Robocalls keep spamming Americans, in part because of their cyber tools
Mar 1, 2021 • CyberScoop
After a surprising lull at the onset of the COVID-19 pandemic, phone scammers are back, and showing signs of overlapping more and more with text messages and cyber elements.
Scammers are combining phone calls with tricks to circumvent two-factor authentication, using information they obtain online to make more targeted calls and, in some cases, mimicking the attack methods of hackers, government and industry officials say.
Phone scams that merge with other methods are growing more frequent and difficult to contend with, said Connecticut Attorney General William Tong. “I think it’s common and it’s dangerous, particularly the way that they’re able to cloak themselves or convince you that you need to respond to a particular call or email,” he said.
Internet technology has helped fuel a record number of robocalls thanks to the advent of voice-over IP, a tool that made mass calling convenient and more affordable. Estimates vary, but most studies conclude that U.S. consumers lose billions of dollars annually to phone scams.
Since early in the pandemic, the number of robocalls has hovered at between 3 and 4 billion robocalls per month, and somewhere in the vicinity of 2 billion scam calls within that number, said Alex Quilici, CEO of YouMail, a robocall blocking company. The figure is up from an estimated 2.9 billion in April 2020, some 1.2 billion of which were scam calls. In October 2019, though, YouMail estimated the robocall number at closer to 5.7 billion, roughly 2.4 billion of which were scam calls — a label the company applies to “clearly illegal” calls.
Several factors have pushed the overall numbers down after reaching that record high in late 2019, one of which is improving consumer savvy. That, in turn, has forced scammers to get creative.
“We’re doing way better on robocalls than we were,” said Quilici. “What happened, though, is with the pandemic, people got spoiled and said, ‘Hey, the robocalls went away,’ and now they’re starting to come back and it’s really noticeable.”
The numbers dropped at the pandemic’s outset, according to several experts, because physical call centers still play a role in the number of calls that go out. Those centers, like everyone else, were shutting down offices and adapting to working from other locations. A scam-busting activist featured in the New York Times recently boasted of turning on webcams at those call centers in places like India, where footage shows employees working in cubicles.
Where cyber meets phone scams
While phone scams might be showing more creativity, there is a history of them overlapping with other mediums.
Tech support scam calls usually have had a cybersecurity dimension. In that variety, fraudsters call up pretending to be from Microsoft or another vendor, then say they need access to a victim’s computer to remedy an apparent virus or other fictional technical issue. Finally, the swindlers install malware or try to sell worthless security products.
Tech support scams can also be conducted without phone calls, such as via email.
Quilici said that the real danger, however, is the increasing sophistication of scammers as opposed to just the volume. He said he can see those tech support scammers move toward, say, obtaining a targeted list online of people using a specific version of Windows.
“That’s my worry is that’s where this tech support stuff is going to head,” he said. “They’re going to find lists, they’re going to have information that’s about the person they’re calling that convinces a person they really know it’s them.”
In one kind of scam Proofpoint is seeing more often, the grifters send a text message pretending to be from a bank and ask if a made-up transaction was fraudulent. When the victim replies that they didn’t make that purchase, the scammers call, then swindle the victim into helping circumvent two-factor authentication to gain access to real bank accounts.
Increasingly, consumers have learned to not answer calls from unknown numbers or calls labeled spam by their carriers, said Jacinta Tobin, vice president of cloudmark operations for Proofpoint. But mobile phone users open almost all their text messages, she said.
“So there’s a kind of multimodal cumulative trust that builds, meaning if you get a text and a call from the same person, you’re more likely to trust that source,” she said.
USTelecom, a phone industry organization, established the Industry Traceback Group, which many observers have credited with helping crack down on scam callers. The group is a collaborative industry effort to trace the origins of illegal calls, and it also works closely with law enforcement and regulatory agencies. Josh Bercu, vice president of policy and advocacy, said the traceback program has increasingly been tracing back two kinds of cybersecurity-related calls.
In one variety, scammers make phishing calls in a bid to obtain credentials from call center workers, other employees or customers so they can “do the same thing any cybersecurity hacker can do,” Bercu said.
The other kind the group is increasingly tracing back is “telephonic denial of service (TDoS)” attacks that mimic the tactics of internet distributed denial of service attacks, with the TDoS offenders sometimes flooding a victim’s phone lines beyond their capacity and then demanding a ransom to stop.
One of the most infamous hacks of 2020, where hackers took over high-profile Twitter accounts including those of then-presidential candidate Joe Biden, came after a “phone spear phishing attack” on Twitter employees — although the social media company didn’t offer many more details.
What makes the numbers move
Besides the pandemic and the rise of voice-over IP, other factors affect the rise and fall of robocalls and scam calls, for good or ill.
Asked what’s challenging about battling phone scammers, an attorney in the Federal Trade Commission’s Bureau of Consumer Protection said the nature of telephonic infrastructure itself makes it difficult.
“The issue is that you’ve got a phone network that’s designed to be open source, and with a diffuse network that is designed to avoid outages in certain areas there can be almost an infinite number of pathways that travel from point A to point B, so that there’s redundancy in the system,” said the attorney, Will Maxson.
Designed more than 100 years ago, the copper line that transmits calls can’t carry very much data about a call source, either, Maxson said. That makes it relatively easy for scammers to spoof other numbers.
One thing that might help with that problem is the Federal Communications Commission mandate, under a 2019 law, for carriers to implement a set of caller ID authentication protocols known as STIR/SHAKEN.
Under STIR/SHAKEN, “calls traveling through interconnected phone networks would have their caller ID ‘signed’ as legitimate by originating carriers and validated by other carriers before reaching consumers,” the FCC touted. “Once implemented, it should greatly help the accuracy of caller ID information and should allow voice service providers to provide helpful information to their consumers about which calls to answer.”
The seasons can also drive scam calls numbers, with Proofpoint’s Tobin predicting a rise in Internal Revenue Service-themed fraud efforts as the tax filing deadline approaches.
Law enforcement and other regulatory agencies taking action against illegal callers can demonstrate an immediate impact. Quilici said that an operation in India in December, for instance, drove down overall numbers in January.
Tong and other attorneys general fear that a pending court case could hamper their joint effort to battle robocallers. In 2015, Congress enacted an amendment to a 1991 law, the Telephone Consumer Protection Act that placed restrictions on robocalls. That amendment allowed an exception to robocalls for collecting government debt. The Supreme Court last year struck down that exception.
Because of that Supreme Court ruling, a lower court ruled that the 1991 law’s robocall ban was unenforceable between 2015 and 2020. Last month, a group of attorneys general filed a friend of the court brief arguing against that lower court ruling.
One thing that probably won’t affect the battle against robocalls and scam calls is the shift to a new presidential administration, though, Maxson said.
“From my experience, it hasn’t changed at all really on this issue,” he said. “It’s been an enforcement priority for essentially every commissioner, for every chairman and chairwoman that I’ve worked under.”