Sprint responds to a customer's complaint of mobile phone calls and text messages from unknown callers. Here's what the carrier offers for advice. Given that we all need to be more security-savvy and learn the behaviors of good cyber hygiene, I try to stay on alert when it comes to email messages and phone calls. One client told me I have been in the industry too long because I wouldn’t open a link he shared until I confirmed he actually intended to send it.So, I know about email spoofing — that it is used for phishing campaigns — but I didn’t realize spoofing also happens on cell phones.Maybe you, too, have answered the phone to hear a brief moment of pause before a woman explains she was just adjusting her headset. I’ve received it, a few times even. I’ve just hung up on her. In the past few weeks, though, I’ve gotten a collection of random calls and texts from people who say, “I just missed a call from this number.” In fact, I’ve received three such calls today — all before noon — while I was on the phone with Sprint trying to report the issue.Mysteriously, the calls that remain in my call log all come from a number that has the same area code and first three numbers of my cell phone number, but the last four digits are all different each time. How to stop phone spoofingWhen I called Sprint, I was concerned that my account had been hacked, but they, “didn’t see any suspicious activity,” according to Elena in customer service.As I sat on hold, being transferred to three different people, I started Googling the issue. There have been chats on reddit, and AT&T reminds its customers to read their privacy guidelines. I asked if the security practitioners were aware of this issue, but Elena told me she’s only had calls from people reporting telemarketing concerns. Naturally, I asked what steps they take to communicate customer concerns about potential security breaches, and she said, “If you call again with this same matter, the next person will be able to see her notes in my account.”But the concern that I’m reporting isn’t ever shared among the customer service representatives. And while I was the first person to make Elena aware of these spoofing calls, she has no idea whether anyone else has reported it to other representatives.Then I was transferred to Sara, a manager, who said she was “unable to report this to the corporate security team because there is a process for security and incident reports.”Oddly, Sara said, “The only time you can reach out to corporate security is if there has been a physical injury, as in an accident or assault, or something of that nature.” Sprint’s media relations department responds to spoofingThat rule apparently applies only to customer service representatives because I did reach out to Sprint’s media relations department and received a swift response.A Sprint representative wrote:This appears to be spoofing and not a Sprint-specific issue. As the activity is prohibited by the FCC, they provide helpful information on their website which may be of interest to your readers, including how individuals can protect themselves and how to report suspicious calls.Additionally, Sprint provides a service called Premium Caller ID. In November 2016, we announced an enhancement to that service so that customers can protect themselves from unwanted robocalls and caller ID spoofers. Here is a blog post outlining the details.The blog post does indeed discuss solutions to spoofing, one of which is that you can “elect to block the number in order to prevent future calls, and may also choose to report the call, which is used to help refine data via crowd-sourcing.”The latter part of this advice was never conveyed in my first three conversations with anyone (including supervisors) in the customer service department. The very word spoofing was never even uttered. Yet, the blog goes on to claim,“At Sprint, we strive to provide top-notch customer service, and today, we’re able to protect our customers from unwanted robocalls,” said Mark Yarkosky, Sprint’s director of product management. “Cequint has effectively created an important and needed solution to better providing mobile customers with better privacy and security.”So, my question remains: Is spoofing a security risk, or is it just annoying? Related content news analysis Searching for unicorns: Managing expectations to find cybersecurity talent Finding the cybersecurity leaders of tomorrow means being realistic about job descriptions and providing training and mentoring for non-traditional tech people. By Kacy Zurkus Sep 29, 2017 4 mins IT Skills Careers IT Leadership feature Vulnerability vs. risk: Knowing the difference improves security Conflating security terms evokes fear but doesn't help security newbs understand the difference between vulnerabilities and actual risks. By Kacy Zurkus Sep 26, 2017 3 mins Risk Management Vulnerabilities IT Leadership opinion What the Equifax breach means to me — an end user perspective Recovery and resiliency or apathy. Which will prevail now that most everyone's PII has been exposed in another massive breach? By Kacy Zurkus Sep 15, 2017 4 mins Cyberattacks DLP Software Internet Security opinion Abandoned mobile apps, domain names raise information security risks When app creators abandon domains for bigger, better deals, what happens to all the app-specific data? By Kacy Zurkus Sep 08, 2017 3 mins Access Control Data and Information Security Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe