Owning the Problem of Telecom-based Attacks
In 2022, Regions’ customers and non-customers reported a record number of telecom-based attacks that sought to abuse Regions’ brand name. Threat actors conducted text-based attacks (“smishing”) and voice-based attacks (“vishing”), both against wide audiences and in highly targeted attempts. The attacks impersonated Regions and our vendors to deceive the recipients into believing fraud had occurred on their accounts. These attacks involved robo-calling, mass text message schemes, and even spoofed phone calls. The threat actor would then deceive the victim into allowing the threat actor to take over their financial accounts and conduct fraud.
Meanwhile, smishing events also targeted Regions associates in attempted executive impersonation schemes meant to convince associates to purchase gift cards.
Traditionally, many organizations have viewed these types of telecom-based scams as a telecom sector problem. After all, the phone calls and the text messages all occur outside the organization’s own network. What possible control could organizations in the financial, retail, healthcare, or hospitality industries have against telecom-based attacks? Organizations’ primary response has been customer and employee training. Organizations in numerous sectors have warned their customers and employees not to trust every text message and phone call they receive. While those activities have made everyone a harder target for telecom-based scams, the threat actors have also continued to innovate both in their techniques for abusing telecom networks and in the apparent credibility of their deceptive messaging.
While we can all hope that telecom-based attacks will go away or that authorities will prevent them from occurring, hope is not a strategy. Through brand protection efforts and partnering with effective vendors, organizations must take ownership of the problem and work to mitigate brand abuse seen in all channels, including telecom.

How YouMail’s Technology Plays a Crucial Role
Beginning in 2023, Regions Bank partnered with YouMail Protective Services (YPS) to mitigate telecom-based threats by identifying the source of these illegal calls and text messages. By tracking phone numbers and analyzing call patterns, YouMail was able to provide crucial evidence to telecom providers regarding the abuse of their services, including call recordings that reveal the true intent of the call. YouMail’s detection network expands what Regions can collect beyond what customers and associates report directly to Regions. Without installing anything on the Regions network or requiring Regions customers to install a YouMail app, YouMail detected dozens of calling campaigns and worked with Regions to determine which campaigns were legitimate and which were perpetrated by threat actors. YouMail’s deep knowledge of telecom network traffic allowed them to home in on fraudulent calls among legitimate traffic from known Regions vendors conducting calls on behalf of Regions.
For the malicious robo-calling and human-led calling campaigns, YouMail worked on Regions’ behalf with industry groups to trace the malicious calls back to their true origin and shut them down. Threat actor groups exploit weaknesses in the telecom network path to route malicious traffic to call recipients, and those calls can even display phone numbers that do not belong to the callers or hide the caller ID altogether. By legally compelling telecom providers to cooperate with the investigation, YouMail works with industry groups to learn where each provider received the call and continues to move up the chain to find its true origin in the United States or abroad. The threat actors who originate the calls have sometimes created new accounts and sometimes compromised legitimate accounts, but either way they are abusing the trust of telecom networks, and the tracebacks lead to their identification and account termination.
For text-based attacks, including executive impersonation schemes, YouMail identifies the originator’s telecom provider and works with them to shut down the phone number. When threat groups that specialize in tollbooth-themed smishing attacks decide to try their hand at targeting banking customers, YouMail shuts down the threat groups’ phone numbers and works with telecom providers to find other phone numbers used by the group and shut them down as well.
YouMail also works with the telecom carriers to add Regions’ phone numbers to Do Not Originate lists to mitigate threat actors attempting to appear to originate their calls from Regions-owned phone numbers.
Conclusion: A Proactive Approach to Telecom Threat Mitigation
By partnering with YouMail, Regions was able to defend forward and impose costs on the threat actors. Defending forward involves taking proactive, offensive-minded actions outside of Regions’ own network to detect and disrupt malicious activity at its source. Imposing costs involves shutting down the threat actors’ infrastructure so they must build, buy, or compromise additional infrastructure. Discouraging the threat actors’ activities leads them to shift their tactics and even to shift to going after other targets. When peer institutions kept reporting certain scams, Regions had already stopped seeing them. Regions’ overall reported telecom phishing events dropped by 55% and telecom phishing events that led to fraud dropped by 37%. The reduction of telecom phishing events reduces the menace to Regions customers and reduces contact center interactions related to telecom-based fraud events. Moreover, Regions has a mechanism to act on customer-reported attacks.
Threat actors will continue to try to reach their victims via telecom, and mobile messaging phishing is increasing, so these attacks are not going away. But banking customers and organizations need a strategy that will defend forward and impose costs on the adversaries when other controls fail to stop their attacks. Doing so helps defend the brand and ensure that banking customers trust that Regions is working to mitigate these threat actors’ activities even when they happen outside of the Regions network.