Republished on February 1 with new reports of fraudulent calls from law enforcement agencies, where even those phone numbers can no longer be trusted.
Be careful — it’s getting ever more dangerous out there. We’re not yet through month one of 2025, and the AI-fueled cyber attacks we were warned would dominate this year are already in full flight. And while there are some macro-level threats (Chinese hackers compromising our networks and Chinese AI compromising our phones), you’re still most at risk from your own mistakes as you let your guard down against the influx of everyday threats.
So it is with the wave of “phantom hacker” attacks “currently targeting Apple and Android products,” which the FBI has warned is “growing rapidly,” and which relies on a spoofed call from a victim’s bank tricking them into transferring money to stop it being stolen by a non-existent (phantom) hacker. “And they may even be able to spoof that bank’s phone number,” the bureau warns, “so the number on your caller ID or cell phone might show that it’s the bank.”
This spoofed call threat is expanding rapidly, and has maybe reached peak-2025 already, with a hacking-savvy engineer almost caught out by an attack spoofing Google’s support numbers, which he described as “the most sophisticated phishing attack I’ve ever seen.” It should serve as a clear warning that you can’t believe what you see and need to stick to basic advice.
And on that note there’s a common theme. Google has confirmed it won’t proactively call users to troubleshoot technical issues, per this latest AI attack; and in the highest profile recent Phantom Hacker attack, the bank involved told its account holders to “remember that Bank of America will never contact you to request that you move money to protect yourself from fraud.”
Microsoft has just revealed a new update for Windows users that uses its own AI to hit this threat head-on, intercepting such “scareware” attacks targeting PCs with fraudulent support calls. “The FBI reports that victims lose over a billion dollars per year to tech support and related scams,” Microsoft warned in its post, linking to the bureau’s advisory on how to stay safe.
The FBI’s warning could not be clearer: “Legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.” There are no exceptions. None.
With a wry irony, even law enforcement is not immune from becoming embroiled in such scams. If you needed a perfect illustration as to how close to the mark these call scams have now become, look no further than U.S. CBP warning that its “employees are continuing to receive numerous calls from people concerned about unsolicited calls from scammers posing as U.S. Border Patrol agents and U.S. Customs and Border Protection officers.”
And we’ve just seen echoes of the same, with convictions for fraudsters whose scam calls pretended to be from police officers, tricking elderly victims into parting with cash and jewelry as part of an investigation. This scam worked by asking victims to call back by dialing 999 — the U.K. equivalent of 911. But the fraudsters would stay on the line, which would not disconnect, and would then handle the emergency call themselves.
Just as with banks and tech support, CBP says it “won’t call you out of the blue with promises of money or threats. Is the caller asking you to pay a fee or share your Social Security, credit card, or bank account numbers over the phone? Hang up. It’s a scam.” The agency also warns “don’t trust caller ID; scammers can make their phone numbers look real even if they’re not.”
“Never call back phone numbers in caller ID, or left in voicemails, emails, or social media messages,” CBP advises. “Instead, type the agency name into a search bar and click on their webpage to find contact information.”
Tech platforms are responding to this threat now. Google has introduced call defense to the latest version of Android, which can listen in to calls using on-device AI and flag a likely scam. It has also prevented users from being talked into disabling Android’s sideloading protection while on calls, to prevent malicious apps being installed.
It doesn’t matter what email address or phone number contacts you. If it’s unsolicited, if it’s out of the blue, if you have not explicitly reached out first, assume it’s a scam. Don’t take the call — hang up. It’s not your bank, it’s not Microsoft or Google or Apple or anyone else. It’s a sharp-talking, hardened scammer and the longer you talk to them the more likely it is that you and your money will be parting company.
Heed the FBI’s advice at all times. It really is that simple.