[Updated footnote in line with information received from Ontinet.com about coldcalling regulation in Spain.]
Yesterday I had a phone call. Well, several, of course, but this was yet another irritating cold call. If you've read some of my many blogs on the subject, you might think that it must have been yet another support desk scam, but it wasn't.
The first question I asked was "who do you represent": it turned out to be one of many companies in the UK that offers a service to people who feel they may have a claim against a mortgage lender or insurance provider. That's not really my field, so I find it harder to distinguish between legitimate and less legitimate businesses in that field, and I can't say that this wasn't a legitimate call. Except that, like many people in many countries I'm subscribed to a "do not call" register. In fact, the European Union’s Data Privacy Directive 2002/58/EC requires members states to enact legislation to control cold-calling, using either an opt-in or an opt-out model: for example:
Hence my second question: "Are you in the UK?" Unfortunately, the answer was no. And therein lies a problem that goes beyond support scams. The telephone network, like the Internet, isn't very good at recognizing national boundaries. Which is why I have a couple of rules of thumb when it comes to cold callers (apart from the fact that I don't expect UK companies to contact me at all, which doesn't mean it never happens). I don't talk to cold-callers who withhold caller ID*. And I won't do business with a company that uses offshore call-centres to avoid do-not-call registers.
*While Spanish telecom providers appear to be pretty relaxed about the extent to which businesses cold-call, at any rate on weekdays and Saturday mornings, there is at least an agreement between most of the major providers that callers are not allowed to withhold the number from which they call. And my colleague Josep Albors tells me that there is, in fact, a Spanish do-not-call list called Robinson's List, which seems to be well in accordance with the EC directive. See: https://www.listarobinson.es/default.asp. Josep also tells me that the restriction on withholding caller-ID is working very successfully there.
And back in the US, the FCC is upping the penalties for those who spoof Caller ID for malicious purposes in accordance with the Truth in Caller ID Act (hat tip to Aryeh for that info). Not that these measures will impact on offshore scammers, but at least they make my rules of thumb just a little more effective.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security