Why Phone Record Breaches Increase Risk of Impersonation Scams

TL;DR
  • The AT&T breach exposes call/text logs that make impersonation, spoofing, and targeted scams easier, even if your core personal data was not leaked.

  • Treat all unexpected inbound calls, texts, and emails as untrusted, and always verify using your own outbound contact methods before sharing information or taking action.

  • Strengthen your personal and work defenses by watching for classic phishing signs and freezing your credit reports so new accounts cannot be opened in your name without your consent.

The AT&T phone record breach – which took place in 2022 and was disclosed in July 2024 – affects everyone.

 

Even if you're not an AT&T customer, records of calls placed and text messages sent to you could now be at risk of falling into the hands of criminals, according to recent breach disclosure reporting.

While stolen call and text logs may not seem as damaging as the exposure of your PII (personally identifiable information), breaches of telecommunications data pose a growing risk of targeted attacks and scams, thanks to increasing access to spoofing technology and other tools.

If threat actors know who you communicate with, they know who to pretend to be in order to increase their chances of tricking you – whether through a phishing email, a scam call or text, or even social media.

 

Below are the top recommendations from IT Security expert Blaine Kahle, CTO of Five Nines, to apply across your personal and work communication behaviors.

 

INBOUND = UNTRUSTWORTHY, OUTBOUND = TRUSTWORTHY

Caller-ID can easily be faked, or "spoofed", which is why inbound communications that ask you for personal data, ask you to complete a task involving finances or personal data, or otherwise stress a sense of urgency should not be automatically trusted. Reaching out to the person or business supposedly contacting you is the best defense to confirm the legitimacy of a request.

No legitimate business will object to you hanging up and calling them back on a trusted number. The best way to verify the legitimacy of an inbound communication from your financial institution, for example, is to end the call and reach back out using known or trusted contact information – think the number on the back of a credit card, contact information from the official website, etc. – and not the number you received a call from, or a number the person on the other end of the line told you to use.

A call appearing to be a relative or friend that feels "off" can be verified by hanging up and calling them back using the entry in your contacts. 

If the person on the other end of the line resists, trying to keep you from hanging up or from using a trusted outbound communication method, chances are they are not who they claim to be.

 

LOOK FOR THE SIGNS OF PHISHING (SOCIAL ENGINEERING)

These classic signs of a traditional phishing email can also serve as a great rule of thumb for other types of social engineering attacks, including impersonation scams over phone or text:

 


  • Unexpected Requests to Reveal Sensitive Information

If you don’t usually receive requests to wire money or share sensitive info, then an email or phone call asking you to transfer funds should be a red flag. For any unexpected request – whether by email, call, or text – stop and ask yourself if the request makes sense before you click a link/attachment, respond, or provide any data verbally or digitally. 

  • Unsolicited Outreach or Suspicious Attachments

Before you click a link or open an attachment in email or text, check for a few red flags. First, unless you have specifically requested such a file, steer clear of any file attachment ending in .exe. However, know that malicious files come in all shapes and sizes. A .exe file is a clear sign of danger, but malicious code and viruses can hide in nearly any type of file, including Microsoft documents and PDFs. Play it safe and avoid opening any unexpected attachments. Also, be aware of links that look familiar or trustworthy but are malicious in disguise. Hover over links before clicking, and double-check that the destination of the link is a trustworthy site as well. When in doubt, just don’t click!

  • A Sense of Urgency or Emotional Appeal

“Urgent!”, “Action Required!” – While there may be times that a business or individual needs you to take an immediate action, their subject lines would likely be a bit more specific. It’s in your best interest to be suspicious of any communication that uses red-alert terms or encourages you to feel rushed, stressed, or concerned.

  • Generic Language or an Unfamiliar Tone

It's safe to be suspicious when the language of a message isn’t quite right – for example, a coworker suddenly communicating more casually than normal, or a family member acting far too formal. If a communication seems strange, it’s worth looking for other indicators that this could be an impersonation scam.

  • Authenticity Red Flags, like an unfamiliar or illegitimate address

Remember an earlier time, when you were once told not to trust strangers on the internet? Cybercrime goes beyond targeting young users on messaging forums, and the risks are just as prevalent among other digital communication methods these days. Turning a critical eye on a sender’s address can help you identify the first sign of a phishing email. Watch out for red flags in email addresses, such as an illegitimate or unfamiliar domain, or display names that don’t match the email address behind them. 
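Several of the signs above can be checked mechanically before a message reaches a person. The script below is an added example, not code from Five Nines; the contact list, addresses, domains and message are constructed placeholders, and it covers only the display-name mismatch, urgent subject line, .exe attachment and link-destination checks.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT = re.compile(r"\b(urgent|action required|act now)\b", re.I)
CONTACTS = {"jane doe": "jane.doe@example.com"}  # constructed address book

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self.href is not None:
            self.found.append((self.href, data.strip().lower()))
            self.href = None

def phishing_signs(msg, contacts):
    """contacts maps a lower-cased display name to the address you already trust."""
    signs = []
    name, addr = parseaddr(str(msg["From"] or ""))
    known = contacts.get(name.lower())
    if known and known != addr.lower():
        signs.append("display name does not match known address")
    if URGENT.search(str(msg["Subject"] or "")):
        signs.append("urgent subject line")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".exe"):
            signs.append("executable attachment")
        elif part.get_content_type() == "text/html":
            parser = Links()
            parser.feed(part.get_content())
            for href, text in parser.found:
                host = urlparse(href).hostname or ""
                # Visible text looks like a host name but the link goes elsewhere.
                if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text) and text != host:
                    signs.append(f"link text {text} points to {host}")
    return signs

# Constructed sample message; every name and domain is a placeholder.
sample = EmailMessage()
sample["From"] = "Jane Doe <jane.doe@example.net>"
sample["Subject"] = "URGENT! Action required on wire transfer"
sample.set_content("See the HTML part.")
sample.add_alternative('<a href="https://login.example.net/">bank.example.com</a>', subtype="html")
sample.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="invoice.exe")
```

A message that trips none of these checks is not thereby safe; the outbound verification described earlier still applies.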

 

WHEN IN DOUBT, FREEZE IT OUT

If you don't already freeze your credit reports, now is a good time to do so. This is a free service, regulated by law, accessible to all U.S. citizens. A true "freeze" is free, and does not involve paying for any of the highly-marketed "identity lock" services.

Online: Equifax
By phone: 800-685-1111
By Mail: Equifax Security Freeze
P.O. Box 105788, Atlanta, Georgia 30348-5788

Online: Experian
By phone: 888-397-3742
By Mail: Experian Security Freeze
P.O. Box 9554, Allen, TX 75013

Online: TransUnion
By Phone: 888-909-8872
By Mail: TransUnion LLC
P.O. Box 2000, Chester, PA 19016

Online: Innovis
By Phone: 1-866-712-4546
By Mail: Innovis Consumer Assistance
PO Box 530088, Atlanta, GA 30353-0088
Mail Form

 

With a freeze in place, identity thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name.

For more information on freezing your credit reports, read more here.

 

 


Frequently asked questions

What makes the AT&T phone record breach so concerning if it is “just” call and text logs?

Even without full PII, call and text metadata reveals who you talk to, when, and how often. That gives attackers a realistic “cast list” for impersonation: they can pose as your bank, your doctor, your boss, or a close family member and sound far more convincing because they know those connections exist.

How should I handle unexpected calls or texts after a breach like this?

Assume inbound is untrustworthy and outbound is trustworthy. If someone calls or texts claiming to be your bank, IT, a government agency, or a relative asking for money or sensitive information, hang up or stop replying, then contact them back using a phone number or channel you already trust (back of your card, official website, saved contact). Anyone pressuring you not to do this is a red flag.

What signs of phishing or social engineering should I watch for across phone, text, and email?

Be wary of unexpected requests for money or sensitive data, unsolicited attachments or links, vague or overly urgent messages (“act now,” “your account will be closed”), language that feels “off” for the person contacting you, and suspicious sender addresses or phone numbers. If anything feels wrong, pause, verify via a different channel, and do not click or share information.

What does it mean to “freeze” my credit, and why is this recommended?

A credit freeze restricts access to your credit reports so lenders cannot open new credit lines in your name without you temporarily lifting the freeze. It is free in the U.S. and does not affect existing accounts or your credit score. With a freeze in place, even if criminals have enough information to attempt opening accounts, they are far less likely to succeed.

What practical steps should I take right now for both personal and work security?

For personal life, freeze your credit with the major bureaus, be extra cautious with unexpected communications, and avoid sharing personal or financial information over inbound calls or links. At work, follow your organization’s security training, report suspicious messages to IT, use multi‑factor authentication where available, and always verify unusual requests — especially those involving payments, credentials, or sensitive data — through trusted outbound channels.
