SAN JOSE -- Most of us block or ignore robocalls.
Scott Hambuchen isn't like most of us. He's eager to answer when scammers dial his number.
"I like talking to these guys, to see what the latest scam is," Hambuchen said.
Hambuchen studies scams for a living. He's the chief information officer at First Orion, an Arkansas-based technology security firm.
Via videoconference, Hambuchen told NBC Bay Area scammers are better than ever at spoofing caller ID and pretending to be companies with which you do business.
"They can make you believe that they're a representative of that company," Hambuchen said, "and then use that to their advantage, to extract data, information, or even money."
Bay Area PG&E Customers Targeted
Local
We've already seen this scheme in action, right here in the San Francisco Bay Area. In August, several viewers alerted us that a clever robocaller had faked his caller ID, posed as PG&E and targeted PG&E customers in the 415 area code.
The caller warned the customers that they must "call the direct billing department" at a given phone number to avoid power disconnection "within 30 minutes".
The threat was bogus. But one viewer told NBC Bay Area the caller knew certain facts about his address and account. Hambuchen says that's the calling card for the latest wave of scammers -- getting personal.
"They have also acquired data, generally through data breaches, or access to data that they can purchase," Hambuchen said.
The savviest bad guys cross-reference those droves of stolen personal data with phone numbers. When they find nuggets like addresses, relatives' names, or even partial Social Security numbers, they use that information to gain your trust.
Using Personal Information as Bait
First Orion says nearly a third of scam calls now use this technique. Sadly, it works: in First Orion's study, 75% of scam call victims said they were conned by scammers using the victims' own personal information as bait.
Text messages are under assault, too. Aaron Cockerill, chief strategy officer with San Francisco-based Lookout Mobile Security, warns that some scammers are targeting parents with alarming, highly personalized texts.
Cockerill described one such real-life scenario: a text message stating "...'Your daughter', her real name, 'has had a serious accident at her elementary school,' [naming] the correct elementary school,'" Cockerill said. "'Click this link for more information.' And what parent would not click on that?"
Cockerill says crooks don't necessarily need to scour the dark web to personally pinpoint a scam like that because you might be doing it for them -- freely sharing reliable, accurate information like a child's name and school.
We asked Cockerill: Where are they getting that information?
"Social media," he said. "Because we publish all of our lives on social media, it's pretty easy to work out -- what's your daughter's name; what elementary school does she go to; and all of a sudden, you get a very personalized-looking message or email -- it doesn't matter -- and you're far more likely to click on that."
Clicking on those links in both texts and emails may grant the thieves access to sensitive information on your phone or computer, especially passwords and account numbers.
Protect Yourself
Security experts urge us to be extra cautious about what we share on social media, even if it's only with friends.
In the meantime, if you do get a call that appears to be from a business you use, like the power company or a phone provider, they should never ask for account numbers, passwords or credit card information over the phone, if they originated the call. To be safe, tell them you'll call back at their publicly listed number. Only share sensitive information when you call the company yourself, not the other way around.
