Practical advice for combating robocalling

Robocall scams have exploded worldwide during the past several years, and the Covid-19 pandemic threatens to spur many new schemes. Governments are taking action to punish perpetrators, yet the problem persists because it is profitable for scammers. Fines, elimination of warnings prior to issuing penalties, and caller-ID authentication requirements aside, robocalling will persist if consumers continue to fall for its tactics and aren’t offered simple ways to report when they receive unwanted robocalls. Other than large scale data theft, such as the well-publicized Equifax data breach, robocalling is a major vector for identity theft. Thieves bombard nearly everyone with automated calls using spoofed caller IDs that look like legitimate numbers. Once robocallers engage their marks, they aim to bring their victims “under the ether” to gain personal information, as Frank Abagnale Jr., author, lecturer and consultant with Abagnale and Associates describes in his recent book Scam Me If You Can. Abagnale is an internationally acclaimed expert in confidence schemes of all types and the subject of the 2002 film Catch Me If You Can. Abagnale consults to law enforcement agencies, banks and other large organizations on how schemes are conducted and how to implement measures to detect and prevent them.

He explains that con artists, such as robocallers, aim to influence victims into an emotional state – “under the ether” - that compromises their judgment. By exciting people with promises of an easy financial windfall or even with fear of having one’s identity stolen, cons probe their victims with friendly questions or threatening demands.

Robocalling is a brute force version of this classic confidence scheme approach that uses the global telephone network. Thieves only need to be successful with a tiny percentage of victims to be profitable, and so the practice has grown. At the time of writing, 13.7 billion robocalls had been placed in the United States in 2020, an average of nearly 42 calls per person year to date, according to the YouMail Robocall Index. Once personal data is acquired, thieves either use it to conduct other schemes or sell it on the dark web – the internet’s shady black market.

Stopping robocalls

Communications service providers (CSPs) and their partners are implementing several technical approaches to identify and block robocalls, like identifying known robocalling origination points, recognizing compromised number ranges or detecting floods of calls to certain number ranges from a small number of origination points.

“One of the concepts is stopping the call before it gets delivered,” says John Haraburda, Principal Solutions Engineer for iconectiv, the United States’ local number portability administrator (LNPA) and trust anchor for the country’s newly mandated STIR/SHAKEN caller ID authentication framework known as the Calling Number Verification service. “You firewall the customer base by blocking calls from dodgy ranges or numbers not associated with any carrier,” he explains.

Such network-side technical approaches are useful but can also become a cat-and-mouse game. “Fraudsters will test a campaign and see if the number will be blocked or not and then run it as a mass campaign,” says Chris Drake, CTO for iconectiv. “If carriers can sense those test calls, the whole ecosystem can be vigilant about it.” Robocalling is not shut down entirely because trusted entities also use it for legitimate purposes. For example, school districts use robocalling to alert families when school is cancelled for weather or health reasons, and businesses can use robocalling with customers that have consented to be contacted.

How consumers should protect themselves

One way to dissuade thieves from robocalling is to make the practice ineffective. There is no better way to minimize or halt the practice than for people not to fall for the scam. Abagnale provides useful advice for consumers in Scam Me If You Can which CSPs would be wise to echo loudly to their customers worldwide. He advises:

• Use robocall blocking services – these are increasingly provided by CSPs or by legitimate third parties. If a CSP does not offer or recommend such a service, it should consider doing so immediately to protect customers from this growing scourge.
• Ignore calls you do not recognize – if an unfamiliar caller ID comes up, just ignore it. If it’s a legitimate call, the caller will leave a message.
• Block repeat calls from your mobile – if you’ve ignored a call and the number comes up repeatedly, use the “block this caller” function through your incoming calls list to deny future calls.
• Do not provide information – should you answer a call from an unknown number, say nothing. Your voice can activate a recording or transfer you to a con artist. Never provide any personal information at all – not a name, location, bank you use or anything else.
• Double check – if you think you’ve missed a legitimate call from a business, use a trusted source like the company’s website, the back of your credit card, or the number on a bill to call the company. Never call the unfamiliar number back directly from your phone.
• Know which calls to avoid – anyone offering to reduce your debt or credit card rates; provide a pre-approved loan, a free or low cost holiday trip, time share, home security system, or cheap medical supplies; or who claims to represent the government or a utility are likely scammers. Just hang up.
• Ask yourself if it is a high volume robocall day – robocalls are most common on Tuesdays and Fridays. Remain especially alert on those days, but don’t let your guard down on other days.
• Change your number to a less targeted range – in the US, robocallers target major city area codes. Consider asking your operator to change your number to an area code outside the city and its surrounds if the robocalling volume is just too much.
• Report them – report the call to an appropriate government agency or to the carrier. It can help to identify bad number ranges or to blacklist certain numbers or origination points.

Reporting is critical

Drake echoes Abagnale’s last point of advice saying, “Reporting abuse is really important.” Insight into bad behavior comes not only from analyzing network traffic, but also by correlating it with complaints from consumers. Attacks happen across networks, which means a single CSP may not see the whole picture that widespread consumer reporting can provide.

“Customers should have a button,” Drake says. “Where’s the button that says, ‘That was spam’ or ‘I never consented to that’?”

He suggests CSPs work together to provide a simple button, rather than a numeric short code or multistep forwarding scheme, to encourage consumers to report fraudulent robocalls. It seems unlikely that robocalling scams will ever be eliminated entirely, but minimizing them will require CSPs, regulatory agencies and other stakeholders to continue to cooperate on both effective technical solution and consumer education and empowerment. To learn more, check out our new report: