Sign up to our newsletter
The latest security news direct to your inbox
Facecrooks is a site that provides some useful information and alerts regarding Facebook scams: recently, though, it published an alert regarding a scam that isn’t Facebook-related, and a little further digging provided me with a whole load of recent warnings in the US media inspired by a warning from the Better Business Bureau.
The ‘One Ring’ scam is often referred to as Wangiri, the name by which it is known in Japan. (It means ‘one and cut’.) This kind of telephone fraud is by no means new, but the present warnings are specifically directed towards cellphone users. (Having said that, I certainly wouldn’t assume that landlines are never targeted.) The essence of the scam is that the fraudsters dial a random selection of phone numbers. It’s done with autodialling rather than manually, of course, for maximum spread. However, the dialler hangs up after the first ring, so the number is recorded as a missed call on the prospective victim’s phone. If he or she notices the call and assumes that it was a legitimate call, he or she may well dial the ‘missed’ number in order to find out what the call was about.
Typically in such a case they’ll be paying to hear some kind of advertising message, or calling a premium rate (often overseas) number where the intention is to keep them on the line as long as possible in order to get the maximum payment out of them. Or, of course, both. In the latter case, the victim may be connected to a lengthy recorded message, or held in a continuing call queue.
‘Pay-per-call’ numbers in the US normally have a 900 prefix, and there are regulations that require that the caller be notified of charges. (Also, some phones have a 900 blocking facility.) However, numbers outside the US aren’t subject to these regulations. The Facecrooks alert mentions the 268 area code (Antigua), but a number of other country codes have been linked with scams taking advantage of ‘pay-per-call’ numbers, including Belarus (375), the British Virgin Islands (284), the Dominican Republic (809), Grenada (473), Latvia (371) and Jamaica (876). The Better Business Bureau warning refers only to Caribbean country codes, however. Of course, these are all legitimate country codes, and you might not want to block them even if such a facility was available in your region. (It probably isn’t.)
Part of the problem is that these apparently look onscreen like US regional codes. It may be also that missed calls are more obvious on cellphones with pop-up messages and flashing LEDs: in any case, smartphones are used for many other purposes, unlike the average home handset, which the home-owner may or may not think to check after going out or being away from home for a while.
However, the usually-reliable Snopes tells us that while the scam hasn’t disappeared, its current prevalence has been overstated. I don’t know if that’s the case, but certainly some of alerts circulating on the Internet are severely misleading, like the one that claims that if you return a call from Belarus or Latvia your credit card details and contact list will be stolen, while some of the sums quoted – in one case, nearly $2,500 per minute! – are absurd. The Better Business Bureau warning that has been taken up by so many journalists cites an international call fee of $19.95 plus a further charge of $9 per minute, but Snopes quotes a much lower rate for Sprint calls to Belarus and Latvia (not referenced by the BBB), so this is clearly not universally true. In fact, basic charges for international calls vary according to region (yours and the callback destination!), subscription plan and provider, but can certainly be depressingly high on some cellphone plans. However, thousands of dollars a minute seems a little high…
Problems certainly arise when a telephone company in one country has an agreement with the premium rate service to charge the victim via his telephone company. However, Snopes implies that in the US, the telephone company will, more often than not, cancel the charges if the victim contacts them. Clearly, your mileage may vary according to where you live and who provides your services. But the moral seems to be that if you find that a number you don’t recognize has been registered as a missed call, at the very least it’s a good idea to check on where it appears to originate. Here’s an example – suggested by Snopes – of a site that offers country-code information: http://countrycode.org/.
I can’t say how much of a problem this is in the US: after all, I don’t live there. But personally, I can’t think of circumstances that would compel me to return a call from any number I didn’t recognize. Least of all if I knew that it had only rung once.
ESET Senior Research Fellow
Author David Harley, ESET