Slashdot Mirror
Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?
An anonymous reader writes I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?
Refer to L3's legal department, threaten to file suit against them if they won't give up the identity of the sub-carrier's customer. They will cough it up immediately, or you will get a nice payout for civil fraud.
There is no technological solution. (The phone system as a whole is just so old).
There is no human solution. (The other company will not bother).
You have three options.
1. Wait until it stops and ignore it
2. Change your phone number
3. Sue Level 3 for damages (and file a police report)
In my professional (but not legal: I am not a lawyer) opinion, there is no way to resolve this sort of problem other than suing the closest legitimate business that links you to the perpetrators. Whoever is furthest downstream to the bad guys is your only target, and suing them is probably the only option. Maybe just to get a C&D, maybe punitively just in hopes of getting them to clean up their act. A police report on its own will have zero effect: the police just don't care about IT crimes on this scale.
Sue them, and as part of it file a police report. Don't even bother with any other options at this point: they are not likely to work.
(Again, not a lawyer, just an IT professional).
GeekNights!
Late Night Radio for Geeks!
Time to file complaints with Regulatory Bodies.
It's the phone provider's responsibility to ensure that the caller ID presented by numbers in their "pool" send valid information. You've notified Level3, so that's about all you can do to actually solve the problem. But getting a complaint filed will make it more likely to "light a fire" under Level 3 to block the offending sub-provider until they get their act cleaned up.
Luckily for you this is an in-country operation... when it's an offshore provider doing it you're pretty much out of luck.
As for solutions, best you can really do is put up an automated recording apologizing and advising that you're not the scammers, and encourage them to file complaints with their own providers and LEA/regulatory agencies (PSC, FCC, etc.)
I suggest you contact the FBI and work with them. Why? Obviously the criminals are asking for banking information, and I can't imagine this being used for anything other than nefarious purposes. The FBI can sting them and locate the relevant bank accounts and freeze the money (in other words, give the scammers a kick in the balls). If you both get lucky, the FBI will actually catch the criminals and jail them.
All those moments will be lost in time, like tears in rain... time... to... die...
Looking at the US today, how can providing an incorrect call back number not lead immediatly to an FBI investigation?
Sure the general police don't really care because they don't understand this, but this is "interfereing with the operation of computer network" (yes the phone system does count as a computer network) and the phone network is a vital civil infrastructure. We know from past things interfering with a computer network, even a small scale private one, can actually lead to very serious charges. The phone networks is much more important (than some universities database accesses).
In the same fashion that ISPs should be using Source Path Verification, TelCos shouldn't be allowing their its users to change (or cause) their Caller ID to something that's not their phone number. Petition the government to force ISPs and TelCos to clean up their act.
Buck Feta. You know what to do.
I contacted Senator Warner's office about this, and frankly was blown off. That being said, I think we need a -law- that requires the Telcos to work out how to make Caller ID unforgeable. I've been challenged to 'show the RFCs and related standards that would support this,' but since the industry has shown no interest in solving the technical problems, I reluctantly believe that it'll take legal action (either law, regulation or legal liability) to force the issue.
On a related note, I also asked about the impact of all those CallerID violations I've filed over the years, and got no response back from that. In both cases, I was forwarded a letter from the FCC that basically quoted from their website.
What's a phone, Mommy?
It should have been a lawyer demanding the resolve it immediately or they are liable for fraud. They know it's illegitimate but until slapped with a lawsuit they don't give a rats ass.
Level3 is one of the shadiest ones, they do nothing until a lawsuit is threatened.
Do not look at laser with remaining good eye.
In the past I have had to deal with L3 on some similar nonsensical "our abusive users are not our problem" crap. As you have already observed, they have a well refined hearing problem. First, decide how much the per call impact is to your business in your opinion. Estimate the number of calls per day and multiply by the per call rate and then by the number of days to come up with a daily and sum "rate of damages". Then have a lawyer letter drafted and sent to their legal department and make sure the letter shows that you also sent a copy of the draft to the FCC Attn: Fraud & Abuse at 445 12th Street SW, Washington, DC 20554.
In about the time it takes you to go to lunch, the problem will subside. At L3, FCC copied abuse resolution rolls down hill, pretty fast.
The same reason they don't go after people that fake the e-mail headers to be referring to legitimate domains, including the USPS and their own (fbi.gov) I get on a regular basis. There is no profit for them to investigate and it only affects small business and individuals.
Custom electronics and digital signage for your business: www.evcircuits.com
You can't really do much of anything. The calling party number can be set to whatever the caller wants - the only technical controls to prevent this would be for ALL carriers to enforce some sort of whitelist, which they don't do.
VoIP makes this problem much worse as it is trivial to buy/steal a new "SIP trunk" account. Since the traffic is IP the source of the traffic can easily be obscured behind a VPN provider or compromised system. Even if you get Level3 to suspend the account they will likely have a new one spun up in minutes. Even if you get Level3 to divulge the identity of the perpetrator, it is likely fake. Even if you managed to trace it back to the source, they are likely operating out of a country without any useful/enforceable laws. These folks are professional scam artists, they know how to get away with this.
Since Level3 operates most of SIP media gateways in the US, it is not surprising that this is the source of the fraud. Many / most SIP trunk providers just contract with them to provide the actual service.
I would suggest putting a greeting message on your toll free number explaining the situation, that should help to filter out much of the impact to your actual business. Perhaps just make it the first option off of the menu tree. Depending who calls this toll free number you may be able to only play this message for numbers that have never called before or for numbers in/not in a particular area code.
Given that toll free numbers are cheap, buy another one and point it to the same destination. On everything new publish the new number, that way in a year when folks google the toll free number they don't get a bunch of scam reports.
Also the damage to your business is likely minimal, short of driving up your phone bill and wasting folks time.
As for suing Level3, the scammer will likely move onto something new well before that yields anything useful.
The Truth in Caller ID Act of 2009 might also be interesting reading, but getting it enforced it likely impossible.
Good luck, and sorry the PSTN sucks...
While the Rambo style vigilante response option sounds good on the surface (and don't get me wrong, my natural response would be along these lines if it were not for the legal implications) the problem is that when you do this, you are now violating the same regulations as they are and you are arguably by definition "retaliating" which stacks even more regulatory violations on your illegal response. They have a bus full of overpaid lawyers ready to swoop on you if you "attack" them. For this reason I strongly recommend against this type of response even though the BOFH in me would very much like to employ it.
Yes, because making new marketing materials, distributing updated business cards and getting everyone involved to stop using the old number and separate the old number from the company is *such* an easy task and can happen overnight!
The phone number of a presumably reputable business that parties would likely recognize for their Caller ID number is a social engineering trick to get around one of the roadblocks and make people subconsciously overcome one of their answers to why this is a scam. Any act at this point is damaging the brand of the business, whether they capitulate and change their number, or whether the scamming entity continues to portray themselves as the company in question.
Let's change this a little bit and put a name to these calls... What if instead of "unnamed company", it was "Google" that had someone using their corporate phone number to do these calls? What about "Amazon", or "Microsoft", or "Apple", or "Cisco", or the "FBI"? Would your opinion about "just change your phone number" be the same?
Thirty four characters live here.
You are looking at it all wrong, those people that are calling you are all potential customers of your business. Offer to them something they are looking for: satisfaction. They are calling you to complain. Sell them something, like a way to kick ass of somebody, who you can present as the guy that placed that call they are complaining about. I am sure many would give you their money for some type of a moral satisfaction. Learn to sell, life gives you a lemon, make lemonade.
You can't handle the truth.
bring out the guns. Interim injunction with two options: Level3 disables the number and the forwarding or they're shut down, end of. Second barrel: Level3 discloses the identity of the subscriber. Third barrel: arrest warrant on the subscriber for wire fraud (in some jurisdictions this is an offence one step down from mail robbery).
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Traditional land lines have the caller ID information generated at the phone company's central office, based on who is paying the bill for the circuit.
Unless you're planning on hacking into their computers - it's not really changeable.
The problem lies with all the VoIP based phone systems out there. These days, there are probably more phone lines using VoIP than traditional copper lines.
The VoIP systems don't even have a way to tell emergency 911 operators what your correct address is. You're expected to provide the right one to go with the number you receive (often with the ability to do that yourself with a self-service web based control panel). So yes, the caller ID information is also controlled by the VoIP server -- and anyone running their own can do as they please with it.
Regulators don't give a fuck. No one does. I've been getting robodialers to my cell phone endlessly. They all come out of blocks of phone numbers provided by one datacenter (they own blocks around the country). They won't do anything. The regulatory bodies in states the numbers call from won't do anything. FCC won't do anything. FTC won't do anything. I've contacted my state AG. I've contacted my senators and congressmen.
No one gives a flying shit about this kind of thing. It is infuriating.
Unfortunately it's fairly trivial to make the caller ID say just about whatever you want--especially if you are running your own system. There's no form of reverse lookup verification to check if a call is really coming from where it says it's coming from. There are some legit uses for this (eg our office setup always shows the main switchboard as he called ID even if people are calling from a specific line) but it's all to easy to abuse if someone is intent on doing so.
>Hehe, so in this case a Slashdotter thinks you should be able to get details without a court order, but when the RIAA or MPAA wants details its a completely different situation...
Yes. Most Slashdotters recognize that the penalties for noncommercial copyright violation are ridiculously disproportional to the crime and have limited economic impact, and might support something small (like a $50 ticket that doesn't leave anyone with a criminal record or entry in any system) but will generally side with pirates against content-creators when you are looking at $10,000 per title, criminal penalties, dealing with the legal system, or really anything more than a slap on the wrist.
On the other hand, when someone is responsible for crimes that are much more universally recognized as deserving of criminalization, and as an actual pain in the ass, they are much more willing to support substantial actions against that person--and more, to preserve the reputation and business of the people being significantly harmed.
Exactly. Spammers (and scammers) will continue to do what they do until they start dying for doing it.
Contact the local police and/or the FBI, advise them that you have evidence of an identity theft ring, and provide them the information you have. They will open a case. Get the case number.
Instruct your call center that, when people call and complain, that there is a known fraudster who is spoofing caller ID records, and provide them the case number and the phone number to whoever is assigned the case.
The people who are calling you are understandably angry. Help them focus that anger on the right place by a.) acknowledging they have a reasonable complaint, b.) acknowledging you're aware of the issue, and c.) having them direct their complaint to someone who can actually help resolve it.
You can obtain the identity of this party with a subpoena. It is not difficult to obtain one.
You do realize that the phone number that you think you have for the scammer is also likely spoofed? These guys are probably sitting in India or Kenya.
You missed the bit about "Nuke from high orbit, just to be sure!"
Sent from my ASR33 using ASCII
I've got a better solution for both of you...
Put an automated message that says the following...
"If you are calling about a recent scam involving our number, please call Level 3 at..." and give the phone number to Level 3's complaint office. If they don't have a complaint office then simply give the main number. Better yet if you can, forward the call to them via a menu system. Let them deal with the fallout. Maybe they will take the hint.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
It might be wise to release a press statement warning of the scam in your points 1 and 2 and state that they are "cooperating" with regulators and authorities to catch the scammers.
I put cooperate in quotes because trechnically it is true as long as it is reported to them whether they act or not.
But it seems that one of the ways this works is the legitimate number being used to trick people. Well, if the news runs a story about it, that element goes away.
When someone calls your 1-800 number, you pay someone. That someone gives a cut of it to other parties. One of those parties may have picked your number for a reason. This can work in a way that is similar to the "False Answer Signalling" fraud that was so common years ago .
Put a comment on your website mentioning that someone out there is using your company's name and number for callbacks, and tell your customers to be aware of this issue.
You can't be liable for their gullibility, any more than you can for the actual actions of the Nigerian scammers (or whoever they are).
An Ancient Greek said "If people speak ill of thee, act so that no-one will believe them". I'd say that's still valid.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Completely untrue.
You've just misunderstood whose interests the regulators are there to protect.
Ignore nickel and dime lawyers who talk to you about "writing letters". That will accomplish nothing (except making a few bucks for useless, couch potato lawyers).
You have already been damaged so you have a tort. You should be suing immediately. Note that you do not actually need a lawyer to sue, just the cooperation of the executive officer of your company. Get a paralegal (or anybody with a brain) to find a lawsuit template and file a John Doe lawsuit with the local county court (you can always file a federal lawsuit later, if needed). Also, even if your original lawsuit is incompetently written, it does not matter, because you can emend it later.
The advantage of filing the lawsuit is that you can get subpoenas (and even bench warrants) from the court once your lawsuit exists. This is what you need to solve the problem. Your first subpoena is easy: demand the name of the John Doe who is screwing you from L3. Telcos have very efficient systems for dealing with such subpoenas. Some even have web forms you can use to request the info.
You should also issue a subpoena designed to find out if L3 knew of, or in any way assisted, the criminal activities of the defendant. If you can prove they assisted in the tort, you can add them to the lawsuit. as defendants, which would be good, because they probably have a lot more money than the perps.
Trust me, the way to get action in a situation like this is to get your butt to the county court pronto and start legal action. Most people have an irrational free of court houses, which is foolish and exactly why lawyers can prey on them. When you start acting like a lion instead of one of the lambs, trust me, you will get results FAST.
Clever in it's simplicity, yet fiendish in offloading the headache and punishing someone else. Hopefully, that someone is at least partly responsible.
How do you know where the number originated? Assigned numbers are meaningless. By buying a trunk line for your call center you can modify the CID for anything you like. This is often the case for providing a CID of your 800 DID line. Simply entering someone else's number is how this fraud originates. The fake number does not identify the caller. IF you take the call directly from a scammer, and the SIP call is completed, the SIP log can show the IP of both ends of the call if it is not routed through a proxy.
I am not sure how Level 3 was identified as the SIP provider for the scammer account. Unless a called customer captured the IP of the caller with a SIP to SIP call, the IP is lost once it is filtered by calling into the local exchange.
This is an ask Slashdot without a link to real data on the source of the scam calls. A Trunk line for outbound calls does not have a phone number association. Only the incoming DID line is associated with a phone number.
Try it your self. Find a commercial SIP provider and ask about DID and Trunk lines. DID lines have a number to be called, often an 800 number. The Trunk lines are not incoming lines and do not have a number and can't take incoming calls. The caller ID is set by the CUSTOMER to display the company info and switchboard, PBX, or 800 number on the CID. This is settable by the CUSTOMER. which is how this fraud is created.
The best defense is to place the entire scam summary on the front page of the corporate website to explain the situation, and have the auto attendant inform the customers of the scam and ask them to review the website. You are the victim of a Joe Job. A link to the Wikipedia article of Joe Job will help.
http://en.wikipedia.org/wiki/Joe_job
Level 3 is a large company and should have a dedcated fraud department that deals with this type of issue. Did you talk to them directly? If not I would contact them and place your complaint.
I've got a better solution for both of you...
Put an automated message that says the following...
"If you are calling about a recent scam involving our number, please call Level 3 at..." and give the phone number to Level 3's complaint office. If they don't have a complaint office then simply give the main number. Better yet if you can, forward the call to them via a menu system. Let them deal with the fallout. Maybe they will take the hint.
I suggest the sales department phone number. Those seem to be able to accomplish things with screeching to management and IT.
It might be wise to release a press statement warning of the scam in your points 1 and 2 and state that they are "cooperating" with regulators and authorities to catch the scammers.
I put cooperate in quotes because trechnically it is true as long as it is reported to them whether they act or not.
But it seems that one of the ways this works is the legitimate number being used to trick people. Well, if the news runs a story about it, that element goes away.
This could actually work in your favour, as the resulting news coverage could increase your legitimate business, and put pressure on the enablers upstream to do something about it.
It's a place where people used to go to borrow printed versions of websites, honey.
Get free satoshi (Bitcoin) and Dogecoins
Because with a BRI circuit - you can pump any CLID down the line that you want. Hell, that isn't even necessary. I know a few years ago a simple PERL script made the rounds and a MagicJack could be used for the nefarious spoofing.
You have to approach it from the right angle. Tell them it interferes with emergency communications and they'll be all over it like white on rice.
Tim,
You say these calls are being forwarded to your call center. Help me clarify how this behaving,
A) Company XYZ (Scammer)
Buys a trunk from Level 3 and sets the CID to your 1800?
Calls everyone in DC, and they call the number on their CID
B) Company XZY (Scammer)
Buys a trunk and from Level 3 and sets the CID to one of their own numbers
Calls everyone in DC, They receive a call and forwards the call over SIP to your IP Address and call center.
C) Company XYZ (Scammer)
Buys a trunk and from Level 3 and sets the CID to one of their own numbers
Calls everyone in DC, They receive a call and forwards call back out over their trunk to the PSTN (Public Switch Telephone Network) to one of your 1800s
D) Something else ?
A) - Legal action is required as it is a violation of FCC regulations. And I would report the issue to them and let the FCC handle them.
B) - Put in a firewall rule or VOIP rule based off the source IP Address sending you calls to either not accept them or to forward them to a honey pot or back off site to say Level 3s CEOs personal cell phone get creative.
C) - a bit more difficult depending on if they forward the callers CID info or their own CID info for the trunk. in either case you can contact your LEC and ask them to block traffic intended for your 1800 number from that call trunk (this can be done regardless of CID) but you will need to get fairly high up the engineer Ladder to a good Central Office Engineer
Not true. I had a problem with my phone line in the '90s. I sent a letter to the FCC and the phone company. The phone company, who had insisted the problem was "impossible" to fix had it fixed withing 48 hours of me putting the letter in the mailbox. They did so so that when the FCC contacted me, I could tell them that the problem had been fixed.
If they were as powerless and uninterested as you say, they wouldn't have reacted so fast.
Learn to love Alaska
How do you know where the number originated?
You can spoof CLID, but not ANI. If you could spoof ANI, then nobody would ever pay for calls, other than the one grandma everyone set their billing identity to.
This is settable by the CUSTOMER. which is how this fraud is created.
Which was by design. You can spoof the CLID all you want, but not the ANI. The idea is that anyone spoofing CLID for fraud would be caught. Instead, we get police much more interested in drug charges and other victimless crimes, and nobody investigating fraud, with identifiable victims.
But it's required so that when I get two trunks, one in-only and one out-only, I can set the 800 number as the CLID of the outbound trunk, so that if someone doesn't already know your DID, they'll call back the company main number. This is how most places that do sales and such like it. You call the "main" number, until you have a relationship with someone to call their DID. All the CLID-protection schemes that don't allow this behavior are rejected by carriers and corporates.
Level 3 should be thrown in jail for fraud and conspiracy to commit fraud.. They allowed numbers to be advertised that were provably not in their blocks of numbers.
Learn to love Alaska
And what a lovely greeting that will be for their customers who *meant* to call them...
And just who in their right mind allows random SIP traffic from the internet to reach their PBX? ABSOLUTELY FUCKING NO ONE! Page one, step one of toll-fraud: allow access only from authorized sources. So, if a SIP call is "completed", it came from your phone service provider.
If they're spoofing the caller-id, then you have NO WAY to know where it came from. Only a "trap and trace" can follow it back, hop by hop, to the origin -- one switch at a time, one provider at a time, all the way back to China (or where ever.) That's the basis for the hollywood phone trace, but in reality, it takes people combing through records to see what's going on. (unless it's crossing metered lines, in the US, it's almost a certainty no CDRs are being generated and/or recorded, and even then, only for the segment that's metered -- eg. your cellphone.)
Removal of fingers, ears, external genitalia, in approximately that order. Lots of unsubtle anal rape with a cattle prod. Come on guys - you've got professionals doing this stuff for your government. It's not rocket science (though you can use pyrotechnics, if you want to be showy). Just good old torture. And you need to communicate to the spammers to make sure that they know their children, siblings or parents are paying for their actions.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"