This was a DTMF attack. And it’s so damn clever!

When you press a key on your phone’s keypad, it generates a specific pair of audio tones. This system is called DTMF, or Dual-Tone Multi-Frequency signaling. Each key, 0 through 9, along with the asterisk and pound, produces a unique combination of two tones that phone systems use to identify what was pressed. It’s the same technology that lets you “press 1 for English” or enter your account number on an automated line. But those tones are just sounds, and anyone on the call with you can hear, record, and decode them.

That’s exactly what the scammer did.

When this Redditor called the balance verification number using three-way calling with the buyer on the line, they entered the card number and PIN using their keypad. Those DTMF tones traveled directly through the call to the scammer’s end in real time. The scammer either recorded the call or used software to decode the tones as the victim pressed them, translating each beep back into the exact digits entered. Once they had the card number and PIN, they hung up, logged into the gift card issuer’s website or called the automated line themselves, and drained the balance. The entire process likely took just minutes.

The technology behind this isn’t complex. Tools for recording and decoding DTMF tones are readily available and free. However, what made this attack so effective wasn’t the technology; it was the social engineering. The scammer didn’t hack anything; they simply created a situation where the victim willingly entered the credentials while they listened. The three-way call seemed like a normal, cooperative action. A buyer wanting to verify a balance before purchasing makes complete sense. That’s exactly why it succeeded. Social engineering attacks don’t target systems; they exploit trust.

https://en.wikipedia.org/wiki/DTMF_signaling

https://nhollmann.github.io/DTMF-Tool/

Wilmington?

Last week, I spoke at the Delaware Fraud Working Group conference in Wilmington, Delaware. What a pleasant event! I’m disappointed I had another commitment and couldn’t spend the entire day.

The host venue at Delaware Technical Community College was fantastic—truly one of the best places I’ve spoken at. I was also pleasantly surprised by Wilmington. I’ve long written off cities like Philadelphia and New York and generally refuse to attend any event hosted there. Heavy traffic, limited parking, panhandlers, dirt, and chaos make the inconveniences and costs too high to justify the effort.

Wilmington probably has those issues, but I didn’t experience them. The drive into the city from the West was smooth, and parking was straightforward and, best of all, free. The only problem I faced was the haze of marijuana smoke in the parking garage stairwell.

I’m not sure whether the DFWG will host next year's event at DelTech, but if you’re within a reasonable drive, attend.

Reader Mail

Matt, your take on the Darksword exploit is one of the most balanced I’ve read. You should push that to a publication with a much wider reach. It’s genuinely better than most things I’ve seen in any of the major news outlets. - JohnS

I was an examiner with a 3 letter agency for eight years, and now I work for an incident response firm. I can’t stress enough how important it is for people to keep their devices updated. We recently had an incident in which the owner of a business was using an iPhone XR running iOS 17.7. How does that happen? It’s really that simple. Keep your devices on the most recent version, and you eliminate 99.9% of remote exploits. - KS

See Issue 280 for context.

The News…

David Maimon explains the fraud known as “Pell Running” that is crushing the American federal student loan system. https://resources.sentilink.com/blog/inside-pell-running-the-federal-student-aid-fraud-congress-is-trying-to-stop

AI-generated deepfake audio has raised concerns about the integrity of evidence. With voice cloning tools becoming affordable and widely available, it’s now simple to produce realistic fake audio recordings of voicemails, calls, or confessions that can be used as evidence in legal proceedings, insurance claims, or business disagreements. https://www.forbes.com/sites/larsdaniel/2026/03/15/beyond-cybersecurity-deepfake-audio-is-an-evidence-crisis/

It’s tax season and that means tax scam season. Proofpoint has identified over 100 malicious campaigns using tax-themed lures to deliver malware, Remote Monitoring & Management tools, credential phishing, and fraud. https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers

A recently identified phishing-as-a-service platform is targeting C-suite executives using highly personalized, QR-code-based emails that impersonate SharePoint notifications. These emails bypass detection using techniques such as randomized HTML noise, fake email threads, and Unicode QR codes that evade image scanners. When scanned, victims are led through a multi-layered “gate” that prevents automated tools and researchers from proceeding, before being redirected to credential harvesters. More worrisome, the exploit functions within Microsoft’s authentication system, making traditional MFA ineffective as a key line of defense. https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft

I currently hold two SANS/GIAC certifications and recently let a third (GSEC) expire. The exams and their preparation are quite demanding. The crucial aspect is really the preparation process itself. Although the exams are open book, spending too much time looking up answers will result in you running out of time. You will need to look up some answers quickly, and this is where the index becomes essential. Here is a good take on creating an effective index. https://aerobytes.io/writeups/giac-indexing-guide/

Two individuals have pleaded guilty in federal court in Rhode Island for their roles in a transnational fraud and money laundering scheme targeting elderly victims across the U.S. and Canada. The scheme involved fraudsters posing as representatives of financial institutions and government agencies, such as the FTC and the Federal Reserve, convincing victims that their accounts were compromised and directing them to transfer funds via wire transfers, cryptocurrency, cash, or gold bars. The scheme defrauded approximately 300 victims across 37 states, with known losses exceeding $5 million. https://www.justice.gov/usao-ri/pr/two-defendants-plead-guilty-transnational-fraud-scheme-targeting-elderly-victims

Uno is a good boy. https://cdapress.com/news/2026/apr/01/coffee-with-a-k9/

DFIR

Tsurugi Linux released update version 26.03 on iso or ova. https://tsurugi-linux.org/downloads.php

Cool Tools

FTC Sentinel Fraud Dashboard. https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudReports/FraudFacts

Who is giving money to whom? https://www.opensecrets.org/

Cool Job

Card Fraud Manager, Members 1st Federal Credit Union. https://careers.members1st.org/jobs/2682/Card%20Fraud%20Manager

Vice President of Consumer and Banking Fraud Strategy. JP Morgan Chase https://jpmc.fa.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/210699592

Irrelevant

Credit: Varun.ch

Feedback

matt (at) threatswithoutborders.com

Sign Off

Wow, a lot of new subscribers this week.

So, what’s this all about? See that issue number, 281—that’s how many consecutive weeks the Threats Without Borders Newsletter has been published. Yep, every Tuesday morning for five years and four months. Never a miss. What I lack in quality, substance, and style, I make up for in tenacity.

Welcome. And when your email provider drops the newsletter or your company decides newsletters are a time-suck and creates a “unsubscribe and delete” rule, you can always find every issue published at www.threatswithoutborders.com.

Or install the Substack app on your smartphone and ensure delivery each week.

Get more from Matt Dotts in the Substack app

Available for iOS and Android

Get the app

Thanks for checking us out and I hope to see you all next week.

Matt

“DON’T LET A BAD DAY MAKE YOU FEEL LIKE YOU HAVE A BAD LIFE.”

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.