Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?
An anonymous reader writes: I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?
Refer to L3's legal department, threaten to file suit against them if they won't give up the identity of the sub-carrier's customer. They will cough it up immediately, or you will get a nice payout for civil fraud.
Looking at the US today, how can providing an incorrect call back number not lead immediately to an FBI investigation?
Sure the general police don't really care because they don't understand this, but this is "interfering with the operation of computer network" (yes the phone system does count as a computer network) and the phone network is a vital civil infrastructure. We know from past things interfering with a computer network, even a small scale private one, can actually lead to very serious charges. The phone network is much more important (than some university's database accesses).
Contact the local police and/or the FBI, advise them that you have evidence of an identity theft ring, and provide them the information you have. They will open a case. Get the case number.
Instruct your call center that, when people call and complain, there is a known fraudster who is spoofing caller ID records, and provide them the case number and the phone number to whoever is assigned the case.
The people who are calling you are understandably angry. Help them focus that anger on the right place by a.) acknowledging they have a reasonable complaint, b.) acknowledging you're aware of the issue, and c.) having them direct their complaint to someone who can actually help resolve it.
Ignore nickel and dime lawyers who talk to you about "writing letters". That will accomplish nothing (except making a few bucks for useless, couch potato lawyers).
You have already been damaged so you have a tort. You should be suing immediately. Note that you do not actually need a lawyer to sue, just the cooperation of the executive officer of your company. Get a paralegal (or anybody with a brain) to find a lawsuit template and file a John Doe lawsuit with the local county court (you can always file a federal lawsuit later, if needed). Also, even if your original lawsuit is incompetently written, it does not matter, because you can emend it later.
The advantage of filing the lawsuit is that you can get subpoenas (and even bench warrants) from the court once your lawsuit exists. This is what you need to solve the problem. Your first subpoena is easy: demand the name of the John Doe who is screwing you from L3. Telcos have very efficient systems for dealing with such subpoenas. Some even have web forms you can use to request the info.
You should also issue a subpoena designed to find out if L3 knew of, or in any way assisted, the criminal activities of the defendant. If you can prove they assisted in the tort, you can add them to the lawsuit as defendants, which would be good, because they probably have a lot more money than the perps.
Trust me, the way to get action in a situation like this is to get your butt to the county court pronto and start legal action. Most people have an irrational fear of courthouses, which is foolish and exactly why lawyers can prey on them. When you start acting like a lion instead of one of the lambs, trust me, you will get results FAST.
And, as far as I can tell, there isn't really much of a legal solution either.
See, the large companies who need to do callouts who got themselves some exemptions in the laws? They need to be sure that the people who call on their behalf show with their caller ID.
So the "legitimate" companies need to be able to spoof their caller ID, and they don't want it to be illegal to spoof your caller ID.
They, unfortunately, use the same kind of overseas call centers as are used in these scams. In some cases, I suspect the exact same call centers.
So, the root cause issue here is that the big players pushed for exemptions in the law, to be sure they could have whatever call center they need call out as if it was from a given number. In effect, they legalized spoofing caller ID.
That the shady players take advantage of that, and usually call from overseas locations where you'll never get the law to do anything ... well, that's the problem. But, this was predictable.
I have my cordless phone set to drop any call which is Unknown or Private, I pretty much won't answer calls from 800 numbers, and I won't answer calls from numbers I don't recognize ... because they've made call display so useless as to be something you can't trust.
I believe if it was made illegal to spoof caller ID, this could be stopped. But, the big players don't want it illegal to spoof caller ID, and they paid a lot of money for lobbyists to give them an exemption.
Unfortunately, this same exemption now exists for the people running scams.
Surprise!!
Every exemption in the Do Not Call list pretty much made the legislation toothless and useless. And this is, quite logically, the expected outcome.
Once again, the exceptionalism by businesses means the laws surrounding this are pretty much useless.
Lost at C:>. Found at C.