Slashdot Mirror


Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?

An anonymous reader writes: I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?

2 of 159 comments

  1. This is a legal matter. by FireballX301 · Score: 4, Interesting

    Refer to L3's legal department, threaten to file suit against them if they won't give up the identity of the sub-carrier's customer. They will cough it up immediately, or you will get a nice payout for civil fraud.

  2. Re: Sue Them or Give Up by gstoddart · Score: 3, Interesting

    There is no technological solution. (The phone system as a whole is just so old).

    There is no human solution. (The other company will not bother).

    And, as far as I can tell, there isn't really much of a legal solution either.

    See, the large companies who need to do callouts who got themselves some exemptions in the laws? They need to be sure that the people who call on their behalf show with their caller ID.

    So the "legitimate" companies need to be able to spoof their caller ID, and they don't want it to be illegal to spoof your caller ID.

    They, unfortunately, use the same kind of overseas call centers as are used in these scams. In some cases, I suspect the exact same call centers.

    So, the root cause issue here is that the big players pushed for exemptions in the law, to be sure they could have whatever call center they need call out as if it was from a given number. In effect, they legalized spoofing caller ID.

    That the shady players take advantage of that, and usually call from overseas locations where you'll never get the law to do anything ... well, that's the problem. But, this was predictable.

    I have my cordless phone set to drop any call which is Unknown or Private, I pretty much won't answer calls from 800 numbers, and I won't answer calls from numbers I don't recognize ... because they've made call display so useless as to be something you can't trust.

    I believe if it was made illegal to spoof caller ID, this could be stopped. But, the big players don't want it illegal to spoof caller ID, and they paid a lot of money for lobbyists to give them an exemption.

    Unfortunately, this same exemption now exists for the people running scams.

    Surprise!!

    Every exemption in the Do Not Call list pretty much made the legislation toothless and useless. And this is, quite logically, the expected outcome.

    Once again, the exceptionalism by businesses means the laws surrounding this are pretty much useless.

    --
    Lost at C:>. Found at C.