://duckduckgo.com/?t=lm&q=which+app+is+doing+the+scam+&...
if you have any such apps delete them.
if you see that some bad thing happens, e.g. you get a scam call after requesting callback, you then look at app history, and you look for apps that were active during that time span, and you have a short list of suspects.
the name and description of the app may be misleading, but have an odd permission set, for example a flashlight app that requires contact history and calander access. flashlights dont need that.
look at the permissions of each one, individually for any that allow, in your case, access to contacts, or dialing/dial history.
there is going to be some [system] app[s] that legitimately has this access and presumably, some unfamiliar app, or recently installed app that is abusive. make sure you know the difference!
if your not sure, your can perform experiments such as removing the permissions, or forcing stop of the app, to see if the problem stops, or something complains.
a sophisticated exploit may involve a number of apps working together, to cloak activity, and keep reinstalling if the whole gang isnt cleared out at once.
in this case you may have some other compromise and a password change might be a good idea.
if any of these apps somehow have financial access, you may need to look at replacing cards, and auditing bank / credit activity.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the last bastion of defense, is how the target responds to the contact. they may be at the edge of competency, thus an easy mark, the target may be contacted at a time they are known to be overwhelmed with the mothly rota of bills and income. the target may have been behaviourally profiled and bombarded with a campaign from all sources and is now acting in a frame; a headspace that seems real, and very urgent.
you may actually have to talk them down out of that headspace, to prevent signifigant, recurring vicimization.
https://www.aarp.org/money/scams-fraud/fraud-tactics/
https://consumer.ftc.gov/consumer-alerts/2024/03/sure-ways-s...