Slashdot Mirror


86.2 Million Phone Scam Calls Delivered Each Month In the US

An anonymous reader writes with a report from Help Net Security which assigns some numbers to the lucrative fraud-by-phone business in the U.S. -- and it's not just the most naive who are vulnerable. "Phone fraud continues to threaten enterprises across industries and borders, with the leading financial institutions' call centers exposed to more than $9 million to potential fraud each year," says the article. "Pindrop analyzed several million calls for threats, and found a 30 percent rise in enterprise attacks and more than 86.2 million attacks per month on U.S. consumers. Credit card issuers receive the highest rate of fraud attempts, with one in every 900 calls being fraudulent."

What's been your experience with fraudulent robocalls? I've been getting them on a near-daily basis -- fake credit card alerts, "computer support" malware-install attempts, and more -- for a few years now, which makes whitelisting seem attractive. ("Bridget from account services" has been robo-calling a lot lately, and each time she says it is my final notice.) My biggest worry is that the people behind these scams, like spammers, will hire copywriters who can fool many more people.

24 of 193 comments

  1. Best "nice try" was the guy in India... by jpellino · · Score: 2

    telling my mom that he needed to use logmein to help her, and if she hung up, disconnected or closed the computer that the Russian hackers were already in there and would destroy her computer.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  2. asterisk, if you are up for it. by lophophore · · Score: 4, Informative

    If you have the patience to set it up, and keep it running, Asterisk can help you.

    I use it at home to throttle phone spam.

    all toll-free go to an auto-attendant that is a robot-check.
    all "number unavailable" goes to another robot-check.
    obvious fake phone numbers go to the blacklist auto-attendant, an infinite loop, basically.
    known phone spammers go to the blacklist auto-attendant
    it's easy to add a number to the blacklist.

    On a typical day, 3 to 5 calls get gobbled up by asterisk. The phone rings once, the caller id is read, and the caller is sent away. It is *wonderful*.

    She who must be complied with does not want to go to what I consider the ultimate solution, the white list for immediate pass-through, and a robot check for all other calls.

    The spam callers that do get through are verbally abused before their number is added to the blacklist.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
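The routing policy described in the comment above, sketched as an added example; it is not part of the original comment and not lophophore's Asterisk configuration. The treatment names, the strings treated as "unavailable", and the "obviously fake" heuristics (North American numbering rules) are assumptions, and the sample numbers are constructed.

```python
import re

# Treatments named after the comment's description (names are assumptions).
RING, ROBOT_CHECK, BLACKLIST = "ring", "robot-check", "blacklist-attendant"

TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
# Caller-ID text commonly shown when no number is delivered (assumed list).
UNAVAILABLE = {"", "unavailable", "unknown", "anonymous", "private", "restricted"}


def normalize(caller_id):
    """Return the digits of a caller ID, or None if no number was delivered."""
    if caller_id is None or caller_id.strip().lower() in UNAVAILABLE:
        return None
    digits = re.sub(r"\D", "", caller_id)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]          # drop the NANP country code
    return digits or None            # name-only caller ID counts as unavailable


def obviously_fake(digits):
    """Heuristics for numbers that cannot be valid 10-digit NANP numbers."""
    if len(digits) != 10:
        return True
    area, exchange = digits[:3], digits[3:6]
    if area[0] in "01" or exchange[0] in "01":
        return True                  # area code and exchange start with 2-9
    if area[1:] == "11":
        return True                  # N11 codes (411, 911, ...) are not area codes
    return len(set(digits)) == 1     # e.g. 222-222-2222


def route_call(caller_id, blacklist=(), whitelist=(), strict=False):
    """Pick a treatment for an incoming call from its caller ID alone.

    strict=True models the whitelist-only variant the comment mentions:
    whitelisted numbers ring, everything else not already blacklisted
    gets the robot check.
    """
    digits = normalize(caller_id)
    if digits is None:
        return ROBOT_CHECK           # "number unavailable"
    if digits in {normalize(n) for n in whitelist}:
        return RING
    if digits in {normalize(n) for n in blacklist} or obviously_fake(digits):
        return BLACKLIST             # known spammers and impossible numbers
    if digits[:3] in TOLL_FREE or strict:
        return ROBOT_CHECK
    return RING


if __name__ == "__main__":
    known_spammers = {"202-555-0143"}          # constructed sample entry
    for cid in ["(800) 555-0100", "Unavailable", "000-000-0000",
                "1-202-555-0143", "703-555-0199"]:
        print(f"{cid!r:>20} -> {route_call(cid, blacklist=known_spammers)}")
```

Caller ID can be forged, so this only sorts calls by what the caller claims; the robot check is what actually tests the caller.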
    1. Re:asterisk, if you are up for it. by Anonymous Coward · · Score: 4, Informative

      It borders on irresponsibility to recommend Asterisk to anyone who just wants to filter spam calls and be done with it. Asterisk is a dangerous weapon with which you can very easily shoot yourself in the foot. There are some rookie mistakes that allow anyone to use your VoIP account to call any number in the world, at horrendous costs to you. Unfortunately some of these rookie mistakes are perpetuated in Asterisk tutorials on the web, so even people who don't just blindly set it up with the sample configuration and tweak it from there are likely to end up with a many-digit phone bill eventually. At the very least only use accounts with Asterisk for which you can set a hard spending limit.

    2. Re:asterisk, if you are up for it. by lophophore · · Score: 2

      I'm using a Sipura SPA3000, which is now unobtainium, to gateway my POTS line from the telco into asterisk. The Digium stuff works better, but it is too expensive. My Digium card got blown up by lightning, so I switched to the Sipura. I think there are similar devices available now.

      I'm using ebay-ed Cisco IP phones in the house, they are a pain to set up, but I have not found anything that works better.

      --
      there are 3 kinds of people:
      * those who can count
      * those who can't
  3. Know who to blame? by gstoddart · · Score: 5, Insightful

    Want to know who to blame for this crap? The corporations who pushed to be able to spoof their caller ID -- so they could call us from foreign call centers.

    I'm sure the technology exists or could be added to the phone system to basically say "if your caller ID is faked, we're not even accepting this".

    I've started seeing the fake caller ID get to the point that it has the same area code and exchange as my own number ... once I apparently even called myself.

    Essentially incoming calls have to all be treated as fraudulent, because they've been just created by a computer to conceal where it's actually coming from.

    It has gotten to the point where if I don't know the number by sight, and then the person's voice, I pretty much tell all callers to piss off and go away.

    Sometimes the legitimate callers get all butt hurt, but I simply don't care ... because 95% or more of incoming calls on my phone are 100% fraudulent, and involve some clown in an overseas call center trying to scam me.

    And the problem is that it is probably the same exact call center that legitimate companies use, or one which has decided scamming is more lucrative than tech support.

    But between the Microsoft Service Provider, the people who want to clean my ducts, the automated call telling me I've won a free cruise, the automated call telling me I need to respond about lowering my credit card rate ... incoming callers find a hostile person who assumes they're lying to me.

    Sometimes I yell at them, sometimes I mess with them, but most of the time I just hang up immediately or leave it to the answering machine.

    It's literally not possible to trust incoming phone calls. So why bother even answering them?

    --
    Lost at C:>. Found at C.
    1. Re:Know who to blame? by JonahsDad · · Score: 4, Funny

      I've started seeing the fake caller ID get to the point that it has the same area code and exchange as my own number ... once I apparently even called myself.

      Are you sure the call wasn't coming from inside your house?

    2. Re:Know who to blame? by The+Cisco+Kid · · Score: 2

      The issue is, if you're a big company with 50 phone lines, you want your "main" number to appear regardless of which line you call on.

      If you're a small phone(VoIP/etc) company, that uses wholesale services from multiple providers, if your customer places a call and it is handled by one provider, but their number might be provided by a different provider. The providers have to let you specify what their CID is, for it to NOT be a false CID. And they have to trust you to set it appropriately.

      And yes, callerID is not and will not be 100% trustworthy. Consider it an "advisory" only.

    3. Re:Know who to blame? by Xest · · Score: 2

      I don't know about the US, but it's similarly a sham in the UK.

      I have two phone lines, the second always got spam calls, it was obviously a line some idiot had plastered everywhere and then given up only for BT to re-assign it to me, luckily I only have that line for my secondary internet connection so there's no phone on it anymore anyway.

      But when I initially did have a phone, I asked BT how they intended to resolve the issue given that it was receiving junk calls through no fault of my own. The short answer is, they refused to unless I pay them money - fat chance given that it wasn't a problem I caused. The long answer is that there are actually two types of withheld number - there's a number withheld within the UK, which BT can see, but doesn't get passed to me, the owner of the line, there's a withheld number of foreign origin - they can tell where the call comes from, but not the original number. Both these types of blocked numbers can be differentiated at the customer's end point. I asked therefore, if they could simply block all calls from India, because I frankly have no interest in talking to anyone from there, and was told I could only block all international calls, or none at all, and as much as I'd like to prevent my mother in law from Canada ever calling, that wasn't an option because the other half would have something to say about that. Oh, and I'd have to pay them for the privilege, again, bearing in mind this was a problem of their making, not mine.

      I similarly asked whether any of the withheld number calls I listed as unsolicited were from the UK and was told that they were, I asked what the numbers were but was told for data protection reasons they couldn't give me them, this was troubling for two reasons. Firstly, companies aren't protected by the data protection act and these were commercial calls, and secondly companies have a legal obligation to make their contact number available now.

      But there was a common theme throughout the discussions - they couldn't do anything, unless I pay them more, whether a few pounds a month to block at their end, or about £130 for their fancy new BT phone that can magically block these things.

      So it seemed perfectly clear that at least here in the UK, BT has everything it needs to help solve the problem, it could tell you details of companies calling you using hidden numbers if it wanted, and it could detect and block calls from certain countries if it wanted. Similarly, it could use market-led approaches to the problem, it could charge penalty costs to route calls from problem countries. India would soon get its criminal call centre industry in line, if its legitimate call centre industry was put at commercial risk.

      But as it stands, it's just too easy for them to make money from making sure the problem remains a problem, they're making a fortune charging people for simple features that should be part of the already astoundingly high £17 a month line rental, and there's too much profit in charging for phones with built in filtering functionality such as whitelists.

      So yes, solutions are already either widely available, or technically or even commercially trivial to implement. What's missing is the will for telcos to solve the problem when they're allowed to share the profit for it. This is unfortunately I suspect something that will not change without legislation.

    4. Re:Know who to blame? by ebh · · Score: 3, Funny

      Fronters may get lunch, but they don't get coffee. Coffee is for closers only.

    5. Re:Know who to blame? by swb · · Score: 3, Insightful

      Dude, you are clueless on multiple levels. First, "spoofing" caller ID is normal - the ability to tell the phone company (this is a *high* level overview) what your number is when making outbound calls when using a non-POTS line. Due to the way the phone network works this can't easily be changed. And companies have done this for decades, it's not something new. Big multi-line companies typically want outbound calls to come from a single switchboard number.

      I think there's two kinds of "spoofing" -- legitimate spoofing, where you own the DID number that you send out outbound trunks (eg, main phone number, etc) and bullshit spoofing, where at best you're obfuscating the source of your calls (eg, some hired call center that sends their client's DID info as caller ID) or worse, deliberately sending false or nonsense caller ID information to hide and obscure your call origin.

      Telecoms providers could filter client outbound trunks and drop calls with bogus calling party information, where bogus is defined as something like "you don't control that DID and have no written permission to use it". The FCC could require telecoms providers to do this very thing.

      I'm sure it would be messy and complicated to get set up, but so many calls are handled by the major carriers (ATT, Verizon, CenturyLink, etc) that you have a natural choke point that limits the ability of rogue providers to hand off calls.

  4. Helpful Protip by Shoten · · Score: 2

    A large number of the people manning the phones for these boiler rooms have criminal records...most have done jail time. I've found that this provides me with no small amount of entertainment whenever these people come calling. Think of it as a combination of Jedi mind tricks and suddenly seeming to know more about them than they know about you. Sometimes it flops, but a lot of the time you can almost hear their eyes go wide on the other end of the line. Priceless. Even better, since the drones making the calls have no real ability to take people out of their database, you may end up recognizing the same people by their voice on subsequent calls...and this allows you to keep building on your past "conversations." Imagine a telemarketer dreading calling you :)

    --

    For your security, this post has been encrypted with ROT-13, twice.
  5. Verified CallerID would help by david.emery · · Score: 2

    I've advocated (including to my senator, Warner (D) of Virginia, a former telecom executive) that the FCC should require changes to make CallerID Verified. By this I mean that the Telco/switch has to verify the CallerID (e.g. using payment data?), and mark the CallerID information as either verified or suspect. This would not solve the problem, but would, I believe, help both consumers and Law Enforcement.

    As long as spammers can forge CallerID, we won't be able to depend on CallerID to screen calls, and DoNotCall registry violations will be much harder to enforce. "Brigitte from Credit Card Services" calls usually have a City/State CallerID value, rather than the name of an individual or organization. But I get some legitimate calls (e.g. my dog's oncologist) that also show up as City/State. (I know to answer calls from Vienna, VA - at least until the Spammers start forging local CallerID values...) My former employer removed its telephone number from the CallerID information, I know if I get a call from "732" (New Jersey area code) that it's most likely one of my former co-workers.

    But recently I've been getting Spam calls on my cell, usually (but not always) the CallerID says "unknown". Until this month, such calls were limited to the Land Line (and this is the single strongest argument for ditching the land line.)

  6. Re:I screen every call. by John_Sauter · · Score: 4, Interesting

    I have a simple but very effective screener for robo calls, built around the ObiHai 110. I connect the device between my incoming telephone line and my telephone. I then re-program it to send incoming calls to the Automatic Attendant, which I program to challenge the caller to press a key on his telephone keypad. If he doesn't he is a robo caller and doesn't get through. My phone doesn't even ring for robo calls.

    Someday the robo callers will become intelligent enough to press a key when challenged, but until then my defense is adequate.

  7. nomorobo.com by zerofoo · · Score: 5, Informative

    I'm going to keep posting this until everyone uses it. It's a free telephone filtering service. Just enable your simultaneous ring feature on your landline and nomorobo looks at every call that rings your phone. If the originating number is on their blocklist, they pick up the call.

    It's a fantastic service.

    Phone companies should embrace these filtering technologies. If it wasn't for nomorobo I would have gotten rid of my landline a long time ago.

    1. Re:nomorobo.com by LVSlushdat · · Score: 2

      YES!! A THOUSAND TIMES YES!! Nomorobo ROCKS!! Hardly a day goes by where the phone doesn't ring ONCE. then stop.. Had to train the wife to wait to see if there was a second (or third) ring before she answered it... Just wish it would work on our cellphones, but I've yet to find a way... At least, on the cellphone I have call-control, which does a fair job of reducing the crap calls

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  8. submitter should not worry. by sribe · · Score: 2

    My biggest worry is that the people behind these scams, like spammers, will hire copywriters who can fool many more people.

    Nope. Same as with spam. They need gullible idiots. If the initial pitch is more believable, they'll just waste more time with people of normal intelligence, who might get through a few minutes of a pitch, but will ultimately balk at giving out all their personal info to a cold caller about their supposed account, or at rushing out to buy a Green Dot card to pay the IRS right now, etc.

  9. Re:Ring ring by BenJeremy · · Score: 4, Insightful

    First psot

    Wow, talk about missing an opportunity...

    You should have used:

    First POTS

  10. A few by mrkmpn · · Score: 2

    I've received the "Your computer is reporting problems indicating that it is at risk" phone call once, but I was in line at a register, and couldn't try to have any fun with the guy. Years ago I received several of the "Our records indicate your vehicle's warranty has expired" calls. Which technically was true... since my car was over 10 years old and I was the 3rd owner of the car. On the 1st call, I asked how they got my number and they hung up. On the second call, I asked to be removed from their call list, and they hung up. On the 3rd call, I said I was going to report them to the FCC, and they hung up. I've received several calls from people "with google" trying to help us increase our presence online. They seem shocked that I don't want to do that. I've also received several of the toner cartridge scam calls for printers. I don't understand how they think it will work when they call acting like they know you, "remind you" of a phone conversation you had a year ago, and then try to sell you ink cartridges for a laser printer for a brand you don't even own. (At 1st I thought he was trying to sell me a printer.) Honestly I think 90% of the sales calls you receive at a business are some type of fraud.

  11. ultimately, government collusion/apathy by argStyopa · · Score: 2

    The fact is that if they were aggressively and rigorously prosecuted, this wouldn't be an attractive business. As it is, they're assuming that they'll get away with it.

    Personally, I invite anyone looking for a vigilante-cause to hunt down and kill some people, this would be a great subject. It doesn't have to be the LAW that punished these guys, to de-incentivize the whole industry.

    I mean hell, by RIAA-caliber math, aside from their actual fraudulent scams, 86 million scam calls x 12 months x say 3 minutes per call average (to count the time it takes to get up out of my chair) = nearly 6000 person-years consumed annually just in time wasted. Assuming a median income of 26k per capita, this is nearly $160 million annually wasted.

    --
    -Styopa
  12. Since you know the NSA is listening by tekrat · · Score: 4, Funny

    Use lots and lots of keywords.

    When the scammer calls, no matter what the person says at the other end of the line, you say "What did you say? You want to blow up an airliner and kill the president? You're a member of Al-Qaeda and ISIS?"

    I guarantee that call will go dead and they won't ever call you again.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  13. My experience with robocalls by jeffmflanagan · · Score: 3, Insightful

    I never receive them, because if you're not in my address book, I'm not picking up the phone.

  14. nomorobo has worked great for me by Zontar_Thing_From_Ve · · Score: 4, Informative

    I use nomorobo (https://www.nomorobo.com/). It's free for non-business use. I have my home phone (yes I still have a home phone - my current home security system requires it) going through it and I think it's great. It only works with VOIP or wireless phone numbers though, not true land lines. It works by having you activate a feature to ring a 2nd number when a call comes in. The 2nd number is No Mo Robo's phone number. Let your phone ring once and their database will pick up the call before the 2nd ring if they feel it's fraudulent. I'd say it stops more than 95% of the robo calls I get, which to me is fantastic. Maybe once or twice a month a robo call will get through, but that's all.

    Just as a point of interest, I work with a guy whose ability to judge scams is broken beyond anything I've ever seen in a non-elderly person. His ability to differentiate between the bogus and the legit is just about non-existent. Remember in the past decade when a lot of us US people were getting cold calls from some company telling us we could buy an extended warranty for our cars that would pay for any and every repair we needed for years to come? He bought one. I realized that it's guys like him who keep the robo callers in business.

  15. Re:POTS security is broken. by RabidReindeer · · Score: 4, Interesting

    The plain old telephone system evolved in an earlier era, security by obscurity was the norm. They were using simple whistling tones added/removed to regular conversation for data communication between exchanges. All analog. Blind phone phreaks were stealing just long distance minutes from the phone companies. But now the phone companies feel they have no liability to detect spoofed caller id. If some courts hold the phone companies liable for transmitting false phone numbers, using some lawyerly language like "aiding and abetting" "knowingly providing false information" "negligent" etc, then there could be some relief.

    Phone companies most definitely know which of their resources are being employed to make calls with. They BILL for those resources and each and every call gets logged. Those logs are also required to be available for (allegedly) authorized law enforcement agencies and they're one reason why the old movie trope of "keep them on the line while we trace this call" is bogus. If the connection was made at all, no matter how briefly, there's a record constructed by automated equipment.

    Naturally, if the true origin of the call is coming in from some other source, the phone company can only trust whatever ID came in from that source, but they definitely know where the call itself came from and that means that law enforcement can then track back until such point where they cannot gain any sort of co-operation. Even spoofing via Internet phone can be tracked if you're determined enough.

  16. Re:I screen every call. by TWX · · Score: 2

    "I was just following orders" rarely works as a defense.

    --
    Do not look into laser with remaining eye.