Recently, someone called me from the CDC. How can I verify that they're legit?
I got a weird call this weekend. That’s nothing special — my phone blows up with robocalls all day every day, just like everyone else’s — but the caller ID for this call caught my eye. It said “Cdc Natl Immun.” I thought about it for a second, then silenced it, assuming it was just another Covid-19 scam call. Because, really, does the CDC show up like that on caller ID? Seemed shady.
Then they called back, from the same number, a few minutes later. So I thought, okay, maybe this really is the CDC! We are in a pandemic and I want to do my civic duty, so let’s give them a shot.
But when I picked up, I was immediately on guard. Remember: I write all day every day about scams, be they online or over the phone, so I know the tricky technology — and even language — that scammers use to scam. This “CDC” guy was going to have to really prove himself to get me on his side.
And he just… Didn’t. Convince me, that is. He had a weird affect and didn’t really explain why he was calling and started by asking me about whether I was over 18, if I was driving, and whether or not I had kids in the house. The whole thing just felt so strange to me, so I told him that I wasn’t convinced this was a real call and I hung up the phone.
Turns out, I was wrong. A quick search for “CDC survey scam” led me to the CDC page explaining that it was legitimate. Apparently, they’re making calls from three numbers with Chicago area codes — 312-871-4241, 312-871-4242, and 312-871-4243 — and the call I received appeared to be from one of those. (And I say “appeared” because, as we’ll get into later, it’s very easy to spoof a caller ID.)
I realized I’d hung up on some poor dude who’s been hired by the CDC to do a national survey about kids and vaccines. And I felt like a jerk.
So I thought, okay, how could this have gone better? Here’s what I found for next time.
While Avast Threat Intelligence Director Michal Salát says he tells people to “never” answer phone surveys, he does say that if you want to participate, then the least you can do is verify the caller ID number.
In the case of the call I received, it was really easy to find the CDC page that explained what was going on. I double-checked the URL of the website, to make sure it was really the CDC, and checked the security certificate. That felt like good verification to me.
However, it’s important to remember: caller IDs can be spoofed. It’s probably a good idea to do one of the other tips here as well.
Salát also recommends not giving any information to the person who calls you directly, but instead going online to find a verified phone number from a legitimate source.
For example, in tech support scams it’s common for scammers to say they’re calling from Microsoft. It’s pretty easy to go to the official Microsoft “contact” information and figure out if the number that’s calling you is actually Microsoft. (Spoiler alert: It’s not.)
For the CDC vaccine survey, I found the phone number 1-877-220-4805 to call in order to verify whether or not it was real.
This is one of the reasons my scammer Spidey-senses were tingling on this call: I felt like he was about to ask me personal information and I know that’s a big no-no. “In general, if they are asking any personal questions or ask for personal data, you should hang up or tell them that you'll call back,” Salát says.
But I realized after talking to Salát about the types of personal information you should never share — namely, any kind of ID number (like a social security number, for example), date of birth, where you live, what type of internet service you have, and any answers to popular security questions, for example — that the caller wasn’t asking for specifics. He literally asked me if I was over 18, whether I was driving at that exact moment, and whether there were children under the age of 18 in my house.
Those are all legitimate questions that someone doing a survey for the CDC about kids and vaccines would ask. And I hung up on him. Yup, I’m a jerk.
Finally, don’t send money — of any kind — to anyone who calls you out of the blue.
“If they ask you to take some specific action which involves money in any form (checks, gift cards, money orders, Zelle, PayPal, etc.) — don't do it, “Avast Global Head of Security Jeff Williams says. Anyone with a legitimate need for this should not be doing this sort of thing by phone, email, Discord, SnapChat or anything similar.”
This one is less relevant in the case of the CDC vaccine survey call but it’s so common in other types of phone scams, so it’s worth mentioning.
In conclusion, I didn’t do my civic duty. I hung up on a guy who was just trying to do his job. I felt like a jerk — but I don’t regret it. Because, ultimately, I’d rather be overly cautious with this type of thing than get scammed out of my life savings or have all the data on my computer or my identity stolen.
But I do know that sometimes these calls are legitimate and important. So, CDC, if you’re reading? It might be time to do some trainings around what scam calls sound like, so you don’t sound like one. In the meantime, I think you’re going to get a lot of hung up calls.
One type of phishing scam that tends to occur during tax season is the W-2 scam, in which hackers pretend to be company executives and request employee W-2 forms. Here's how to stay safe.
Tech security tips for a new laptop, phone, tablet, or smart device.