

Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?

An anonymous reader writes I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?
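The submitter noticed the flood only once complaints started arriving. The following is an added example (not part of the post or any reply) of the kind of check an IT team could run over its own PBX call records to spot a callback flood early: it groups inbound calls to the toll-free number by hour, counts how many come from numbers absent from the customer database, how many are short, and which area code dominates, and raises an alert when volume and unknown-caller share both jump above a baseline. The CDR field layout, the toll-free number, the customer list and every call record below are constructed placeholders.

```python
"""Detect a callback flood on a marketing toll-free number from PBX CDR data.

Added example; the CSV layout (timestamp, calling number, called number,
duration in seconds) is an assumption, adapt it to your PBX's CDR format.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDR records; all numbers are placeholders.
SAMPLE_CDR = """\
2014-10-14T09:05:12,4155550142,18005550100,240
2014-10-14T09:40:03,3125550177,18005550100,300
2014-10-14T14:01:10,2025550101,18005550100,35
2014-10-14T14:02:44,2025550102,18005550100,20
2014-10-14T14:03:09,7035550103,18005550100,41
2014-10-14T14:05:51,2025550104,18005550100,15
2014-10-14T14:07:30,3015550105,18005550100,52
2014-10-14T14:09:12,7035550106,18005550100,18
2014-10-14T14:11:47,2025550107,18005550100,27
2014-10-14T14:14:05,7035550108,18005550100,33
2014-10-14T14:16:58,2025550109,18005550100,22
2014-10-14T14:20:31,4155550142,18005550100,190
"""

TOLLFREE = "18005550100"                      # placeholder for the marketing number
KNOWN_CUSTOMERS = {"4155550142", "3125550177"}  # constructed stand-in for the customer DB
SHORT_CALL_SECONDS = 60                       # "who are you? I got a call from you" calls are short


def parse_cdr(text):
    """Parse the constructed CSV CDR format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dur = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dur": int(dur)})
    return records


def hourly_stats(records, tollfree, known_customers):
    """Per-hour counters for inbound calls to the toll-free number."""
    buckets = defaultdict(lambda: {"total": 0, "unknown": 0, "short": 0,
                                   "area_codes": Counter()})
    for r in records:
        if r["dst"] != tollfree:
            continue
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        b = buckets[hour]
        b["total"] += 1
        if r["src"] not in known_customers:
            b["unknown"] += 1
        if r["dur"] < SHORT_CALL_SECONDS:
            b["short"] += 1
        b["area_codes"][r["src"][:3]] += 1   # NANP area code is the first 3 digits
    return dict(buckets)


def flag_callback_flood(stats, baseline_per_hour, unknown_ratio=0.7, volume_factor=3.0):
    """Alert on hours where call volume is far above baseline and mostly from unknown numbers."""
    alerts = []
    for hour, b in sorted(stats.items()):
        share_unknown = b["unknown"] / b["total"]
        top_area, top_count = b["area_codes"].most_common(1)[0]
        if b["total"] >= volume_factor * baseline_per_hour and share_unknown >= unknown_ratio:
            alerts.append({
                "hour": hour.isoformat(),
                "calls": b["total"],
                "unknown_ratio": round(share_unknown, 2),
                "short_calls": b["short"],
                "top_area_code": top_area,
                "top_area_share": round(top_count / b["total"], 2),
            })
    return alerts


if __name__ == "__main__":
    stats = hourly_stats(parse_cdr(SAMPLE_CDR), TOLLFREE, KNOWN_CUSTOMERS)
    for alert in flag_callback_flood(stats, baseline_per_hour=2):
        print(alert)
```

The area-code concentration is the useful clue for the carrier conversation: a flood of short calls from unknown numbers clustered in one metro area is what an auto-dialer spoofing your number looks like from the inside, and the per-hour counts double as the damage estimate a lawyer letter would need.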

14 of 159 comments

  1. This is a legal matter. by FireballX301 · · Score: 4, Interesting

    Refer to L3's legal department, threaten to file suit against them if they won't give up the identity of the sub-carrier's customer. They will cough it up immediately, or you will get a nice payout for civil fraud.

    1. Re:This is a legal matter. by CaptainDork · · Score: 5, Informative

      I work for a law firm and this will not work.

      Threats are a dime-a-dozen and no one takes them seriously.

      What works is to get an actual lawyer to compose an email that actually originates from the law firm and/or send snail mail, on law firm letterhead, explaining why the scammer is suspect and asking for clarification.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:This is a legal matter. by Minupla · · Score: 4, Insightful

      Yep, a call to my corporate legal dept would be my first move in this situation. It's amazing how many situations got deescalated when we got the other party on the phone with my legal dept on the line.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    3. Re:This is a legal matter. by Richard_at_work · · Score: 3

      Hehe, so in this case a Slashdotter thinks you should be able to get details without a court order, but when the RIAA or MPAA wants details it's a completely different situation...

  2. Sue Them or Give Up by Schezar · · Score: 3, Insightful

    There is no technological solution. (The phone system as a whole is just so old).

    There is no human solution. (The other company will not bother).

    You have three options.

    1. Wait until it stops and ignore it
    2. Change your phone number
    3. Sue Level 3 for damages (and file a police report)

    In my professional (but not legal: I am not a lawyer) opinion, there is no way to resolve this sort of problem other than suing the closest legitimate business that links you to the perpetrators. Whoever is furthest downstream to the bad guys is your only target, and suing them is probably the only option. Maybe just to get a C&D, maybe punitively just in hopes of getting them to clean up their act. A police report on its own will have zero effect: the police just don't care about IT crimes on this scale.

    Sue them, and as part of it file a police report. Don't even bother with any other options at this point: they are not likely to work.

    (Again, not a lawyer, just an IT professional).

    --
    GeekNights!
    Late Night Radio for Geeks!
    1. Re:Sue Them or Give Up by sunderland56 · · Score: 4, Funny

      There is no human solution.

      Of course there's a human solution. My cousin Tony, from over there in East Jersey, he'll fix your problem right up with one visit. Your business, hey, it just needs a little protection.

    2. Re:Sue Them or Give Up by gstoddart · · Score: 3, Interesting

      There is no technological solution. (The phone system as a whole is just so old).

      There is no human solution. (The other company will not bother).

      And, as far as I can tell, there isn't really much of a legal solution either.

      See, the large companies who need to do callouts who got themselves some exemptions in the laws? They need to be sure that the people who call on their behalf show with their caller ID.

      So the "legitimate" companies need to be able to spoof their caller ID, and they don't want it to be illegal to spoof your caller ID.

      They, unfortunately, use the same kind of overseas call centers as are used in these scams. In some cases, I suspect the exact same call centers.

      So, the root cause issue here is that the big players pushed for exemptions in the law, to be sure they could have whatever call center they need call out as if it was from a given number. In effect, they legalized spoofing caller ID.

      That the shady players take advantage of that, and usually call from overseas locations where you'll never get the law to do anything ... well, that's the problem. But, this was predictable.

      I have my cordless phone set to drop any call which is Unknown or Private, I pretty much won't answer calls from 800 numbers, and I won't answer calls from numbers I don't recognize ... because they've made call display so useless as to be something you can't trust.

      I believe if it was made illegal to spoof caller ID, this could be stopped. But, the big players don't want it illegal to spoof caller ID, and they paid a lot of money for lobbyists to give them an exemption.

      Unfortunately, this same exemption now exists for the people running scams.

      Surprise!!

      Every exemption in the Do Not Call list pretty much made the legislation toothless and useless. And this is, quite logically, the expected outcome.

      Once again, the exceptionalism by businesses means the laws surrounding this are pretty much useless.

      --
      Lost at C:>. Found at C.
  3. Re:Level3? by Anonymous Coward · · Score: 5, Insightful

    Time to file complaints with Regulatory Bodies.

    It's the phone provider's responsibility to ensure that the caller ID presented by numbers in their "pool" send valid information. You've notified Level3, so that's about all you can do to actually solve the problem. But getting a complaint filed will make it more likely to "light a fire" under Level 3 to block the offending sub-provider until they get their act cleaned up.

    Luckily for you this is an in-country operation... when it's an offshore provider doing it you're pretty much out of luck.

    As for solutions, best you can really do is put up an automated recording apologizing and advising that you're not the scammers, and encourage them to file complaints with their own providers and LEA/regulatory agencies (PSC, FCC, etc.)

  4. Contact the FBI by skaag · · Score: 5, Insightful

    I suggest you contact the FBI and work with them. Why? Obviously the criminals are asking for banking information, and I can't imagine this being used for anything other than nefarious purposes. The FBI can sting them and locate the relevant bank accounts and freeze the money (in other words, give the scammers a kick in the balls). If you both get lucky, the FBI will actually catch the criminals and jail them.

    --

    All those moments will be lost in time, like tears in rain... time... to... die...

  5. High dollar litigation with the FCC is effective by almondo · · Score: 5, Informative

    In the past I have had to deal with L3 on some similar nonsensical "our abusive users are not our problem" crap. As you have already observed, they have a well-refined hearing problem. First, decide how much the per-call impact is to your business in your opinion. Estimate the number of calls per day and multiply by the per-call rate and then by the number of days to come up with a daily and sum "rate of damages". Then have a lawyer letter drafted and sent to their legal department and make sure the letter shows that you also sent a copy of the draft to the FCC Attn: Fraud & Abuse at 445 12th Street SW, Washington, DC 20554.

    In about the time it takes you to go to lunch, the problem will subside. At L3, FCC copied abuse resolution rolls down hill, pretty fast.

  6. Re:Legitimate Marketing Traffic by tysonedwards · · Score: 3, Informative

    Yes, because making new marketing materials, distributing updated business cards and getting everyone involved to stop using the old number and separate the old number from the company is *such* an easy task and can happen overnight!

    The phone number of a presumably reputable business that parties would likely recognize for their Caller ID number is a social engineering trick to get around one of the roadblocks and make people subconsciously overcome one of their answers to why this is a scam. Any act at this point is damaging the brand of the business, whether they capitulate and change their number, or whether the scamming entity continues to portray themselves as the company in question.

    Let's change this a little bit and put a name to these calls... What if instead of "unnamed company", it was "Google" that had someone using their corporate phone number to do these calls? What about "Amazon", or "Microsoft", or "Apple", or "Cisco", or the "FBI"? Would your opinion about "just change your phone number" be the same?

    --
    Thirty four characters live here.
  7. Re:Caller ID spoofing by Todd+Knarr · · Score: 4, Informative

    The problem is that there's a lot of legitimate reasons to "forge" the caller ID information. Many companies use a group of lines for outbound calls; any outbound call simply grabs the next available outbound line and uses it for the call. You don't want people calling in to those numbers though, there's no way for anyone to pick up a call on them since they don't go to an actual phone, so you set the caller ID to the correct inbound number for people to call (e.g. the company's main number, or the main sales number (that gets distributed to the next available sales agent) or whatever number matches the type of outbound call) so callbacks go to the right place. And no, the obvious solution won't work since the correct inbound number may not be with the same provider as the outbound line, so you can't check whether the caller ID number's owned by the same entity that owns the line in use.

  8. Not Copyright by Etherwalk · · Score: 5, Insightful

    >Hehe, so in this case a Slashdotter thinks you should be able to get details without a court order, but when the RIAA or MPAA wants details it's a completely different situation...

    Yes. Most Slashdotters recognize that the penalties for noncommercial copyright violation are ridiculously disproportional to the crime and have limited economic impact, and might support something small (like a $50 ticket that doesn't leave anyone with a criminal record or entry in any system) but will generally side with pirates against content-creators when you are looking at $10,000 per title, criminal penalties, dealing with the legal system, or really anything more than a slap on the wrist.

    On the other hand, when someone is responsible for crimes that are much more universally recognized as deserving of criminalization, and as an actual pain in the ass, they are much more willing to support substantial actions against that person--and more, to preserve the reputation and business of the people being significantly harmed.

  9. Re:Level3? by penix1 · · Score: 5, Insightful

    I've got a better solution for both of you...

    Put an automated message that says the following...

    "If you are calling about a recent scam involving our number, please call Level 3 at..." and give the phone number to Level 3's complaint office. If they don't have a complaint office then simply give the main number. Better yet if you can, forward the call to them via a menu system. Let them deal with the fallout. Maybe they will take the hint.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
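The automated-message approach suggested by the Anonymous Coward above and by penix1 (play a notice, give victims somewhere else to complain, and keep real sales callers flowing) can be built on any PBX. The following is an added example of an Asterisk dialplan for it; it is not code from penix1 or from the original post. The toll-free number, the carrier complaint line, the trunk name "pstn-trunk", the queue "sales-queue" and the sound prompts under custom/ are all placeholders or assumptions you would replace with your own.

```ini
; Added example: front the flooded toll-free number with a short menu so that
; victims of the spoofed calls are told the call did not come from you and are
; pointed at the carrier, while real sales callers still reach the sales queue.
; All numbers are placeholders; prompts under custom/ must be recorded by you.

[tollfree-inbound]
exten => 18005550100,1,NoOp(Inbound on marketing toll-free number)
 same => n,Answer()
 same => n,Set(TIMEOUT(digit)=3)
 same => n,Set(TIMEOUT(response)=8)
 ; custom/scam-notice: "If you received a call offering prizes and asking for
 ; bank details, that call did not come from us and our number was forged.
 ; Press 1 to report it. Press 2 or stay on the line for sales."
 same => n,Background(custom/scam-notice)
 same => n,WaitExten()

; Caller is a victim of the spoofed calls: tag the CDR so these calls can be
; counted for the carrier/FCC complaint, then hand them to the carrier's line.
exten => 1,1,NoOp(Caller reporting the spoofed call)
 same => n,Set(CDR(userfield)=spoof-callback)
 same => n,Playback(custom/scam-report-instructions)
 same => n,Dial(PJSIP/18005550199@pstn-trunk,30)   ; placeholder: carrier complaint number
 same => n,Hangup()

; Real sales traffic keeps its normal path.
exten => 2,1,Goto(sales,s,1)

; No digit pressed: treat as an ordinary caller rather than dropping them.
exten => t,1,Goto(sales,s,1)

; Bad digit: replay the menu once.
exten => i,1,Playback(invalid)
 same => n,Goto(tollfree-inbound,18005550100,1)

[sales]
; Assumes a queue named sales-queue defined in queues.conf.
exten => s,1,Queue(sales-queue)
 same => n,Hangup()
```

Tagging the CDR userfield is the part worth keeping even if you never forward anyone: it turns the flood into a count you can put in the damages estimate and the regulatory complaint, instead of an impression that "the phones have been busy".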