Is it dangerous to call spam phone numbers, even if you know they're spammers?

  • I sometimes like to check spam just to see what the messages look like, and I found someone who actually put an American phone number (1-XXX-XXX-XXXX). Most of these spammers are either trying to get money out of you, or hack you in ways like disguising themselves as services like Google+.

    Not that I actually want to, but I am curious if calling the number would do something to my phone. How could a hacker possibly access sensitive information just by tricking someone into calling? I have heard (no idea where), that some numbers when called, will charge you an enormous bill. Could this be true?

    "I have heard (no idea where), that some numbers when called, will charge you an enormous bill". In Italy *all* numbers starting with `899` are of this kind... so be warned if you ever come to visit Italy to *not* call any such number if you find an advertisement for something you are interested in.

    @Bakuriu That's a nice little fact. You could add that as an answer or edit it into the accepted answer

    A side-effect if the phone number is in your country is being added to a "sucker list" that gets resold among the boiler rooms, something quite common for the elderly who respond to various con schemes. Respond to one call, get hit with a permanent barrage to the point that your phone number needs to be changed.

    We should never give information to spammers; if you call them, they will have your phone number. I would suggest you find a pay phone and call from there if you are curious.

    Returning their call is confirming your phone number. If you have the ability to block that number or add it to your auto-reject list, you should do that. Edit: If you're unsure, Google the number first. There are some good forums out there regarding these numbers that call you.

    I'm not sure if it makes sense to consider any number really domestic versus overseas anymore (aside from billing purposes). Long gone are the days when the area code and/or exchange give you any idea at all of where on the Earth the person or computer on the other end of the call is physically located.

    I use an app (Android) called TrueCaller... here's the app description: `Truecaller lets you search beyond your phonebook, identify unknown incoming calls, block calls you don’t want to receive, and make relevant contact suggestions based on time and place – so you never have to leave the service to find the right contact.` https://play.google.com/store/apps/details?id=com.truecaller&hl=en It might be worth a shot for you to try it as well, this has been very bothersome for me as well.

    Funny story: I work as a professional pentester, and "Windows Support" decided to call my business phone to tell me I have viruses and they need to VNC in to fix it. Had a reverse shell in 5 min. Remember, the FCC has a $50,000 bounty for anyone who can turn them in so keep it ethical, legal and go after them!

  • Can you get "hacked" by calling a number?

    "I am curious if calling the number would do something to my phone. How could a hacker possibly access sensitive information just by tricking someone into calling?"

    It could be a hack, or it could be a prelude to a hack. Here are some rough examples:

    1. If you call them, the spammer can find out if that phone number is owned by an actual person. The spammer can also easily fake the same area code as you, and set up a clever social engineering trick that may involve you thinking with the wrong head.
    2. If you're dumb enough to call them, you may be gullible enough to fork over additional information. If you're dumb enough, they may call you from other numbers, or forward you to another number.

    3. There may also be an exploit in your phone's processing of various messages/content types. While they could easily target all phones at once by using some form of auto-messaging feature, this may be easily stopped by carriers.

    Learning more about you allows an attacker to guess secret answers, passwords, etc. If you're the gullible type, chances are you don't have a good password policy, or you could be tricked into visiting a malicious website, or both.


    But why not just send infected videos or pictures to everyone?

    Let's assume the spammer has developed, or found, a program that helps with automatically dialing phone numbers.

    If they're sending an infected video or picture to multiple recipients, they may quickly run out of data. It's far cheaper and easier to target people individually, especially those gullible enough to call the number.

    In fact, if they target everyone, then that also increases the chance of their scam becoming well-known. By limiting their attacks only to the gullible, they've found a very good way to limit detection and knowledge of their particular scam.

    The reason why they'd want to limit knowledge is that many folks may be searching for a particular scam, not exactly their specific scam. This is a problem with many gullible people: they can't really think outside the box, and don't realize it's the same type of scam, but with different features.


    Your information helps scammers engage in Social Engineering tactics

    Have you ever tried to contact customer service for anything important, such as banks, online game accounts, websites, etc? Usually, they need specific information from you, or someone pretending to be you, in order to handle your request.

    In fact, just recently, I was able to social-engineer a customer service representative for an account of mine by providing details on things I knew about me, without actually providing any real concrete details, or even providing my identity. All I needed was a few bits of information about myself.

    Social Engineering is a tactic used everywhere, and often results in astounding success because people in general are ill-equipped to handle it. If a spammer has your phone number, then it may be possible for them to get other information. Maybe your phone number is tied to different accounts.

    Maybe they have a partial database of credentials stolen from various websites, which could include more information on you. Maybe that database includes information on your email address, which will allow the scammer to continue their campaign of phishing without you realizing it.


    Can calling spam numbers cost me money?

    "I have heard (no idea where), that some numbers when called, will charge you an enormous bill. Could this be true?"

    Yes, this is possible.

    If you're calling a premium-rate telephone number, then that could cost you a lot of money when you call them. If you text a number associated with a "donation", whether it's legitimate or a scam, your phone bill will likely include additional charges.

    What if the call is done with the number hidden?

    @Jim What if the spammer somehow convinces you to give them your number? What if there's an exploit we don't know about regarding the way calls are handled?

    What you say makes total sense. I was wondering if, when we hide the number, this info is still somehow available or there is something I was not aware of.

    "...they may quickly run out of data." Scammers running that sort of operation are not likely to be on a limited-data plan, but more likely sending from a server somewhere.

    @WBT I partially agree with you, that's why I added "may." However, many scammers are using burner phones from Walmart/etc. They aren't necessarily outside of the country.

    Yes, "may" is a necessary hedge. The efficiency gains of scamming/spamming from a server can also be gained from people inside the US (or any other given country).

    Lol at social engineering involving wrong head.... thanks for that, I now have to wipe coffee from my screen again!

    Working for a telecoms company who specialise in automated diallers, I can tell you it's very easy to spoof caller ID and redirect inbound calls to premium rate numbers that play an automated message that sounds like the phone is still ringing. You can think you're waiting for a local call to connect, but in reality you're being charged for listening to a recording. While it is interesting to see what scammers are up to, you're best leaving this one well alone. Edit: it's not _that_ easy to spoof CID, it's still possible.

Licensed under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM