Wrong message, right address

February 15, 2015

Fraudsters are sending ‘good news’ messages from actual company IDs

Wrong message, right address

"Moazaz Customer, Mubarak ho apne Maal dhmal2 mai 10,000,00 ka prize won kia hay. Apna prize hasil kernay k liay call center k es number pe rabta krain 0092324624……." Mrs. Akram, a retired educationist was more than excited when she got this message from "Warid".

She immediately told her son to contact the number so that they could earn the first million of their life. The son got suspicious and asked his mother to relax and called on the helpline of the company to confirm the reliability of the message. The mother was very much confident that the identity of the sender was the official identity where from she used to get other informative messages and promotions of the company.

She was shocked when her son told her that the message was fake. Call centre representative told her son, "technology has become so advanced that it is now possible to generate any caller ID for anybody", and no such message was sent by the company.

This is called "Caller ID spoofing" and a Caller ID displays a number different from that from which the message was sent or a call was made with a malicious motivation by the speaker or writer. The software that is used to send such messages is available in the market at a very cheap price.

"Yes, we have received complaints that messages are being received by people with company ID and we are tackling the matter aggressively," says Shahzad, spokesperson of Warid. "Any such fraudulent activity reported by the customers, franchises, business centres or other source is handled immediately. We block that number without delay. We are informing people about the activity through messages in Urdu and English," he says. He was hopeful that such crimes will be controlled once the Biometric SIM registration is fully implemented.

There are five major companies operating cellular phone services in Pakistan namely, Warid, Ufone, Mobilink, Telenor and Zong. They send promotional and informative messages on a daily basis whether the customers like it or not. These include schemes to win cash prizes and other items ranging from free talk time to 1600cc car. Fraudsters have been sending messages from different numbers about the good news of winning prizes, in a bid to rob the public. But the recent advancement is very dangerous as the ‘sender’ ID is reliable and people willingly or unwillingly are bound to believe. Some smart people contact the company immediately but others become victims.

Mobile phone companies and ASPs should be alerted to the existence of such spoofing services, and should be collectively prepared to take action to investigate cases of caller-ID spoofing.

Case of Ayesha (name changed) of Bahawalpur is even worse. Ayesha is a principal at a local school. One day she received a message from "Ufone" that she had won a prize -- 10 tola gold and was asked to contact at ‘333’, the official helpline of the company. She called but couldn’t approach them. After some time Ayesha received a call -- "the number blinking on screen was the same i.e. 333," says Ayesha. The caller asked her to come to their office to receive the prize. But before that she was asked to pay Rs.45,000 as tax money. Ayesha happily sent them the money via top up to the number they gave.

Soon after she got another message of winning a Toyota Corolla car and this time the caller i.e. 333 asked her to deposit 50,000 rupees within two hours. "Now I sensed that I had been fooled and looted. I scolded the caller who then admitted that he was a swindler looting people with the help of personnel from mobile phone companies" claims Ayesha.

Spokesperson of Ufone, Amir Pasha, says their company is dealing with this issue actively. "Ufone is always conscious about protecting its customers from fraud," he says, adding, "We have done a lot to spread awareness about such activities including a public service television commercial which educates people about such fraudulent award schemes."

Pasha says information about all current campaigns is available on their website and call centres. Customers can also call to verify messages or calls they receive. Pasha says that the company immediately investigates and blocks the numbers used to fleece people.

"Protecting customers against all frauds is very important for us and numerous policies are there at GOP level. We have also placed multiple level checks and filters to block spammers and alpha numeric sender IDs such as firewalls, security protocols, VPNs and IP based black listings."

In a weak economy like Pakistan, where people look for shortcuts to earn big, schemes and packages introduced by mobile phone companies become very popular. At the same time the fraudsters and opportunists can take advantage of loopholes in the system to fleece the public.

Khurram Ali Mehran, Director Pakistan Telecommunication Authority says, "At present we have a complaint system where any such activity can be reported directly to PTA on toll free number 0800-55055 or at email address complaint@pta.gov.pk." Being the regulatory body we can deal with reported issues, he further adds.

There is an immediate need to take action against those involved in the offence of spoofing. Government shall block and ban the websites offering spoofing services with immediate effect. Mobile phone companies and ASPs should be alerted to the existence of such spoofing services, and shall collectively be prepared to take action to investigate cases of caller-ID spoofing. Sale of such software should be banned in order to avoid serious consequences and complications.

The long awaited law

Ministry of Information Technology & Telecommunication is going to table a comprehensive cyber crime bill before the cabinet soon. "The bill has been drafted in consultation with all stakeholders taking best international practices into consideration," says Sagheer Ahmad Wattoo, the spokesperson of the Ministry of IT & Telecom.

Wattoo told TNS that a special committee has been set up on the directions of the Standing Committee to review the draft bill and to make it in accordance with the National Action Plan. "The committee has been asked to submit its recommendations within two weeks and they are working vigorously on it," he says.

This cyber crime bill was long awaited as no legislation was available for the crimes committed electronically. NR3C, a law enforcement agency that works under the Federal Investigative Agency and takes care of cyber crimes in the country will be empowered to deal with all cyber crimes once the much awaited Bill is passed.

Currently the said agency relies on Pakistan Penal Code and various other regulations. It is hoped that the Bill will also curtail crimes like spoofing as the Prevention of Electronic Crimes Ordinance, 2008, Section 15 states spoofing as:"Whoever establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source with the intent to gain unauthorised access or obtain valuable information which later can be used for any lawful purpose, commits the offence of spoofing". Yet there was no punishment set out for the spoofing criminals in that ordinance. Whereas similar crimes of Electronic forgery and others are punishable with imprisonment from six months to seven years and fine from Rs.50,000 to 700,000.

Wrong message, right address