Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.
I’ve also seen some very convincing email phishing in the last few weeks with spoofed email headers. It’s made it challenging for my email spam filter to weed out the fakes. I think the best I can do at this point is to never trust these phone calls or email even if it seems to be coming from legitimate sources. It is best to visit the website of the bank or call the numbers on the back of the card. The risk are too high.
