Republished on February 2 with new reports of fraudulent calls from law enforcement agencies, where even those phone numbers can no longer be trusted, and advice on how to stay safe.
Be careful — it’s getting ever more dangerous out there. We’re not yet through month one of 2025, and the AI-fueled cyber attacks we were warned would dominate this year are already in full flight. And while there are some macro-level threats — Chinese hackers compromising our networks and Chinese AI compromising our phones, you’re still most at risk from your own mistakes as you let your guard down against the influx of everyday threats.
So it is with the wave of “phantom hacker” attacks “currently targeting Apple and Android products,” which the FBI has warned is “growing rapidly,” and which relies on a spoofed call from a victim’s bank tricking them into transferring money to stop it being stolen by a non-existent (phantom) hacker. “And they may even be able to spoof that bank’s phone number,” the bureau warns, “so the number on your caller ID or cell phone might show that it’s the bank.”
This spoofed call threat is expanding rapidly, and has maybe reached peak-2025 already, with a hacking-savvy engineer almost caught out by an attack spoofing Google’s support numbers, which he described as “the most sophisticated phishing attack I’ve ever seen.” It should serve as a clear warning that you can’t believe what you see and need to stick to basic advice.
And on that note there’s a common theme. Google has confirmed it won’t proactively call users to troubleshoot technical issues, per this latest AI attack; and in the highest profile recent Phantom Hacker attack, the bank involved told its account holders to “remember that Bank of America will never contact you to request that you move money to protect yourself from fraud.”
Microsoft has just revealed a new update for Windows users that uses its own AI to hit this threat head-on, intercepting such “scareware” attacks targeting PCs with fradulent support calls. “The FBI reports that victims lose over a billion dollars per year to tech support and related scams,” Microsoft warned in its post, linking to the bureau’s advisory on how to stay safe.
The FBI’s warning could not be clearer: “Legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.” There are no exceptions. None.
With a wry irony, even law enforcement is not immune from becoming embroiled in such scams. If you needed a perfect illustration as to how close to the mark these call scams have now become, look no further than U.S. CBP warning that its “employees are continuing to receive numerous calls from people concerned about unsolicited calls from scammers posing as U.S. Border Patrol agents and U.S. Customs and Border Protection officers.”
And we’ve just seen echoes of the same, with convictions for fraudsters whose scam calls pretended to be police officers, tricking elderly victims into parting with cash and jewelry as part of an investigation. This scam worked by asking victims to call back by dialing 999 — the U.K equivalent of 911. But the fraudsters would stay on the line, which would not disconnect, and would then handle the emergency call themselves.
Just as with banks and tech support, CBP says it “won’t call you out of the blue with promises of money or threats. Is the caller asking you to pay a fee or share your Social Security, credit card, or bank account numbers over the phone? Hang up. It’s a scam.” The agency also warns “don’t trust caller ID; scammers can make their phone numbers look real even if they’re not.”
“Never call back phone numbers in caller ID, or left in voicemails, emails, or social media messages,” CBP advises. “Instead, type the agency name into a search bar and click on their webpage to find contact information.”
And a wave of fresh warnings that scammers are pretending to be law enforcement when they call target victims have surfaced this weekend. It’s harder to be this binary with law enforcement, given that an unsolicited call is more likely. But that will never solicit money or goods and you always have the right to call back from a publicly available telephone number for the agency or police department in question. Exactly as CBP has suggested.
Per one report from Fox Los Angeles, “Ventura County deputies are warning residents about a new scam involving a phone call from a fake deputy that has scammed several people out of thousands of dollars. The scam involves getting a phone call from a fictitious ‘Sergeant Locker’ with the Ventura County Sheriff’s Office, officials said. This person even gives people a fake badge number. ‘Sergeant Locker tells victims that they missed a grand jury summons, and they now owe $1,500 in court fees because of it. From there, the scammer convinces victims that they need to buy Bitcoin, using Bitcoin ATMs, and transfer the $1,500 to a cryptocurrency wallet, deputies said. Once they receive the money, the scammer empties the crypto wallet and disconnects the phone number they used to call their victims with.”
While from the other side of the country, “the Baltimore County Police Department is warning the public of a phone scam in which the caller poses as a member of law enforcement. Authorities say these callers use urgent language to pressure the resident into making an immediate payment via wire transfers or other means. Through fraudulent means, the name of a legitimate police department may appear on caller ID. The criminal may also use the name of an officer legitimately employed with BCoPD. If you receive such a call, hang up immediately and report it.”
Meanwhile, ABC reports that “if you get calls or texts from someone claiming to work for law enforcement, think twice. Things may not be all they seem. The Manatee county Sheriff’s Office now issuing a fresh warning about a scam they’ve seen before. It’s a pretty simple ruse: someone, claiming to work with the government, will contact a victim and ask for money over the phone. The supposed reason can vary from speeding tickets to having a warrant out for your arrest. Scammers will often try to put pressure on victims, creating a sense of urgency.”
Tech platforms are responding to this threat now. Google has introduced call defense to the latest version of Android, than can listen into calls using on-device AI and flag a likely scam, it has also prevented users from being talked into disabling Android’s sideloading protection while on calls to prevent malicious apps being installed.
It doesn’t matter what email address or phone number contacts you. If it’s unsolicited, if it’s out of the blue, if you have not explicitly reached out first, assume it’s a scam. Don’t take the call — hang up. It’s not your bank, it’s not Microsoft or Google or Apple or anyone else. It’s a sharp-talking, hardened scammer and the longer you talk to them the more likely it is that you and your money will be parting company.
Heed the FBI’s advice at all times — it really is that simple. But if you do fall victim, here’s what you should do:
- “Run up-to-date virus scan software to check for potentially malicious software installed by the scammers. Consider having your computer professionally cleaned.
- Contact your financial institutions immediately. Take steps to protect your identity and your accounts.
- Change all passwords if the scammer had access to your device.
- Expect additional attempts at contact. The scammers often share their victim database information.
- Keep all original documentation, e-mails, faxes, and logs of all communications.”
