ASU researchers are phishing for information

The phone call experiment, which involved simulated phishing scams, was part of an ASU research team's ongoing study

An ASU research group within the School of Computing, Informatics and Decision System Engineering caused a stir following an experiment based around scam phone calls.

The research group within ASU’s Center for Cybersecurity and Digital Forensics sent out fake phone calls to nearly 2,000 ASU phones to test how susceptible people are to various types of phone scams.

Most of the calls focused on phony IRS scams asking ASU employees to enter their social security numbers, and a highlighted a fake department within the University asking for social security numbers to update the payroll.

Raymond Tu, a Ph.D student within the ASU Center for Cybersecurity and Digital Forensics and one of the research assistants on the project, said the research behind the experiment is necessary to further understand how scam phone calls work.

“We’re doing an experiment to measure the people’s responses to various types of telephone spam and scam calls,” Tu said. “In recent years, there’s been a large increase in the reported complaints of telephone spam. There’s an increase of phone fraud.”

And fake phone calls have cost Americans a lot of money. A poll conducted by Truecaller suggests that Americans lost nearly $9 billion to phone scams in 2013 with the average caller losing nearly $500.

Tu said the Institutional Review Board at ASU reviewed the experiment to ensure ethical treatment of the subjects involved. Along with the board, the team got approval from the ASU Health Desk, the University Technology Office and the University Telephone Network Team, Tu said.

Other than the organizations involved in approving the experiment, no faculty were aware of the test. Sandy Mancilla, director of fiscal and business operations for ASU’s Walter Cronkite School of Journalism and Mass Communication said she didn’t know about the experiment until she called a representative from the University Technology Office.

"I did after the fact, but not in that point in time,” Mancilla said. “But what I did was reach out to our University Technology Office, and Evelyn Pitchen told me it was a study.”

Steve Doig, a professor at Cronkite, said he was immediately suspicious when he received one of the phishing experiment calls on his office phone, which asked him to provide the last four digits of his social security number.

Doig said he was skeptical of the call and intentionally put in four random digits to get to a live voice behind it, which then proceeded to a debrief saying the call was an experiment, and gave a survey asking whether or not he fell for the scam.

“I didn’t actually fall for it, I made up my four digits and so on, which I actually think is a flaw of the study,” he said. “There are going to be people who, like me, actually recognize these things but may decide to play along or whatever, so I think that’s something they should’ve taken into account when they were doing this thing."

Doig said several professors in Cronkite who received the call emailed each other in an attempt to clarify the situation.

“We had a bit of a discussion inside the Cronkite School email list where a couple of the faculty said they were outraged," he said. "They thought this was really invasive. They were very unhappy about it. I said it’s actually a good thing to do this kind of study because it does give you a sense of how likely it is that random people being sent a message like that would actually fall for it.”


Reach the reporter at angelmendoza@cox.net  or follow @niceledes on Twitter.

Reach the reporter at emmillma@asu.edu  or follow @millmania1 on Twitter.

Like State Press on Facebook and follow @statepresss on Twitter.



Get the best of State Press delivered straight to your inbox.