The Telecom Industry Strikes Back Against Robocalls
There is an effort underway, spearheaded by the United States Telecom Association (USTelecom), a nonprofit organization representing U.S.-based telecommunication-related companies, to stop the billions of illegitimate robocalls being made, or to at least put a significant dent in those numbers.
Together, USTelecom and its members have formed the Industry Traceback Group (ITG), which comprises communications companies providing wired, wireless, VoIP, and cable services. Operating under section 222(d)(2) of the Communications Act, which permits “carriers to disclose and/or permit access to customer proprietary network information if suspected fraud, abuse or unlawful use of services exists,” the ITG is a platform for communications companies to “trace and identify the source of illegal robocalls.”
The traceback process begins with a terminating service provider that possesses information about suspicious phone traffic. The call is then traced back through the various communication provider networks until it reaches a nonresponsive communications provider or the originator of the call. This information is shared with federal and state law enforcement agencies.
According to the 2019 USTelecom Progress Report, approximately 110 tracebacks were conducted per month, which translates to robocall campaigns responsible for “tens of millions of calls.”
USTelecom also collaborates with YouMail, which identifies the most prolific robocall campaigns, enabling the ITG to focus its traceback efforts to locate the source.
The effort appears to be working. Alex Quilici, CEO of YouMail, directed me to a recent article in The Wall Street Journal reporting that on March 13 YouMail picked up a surge of calls that mentioned novel coronavirus testing kits.
On March 17 U.S. communications companies traced the calls to a Philippines VoIP provider. ITG notified the provider, which responded within 24 hours that it had cut off services to the customer responsible for the calls.
Moreover, YouMail reports that between March 17 and March 18 the volume of robocalls pitching the testing kits had dropped 75%, and after March 20 they had almost disappeared…
Fighting fraud is often compared to a game of whack-a-mole: Improve security in one area, and criminals will find a new way to breach a company’s defenses in another area. In recent years, for example, the introduction of security chips has greatly reduced the fraudulent use of physical credit cards, but criminals have not responded by throwing up their hands and going home.
Instead, they’re increasingly turning their attention to account takeovers.
Fraudsters sometimes gain access to victims’ bank and e-commerce accounts by cracking weak passwords or using stolen credentials, but more and more attacks are targeting what is emerging as the weak link in many organizations’ security systems: the phone channel.
In a recent study, 51% of the financial services companies we surveyed identified the call center as the vector of choice for account takeover attacks. Jim Hickman, assistant vice president of Financial Crimes Operations at USAA, and Tom Poole, senior vice president for digital payments and identity at Capital One, have also pinpointed the call center as the location where most fraud starts. At the Money 20/20 USA conference in 2018, they agreed that while account takeovers tend to show up in the online channel, the job usually begins by socially engineering call center agents.
Social Engineering And The Rise Of Account Takeovers
Call centers often use knowledge-based authentication (asking callers to prove their identity by supplying personal information such as their account number and mother’s maiden name) to grant access to customer accounts. This process is highly vulnerable to social engineering, in which a scammer manipulates an agent into inappropriately granting access to an account. The exposure is greater now that vast troves of consumer data are available for sale on the dark web.
As the VP of technology for a company that works with financial institutions and other enterprises needing to authenticate callers to protect account access, I know this scenario all too well. Armed with personal information purchased on the dark web or gleaned from social media, a criminal can phone an organization’s call center (perhaps using a spoofed number or a virtual call service to disguise the call’s origins) and, posing as a customer, correctly respond to the agent’s identity interrogation to convince him or her to reset the account’s online password or change the associated email address.
Treating Everyone As A Suspect
Because these systems are not foolproof, and they merely flag risks rather than positively confirm a legitimate caller’s identity, organizations end up treating every caller as a suspect while doing little to actually catch fraudsters.
This process asks agents to subject every caller to time-consuming (and often annoying) identity interrogation while spreading the organization’s fraud-detection resources across all incoming calls, even though the vast majority of callers are actual customers. There is a better approach.
When detectives begin investigating a crime, one of their first steps is to confirm alibis and rule out suspects who don’t match the forensic evidence at the scene. If they can rapidly eliminate 80% of the potential suspects, they can concentrate all their resources on the remaining 20%. This same principle applies to separating good and bad actors before they can commit a crime.
If an organization can immediately confirm the majority of callers as legitimate, the call center’s fraud-detection staff and tools can be directed toward assessing the significantly smaller subset of non-authenticated calls, thus dramatically improving fraud-fighting return on investment. Agents receiving non-authenticated calls will be more alert to potential social engineering attempts, and the use of tools to assess inbound call data or caller voices can be much more focused.
But how can call centers confidently focus their fraud-fighting efforts if knowledge-based authentication is ineffective?
The first thing organizations need to do is fight fraud where it starts, not where it ends. They should build systems to accurately track fraud events back to the source. This will very often be the call center and will require an ability to record and replay activity on an account to determine the moment of account takeover.
A second approach is to augment the training of agents. A strong line of defense is an informed call center staff. Employees should be able to recognize the signs of a social engineering attempt and be wary of behaviors such as a strong sense of urgency, pressure to make a quick decision, or appeals for empathy. Agents should be empowered to react to such attempts, retrained regularly, and kept apprised of the latest fraudster techniques.
And finally, companies should look into implementing stronger authentication methods. Organizations can choose from a growing range of multifactor authentication solutions using technologies that can verify customers’ identities and route them into a trusted caller flow. For example, an inherence factor (a voiceprint) can be combined with a physical ownership factor (the customer’s smartphone) to create a solution that automatically and accurately authenticates callers before they reach an agent.
September 30, 2019
Given the recent media attention on combating robocalls, we need a reality check: We can’t completely eradicate these “nuisance” calls. But we do have the technology and regulatory framework here in the United States to block the most egregious robocalls that put consumers at risk.
While there’s not a panacea for robocalls, we can take huge strides in shutting down illegal robocalls run by fraudsters who use autodialed, pre-recorded messages to prey on unsuspecting victims to steal money or personal data, or both. Some quick clarity on terminology: If you answer the phone and hear a recording rather than a live person, then it’s a robocall. And if the call is trying to sell you something, then it’s illegal — unless you’ve given written permission to allow it. More information on robocalls is available from the Federal Trade Commission (FTC).
September 14, 2019
A new report highlights how nimble scammers and spammers are in the face of efforts to combat robocalls.
Despite new initiatives by the Federal Communications Commission (FCC) and carriers, robocalls aren’t on the wane. Americans are still facing a scourge of 200 million unwanted robocalls a day, according to a report from Transaction Network Services (TNS), a major telecommunications network and services company…
July 12, 2019
The Federal Communications Commission is lauding the progress that phone carriers are making in the fight against unwanted robocalls, but also warning that if they fail to meet a deadline, the agency will move to impose new regulations.
This week the FCC held a summit on combating robocalls, a broadly acknowledged problem that has eroded trust in the phone system and put consumers — particularly the elderly — at risk of falling prey to scammers.
The FCC has alighted on a technical approach to fight the spoofed calls that often show up on your caller ID with your own area code and, often, the same first three numbers as your own phone number. Those calls, by spoofing your own number, aim to trick you into answering what appears to be a legitimate, local call, but more likely originates from an overseas auto-dialing operation. The result, officials have lamented, is that we have become a “nation of call screeners.”
The Federal Communications Commission is pushing the telecom industry to step up attacks on robocallers, which could provide another tool for consumers.
The FCC knows better than anyone how bad the robocall crisis is (FCC Chairman Ajit Pai has called it a “scourge”) simply because of the flood of complaints the agency gets.
Unwanted calls are far and away the biggest consumer complaint to the FCC with over 200,000 complaints each year—around 60 percent of all the complaints we receive.
–“The FCC’s Push to Combat Robocalls & Spoofing,” FCC
Verizon is getting ready to offer a free robocall blocking app at the end of this month, as it steps up efforts to combat the growing plague of spam calls.
Update (Thursday March 28, 2019): here’s the new free app.
In 2019, pretty much everyone is on a robocaller’s speed-dial list. That often means several spam calls per day.
Verizon knows this of course. It already offers a paid blocking app for $2.99 a month. But the new freemium (free + premium) strategy means that in addition to the paid app, there will now be a free* version…
October 29, 2018
Just weeks after the Social Security Administration (SSA) warned about an Office of the Inspector General (OIG) impersonation scheme, the Acting Inspector General of Social Security, Gale Stallworth Stone, is raising an alert about a new scam. This time, the scheme involves thieves who are engaging in caller-ID “spoofing” which echoes a pattern where thieves pretend to be from government agencies, like those scammers who are spoofing calls from the Internal Revenue Service (IRS)…
July 22, 2018
Why can’t the government catch these guys? That was the sentiment echoed in my inbox over and over as those Internal Revenue Service (IRS) impersonation phone scams exploded. It felt painfully slow, but arrests were finally made in the United States and India. This week, many of those scammers were sentenced for their crimes.
Twenty-one members of a massive India-based fraud and money laundering conspiracy faced sentencing hearings this week in Houston, Texas. The defendants had ties to India-based call centers that targeted U.S. residents and cheated thousands out of hundreds of millions of dollars…
July 20, 2018
It may be summer, but the bad guys aren’t taking a vacation. The Acting Inspector General of Social Security, Gale Stallworth Stone, has issued a warning about an ongoing phone scam from thieves pretending to be from the Social Security Administration (SSA).
As part of the con, scammers try to convince you to give up personal information, like Social Security numbers and bank account numbers, over the phone. In another case, a caller claims to be from “SSA headquarters” and asks you to confirm personal information, such as an SSN, “new” Medicare number, address, and date of birth…