Robocalls: where is RoboCop?

Some years ago I came across the story – I can’t say whether it’s true – of a decommissioned server that, at the time it was powered down for good, still had a task left unfinished after something like seven years. This was due to its being constantly deprioritized as other jobs demanded the server’s attention.

It sometimes seems to me that email is a little like that. When I left one job a few years ago, I was still clearing my email backlog weeks after I’d officially left the organization. A few days ago, while catching up with my ESET email (now down to no unread messages, though I don’t suppose that will last) I found a message reminding me to write something about automated tech-support scam calls. Happily, this one was only about seven months old, rather than seven years, so it isn’t yet totally irrelevant: the robocall problem isn’t likely to disappear any time soon. I can’t say what percentage of nuisance/scam robocalls are related to tech support scams, but most of what I’m going to say relates to robocalls in general, not just the support scam variety.

My PC left a message

In fact, I’ve never received any examples of this particular brand of automated nuisance call myself, but my understanding is that they often follow a classic pattern. It’s one that will be familiar to you if you’ve encountered the cold call scams that we’ve been hearing about for years, and the pop-up support scam messages I’ve discussed here several times before. They take the form of a warning that your system is infected (and apparently has been sending out SOS messages) and an invitation to speak to a support person (in this case by pressing a key rather than by following a URL or dialling a phone number). However, most of the stories I’ve heard focus on the dialogue with the live scammer rather than on the format of the robocall, so there may well be variations of which I’m not aware.

However, robocalls are certainly very common. Aaron Foss apparently reckoned early in 2015 that 20% of all phone calls are automated and that the volume is increasing. In July 2015 his estimate was 35%, so I guess that’s a self-fulfilling prophecy. Consumer Reports told us in 2015 that ‘Every month more than 150,000 consumers complain to the Federal Trade Commission and Federal Communications Commission.’ Not all those automated calls are technically scams, however annoying you and I might find them, but many of them certainly are.

Let me count the ways …

Among the other types of scam known to be delivered by robocalling in the UK are scams relating to mis-sold PPI (Payment Protection Insurance), mis-sold pensions, and debt management. Last year, the FTC shut down one offender in the US. The UK’s Information Commissioner’s Office recently fined lead generation company Prodial Ltd £350,000 (the largest fine it has imposed to date) for making more than 46 million automated nuisance calls related to PPI. However, since Prodial went into liquidation late in 2015, it seems unlikely that the fine will be recovered. Still, it’s encouraging that some agencies oriented towards consumer protection do have some impact on offenders.

Robocalling is also commonly associated with IRS scams, home improvement scams, and home security scams, but practically any phone scam, such as an accident compensation scam, may also be delivered through automated calls. After all, all you need is the ‘right’ message to persuade the victim to call you back.

Cheap crooks and cheap calls

Unfortunately, it’s possible to make cheap and easy phone calls from anywhere using Internet technology. (So why are my phone bills so high? I don’t even have teenage children anymore.) What’s more, it’s all too easy to display a fake caller ID, so despite the demands from enraged victims to step up action against the scammers, there is no way to guarantee you’ll never receive another nuisance/scam call.

Unfortunately, services like the US National Do Not Call Registry are unlikely to block illegitimate calls.

Don’t call us, we’ll call you

While subscribing to a service like the US National Do Not Call Registry (or the UK’s Telephone Preference Service) does indeed reduce the risk of nuisance calls from legitimate organizations, it has less impact on callers whose intentions are clearly not legitimate, and who are taking pains not to be identified. In general, they simply don’t care about such lists. In fact, the TPS doesn’t actually apply to automated calls, although – according to EC legislation – you shouldn’t receive such calls unless you’ve already given permission. But it’s obvious from the size of the problem that many companies don’t care about that either. With an attack surface the size of the internet, it would be naïve to expect problems like these to be solved by legislation alone. On the other hand, challenging suspicious callers when they ignore such registries may help (dis-)establish their bona fides: indeed, as the FTC asserts on a page offering advice about the National Do Not Call Registry, just the fact that you’ve received a call despite being registered increases the likelihood that it’s a scam call.

Be aware, though, that some types of unsolicited call are permitted by these services: surveys, for example (which is why sales calls often start off trying to sound as much as possible like a survey). Other exceptions to the ‘no call’ rule may vary from country to country, but can include purely informational calls, calls from charitable institutions, and so on.

Cell (and landline) block

Sometimes a phone company can block calls from known ‘bad’ numbers, and some models of telephone may include blocking functionality. However, there are an awful lot of numbers that are misused for sales/spam/scam calls, and it’s easy to change or spoof a caller ID. (Spoofing is a term used in this context when the caller ID appears to indicate a genuine and trustworthy caller.)

The sheer volume of misused phone numbers is not well addressed, in general, by providers of telephony service and hardware. That, in part, accounts for the disgruntled tone of some debates on consumer protection sites and forums. Once the scamming community has your phone number, you may receive calls from lots of numbers, but the average service provider will offer blocking for only a few. (And a fee is often charged for this service.)

It may be possible to block calls from withheld or international numbers, which does cut down radically on the number of spam/scam calls received, but for some of us that would mean losing some legitimate calls, too.

For the landline user, there seems to be an increasing range of handsets and hardware devices that may help, if testing by organizations such as Which and Consumer Reports can be trusted.

The good news is that there is a wide range of call-blocking apps available for smart phones (or blocking may be part of the service). Unfortunately, I’m not in a position to recommend specific programs (or hardware for landlines, come to that).

In 2013 Aaron Foss and Serdar Danis were each awarded $25,000 by the FTC for ‘intercepting and filtering out illegal prerecorded calls using technology to “blacklist” robocaller phone numbers and “whitelist” numbers associated with acceptable incoming calls.’ Foss’s Nomorobo service (which at the time of writing claims to have blocked 68,848,688 robocalls) sounds quite successful for people using VoIP carriers that support Simultaneous Ringing. However, I’m not in a position to try it out. For many of us, the options are more restricted.

So what can I do?

Unfortunately, RoboCop isn’t answering my calls.

Still, if you’re not in a position to do much to reduce the number of scam robocalls you receive, you can at least follow some guidelines to protect yourself against following up on an automated call and thereby falling for a scam.

  • It usually makes sense to assume the worst if someone calls you out of the blue with no real proof of his or her identity. (Because Caller ID is so easy to spoof, it shouldn’t be regarded as ‘real proof’.) So it also seems like a good idea not to give away information that might be of use to a scammer, such as sensitive financial data or personal details (let alone PINs and passwords).
  • As we’ve pointed out on this blog time and time again, there is never a good reason to download software on the advice of a random caller, especially in order to give that caller remote access to your computer.
  • Subscribing to a ‘do not call’ register does at least reduce the number of legitimate but unwanted calls you receive, and does provide some sort of heuristic for gauging the probable scamminess of a call. If you do subscribe, check what calls are and are not permitted by your service.
  • I’ve also pointed out on this blog that the circumstances in which a provider will ring you to tell you about a problem with your computer are pretty rare. If such a circumstance does arise, it’s unlikely that the provider will rely on an automated call to alert you.
  • In the event of an unsolicited call that does seem to come from a legitimate source, it’s still a good idea to call them back on a number you know is genuine. Bear in mind, though, that there are known scams that fake disconnection from the original call, so that you may not be calling back at all. This is because sometimes when you put your phone down, the line may not be cleared immediately. Scammers taking advantage of this have even been known to play a recording of a ringing tone.

For people in the US, the FTC has a resources page that specifically deals with robocalls. The organization also suggests that you don’t interact with an ‘illegal’ robocall in any way: just hang up. It says:

“Don’t press buttons to be taken off the call list or to talk to a live person. Doing so will probably lead to more unwanted calls. Instead, hang up and file a complaint with the FTC.”

You can also submit a complaint to the Federal Communications Commission.

The Information Commissioner’s Office in the UK has information on marketing calls, including automated calls, with links to other relevant pages.

Image: Cath Vectorielle / Shutterstock.com

Author David Harley, ESET

Copyright © 2016 ESET, All Rights Reserved.