According to the National Cybersecurity Institute (INCIBE), the digital world in which we live has left our personal lives more exposed than ever, offering a wide range of opportunities to scammers and cybercriminals. One of these is the exploitation of telephone conversations: they have developed a clever ploy that takes advantage of the seemingly innocuous act of answering “yes” to a call.
In our modern era, phones remain a common communication channel. We respond to friends, family, and even strangers with an automatic “yes,” but have we ever thought about the risks this act could entail? By recording your voice, cybercriminals have a powerful tool in their hands that they can use to authorize financial transactions, enter into contracts, or worse, impersonate you. They can even use our voice recordings as evidence in situations that could harm our reputation.
The telephone ‘yes’ deception takes place in several steps that we describe below:
- You receive the call: The criminal contacts you, posing as a representative of a bank, a store, or customer service. To gain your trust, they may apply social engineering techniques, such as mentioning basic information about you or referencing an alleged recent transaction.
- Starting a conversation and asking questions: The scammer engages in dialogue and asks seemingly harmless questions that seek to get a “yes” answer. In some cases, once the affirmative response is obtained, the scammer cuts off communication.
- Getting the ‘yes’ recording: The scammer calmly waits for the ‘yes’ confirmation while recording the entire conversation using an app.
- Use of the recorded ‘yes’: With your ‘yes’ in hand, the scammer seeks to use it to compromise you financially or to affirm your identity with some service or banking entity. It is important to note that these voice recordings can also be manipulated and used as false evidence, which can jeopardize our reputation both personally and professionally.
- Victim recognition and action: It is at this point that you realize that your identity is being used without your consent. In this case, you must act quickly to fix it.

If you suspect that you have been an unwitting accomplice to fraud of this type, staying calm and acting quickly is crucial:
- Hang up on the call if you suspect it may be fraudulent.
- Verify the legitimacy of the call by contacting the entity or company directly through its official contact numbers. Do not trust the contact information provided during the call, as it may be false.
- Do not give additional information and do not prolong the conversation.
- Monitor your bank accounts and credit cards for any suspicious activity.
- Monitor the information circulating about you on the Internet and take steps to delete it if necessary.
- Change your passwords and security codes regularly, using strong and unique combinations.
- Save any relevant evidence, such as phone numbers, call recordings or messages, to file complaints and support claims.
- Report it to the competent authorities. If this call occurred in the workplace or you suspect that it may have to do with your capabilities within your organization, contact the security team immediately.
As noted in the last point, the telephone “yes” deception also poses serious threats to organizations. Cybercriminals can employ this technique in Business Email Compromise (BEC) attacks or CEO fraud, using voice recordings to simulate the authority of a company’s CEO and trick employees into transferring money or revealing confidential information. It is important that organizations are aware of these deception techniques and strengthen their security protocols and training to avoid becoming victims of these attacks.
By arming attackers with recorded ‘yes’ responses, these scams can bypass security controls that rely on voice verification. Additionally, recordings could be presented as ‘evidence’ in financial or identity disputes.
To counter these threats, you should learn about the next-generation training services offered by Kymatio. Our platform provides a new approach to human cyber risk management designed to raise awareness and improve people’s preparedness against cyber threats, including those that leverage social engineering and vishing techniques such as ‘yes’ phone fraud.
For additional tips and guidance on how to protect yourself against cybercrime and online scams, visit the Citizenship section of the INCIBE portal.