The End of Robocalls?

The FCC took action recently to block certain kinds of robocalls. These are the automated calls we are all familiar with where you hear a recording when you pick up the phone. The FCC estimates that there are over 2.4 billion robocalls per month. If you read the news articles that came out after the FCC order you would assume that this order means the end of all robocalls – but it doesn’t.

The FCC action is intended to eliminate robocalls that come from spoofed sources. Spoofing is when the caller hides their phone number or changes the originating number for caller ID. Callers have numerous reasons to spoof calls. Some spoofers are scammers and use robocalls to initiate fraud. For example, the IRS says that over $26 M in fraud is done each year from robocalls posing as tax collection calls. Other callers use spoofing to avoid the Do-Not-Call rules which is supposed to prevent solicitation calls to people who have elected to not receive them. If the number that shows up on caller ID is wrong, then there is no way for the FCC to catch or fine a caller from violating those calling rules.

The FCC accepted a proposal from a ‘strike force’ of large companies like AT&T, Google, Apple and Comcast to tackle the issue. Some spoofed calls will be relatively easy to block, like when spoofers use numbers that can’t be real such as 000-000-0000. But spoofers also use disconnected or unused numbers and these will be more challenging to find. A spoofer could use a legitimate number for a short time and abandon it before being blocked. Spoofing is similar to computer hacking in that it’s a game of cat and mouse – and you’d expect spoofers to figure ways around any schemes to catch them. It will be interesting to see how effective the strike force is at blocking spoofed calls.

But it’s important to remember that a lot of robocalls are legitimate and will continue. First, anybody is allowed to make a legitimate robocall to people who are not on the Do-Not-Call list. But even if you are on that list, all sorts of entities are allowed to call you. For example, any merchant like a bank, credit card, insurance company, cell phone provider, etc. is allowed to call their own customers. Government are allowed to call citizens and that means that political robocalls are legitimate as well as calls from other parts of the government. Certainly nobody is against localities that send out robocalls to warn of tornados, flooding or hurricane evacuations.

And some robocalls are useful. For example, the high school where our daughter goes calls once a week to tell us about things going on at the school. For the most part these are things that you would never hear about from your child.

There is no doubt that robocalls are a huge issue. The FCC says they are by far the number one type of complaint they get. I haven’t had a landline in twenty years, but the last time I spent a few days at my mother-in-law’s house, who still has a landline, I was amazed at the number of solicitation calls she got per day – both robocalls and from live callers. She’s on the Do-Not-Call list and still gets 5 – 10 calls per day.

I think a lot of people will be surprised to find that the FCC’s action won’t stop legitimate robocalls – and that has to be a huge percentage of the calls made. Your bank and other vendors that call you are doing so legitimately and do not try to hide who they are when they call. And I think that when that sinks in that the public they will be disappointed. That fault lies with the many misleading news articles declaring the end of robocalling. The FCC was clear in its own declaration that this was an action taken to try to eliminate scam calls. But if history has taught us anything it is that scammers will always find a way to do what they do. This order may slow scammers down, but they will find other ways to scam people – including figuring out how to still call using robocalls. I hope the strike force can find a way to stop this, but my guess is they will just slow it down, at best.

Long Distance Fraud Again – Really?

I’ve been helping clients get into and stay in the long distance business since the 80’s when long distance was a new line of business for many telcos. I remember when the industry was new that it was a challenge. If you were a rural LEC you had to convince the RBOC who owned the regional tandem switch to help you set up a trunk group to get to a long distance company. And they were reluctant and slow to respond. So a company had to fight to get into the long distance business.

But over time it got easier and fairly routine and most rural telephone companies added long distance as a product line. It worked pretty well until the time in the early 90’s when calling cards became the rage and customers all wanted them. With a calling card a customer could make a long distance call from any other phone and bill it to their own home phone number.

So companies in the long distance business started giving out calling cards, and eventually they gave a calling card to every customer. This generated a lot of new traffic, and since this was back in the day when it still was not unusual to pay 10¢ to 15¢ per minute for long distance it also drove a lot of new revenue. But within a few years after calling cards were introduced calling card fraud followed. Calling card fraud was pretty straight forward. There were people who would try to find a valid calling card number that they would then send to places like the Middle East where street vendors would hawk cheap minutes. And dozens or even hundreds of people would use the calling card until somebody figured out that fraud was going on and cut off the card.

When the fraud first started the losses got huge because nobody was looking for it. But over time the carriers that sold the long distance began monitoring for unusual usage and policies were established such as making the cards only good for domestic calling, and over time the big calling card fraud got under control, but never quite stopped.

Over the years since then I have run across cases of fraud, but it has been a random thing here and there and not widespread like the calling card fraud had once been. The companies that sold wholesale long distance got more sophisticated and monitored usage closely and for the most part the industry stopped worrying about fraud.

But recently I have seen cases of significant fraud happening again to my clients. Within recent months I have had two clients hit for over $25,000 in fraud in a single month, which in both cases was as much as they had been paying for wholesale long distance for most of a year. So for these companies this was a really big deal and it effectively doubled their cost of buying long distance for the year.

And both of these companies were buying long distance from ‘big name’ carriers and not from some small VoIP provider. I must tell you that I was surprised. Not surprised that fraud could still happen, but surprised that the big company selling the long distance did not have a fraud monitoring process in place to stop it. It’s not that hard to monitor for fraud at the large carrier level. If they process the long distance in real-time it is not hard to set some flags to look for unusual usage. When my clients decided to buy wholesale long distance from these vendors they were assured that those carriers had fraud monitoring. It turns out to not to be true.

The fraud in both of these cases was allowed due to faulty connections between my clients and their customer. In one case if was my client’s own connection that was not secure. They had installed an IAD (Integrated Access Device) at a business customer in order to supply voice and data from their fiber connection. The IAD was not properly configured and had very weak passwords and was not configured to only accept commands from my client.

The second case was similar in that another client had a connection to a customer PBX. And of course, being a full service provider, they made the connection for the customer to his PBX. As it turns out there was a backdoor connection available into the PBX into the internet, which means that the PBX could have a connection from somewhere other than my client.

Neither of those problems automatically leads to fraud, but there is a new set of bad guys in the world. They use computer worms to test against millions of phone numbers looking for phone numbers connected to PBXs or IADs. Once they find such a device they use normal hacking techniques like cracking easy passwords to gain access to the device. They then sell calling in the same way as was done in the old days of calling card fraud. In one of these cases the calling went to the Middle East and in the other went to INTELSAT calling to satellite phones – both very expensive calling. My suspicion is that these bad guys are not selling these minutes on the street like in the past, but instead hawking cheap minutes to International VoIP minute sellers who have no idea where these minutes come from.

Certainly my clients had some liability in their loss since they contributed to the customer connection being made in an insecure manner. But they also ought to be able to rely on their underlying long distance provider to protect them against a flurry of suspicious calls. The biggest worry about this new kind of fraud is that it pumps a large volume of calling to expensive places in a short period of time. So it can cost a telco a large amount of money in a hurry.

So my caution to companies that sell long distance is to beware. It has been a while since fraud was of this level of concern, but it’s back again. There are two steps you can take to protect yourself. First, make absolutely certain that the company you are buying long distance from has good fraud detection and policies. You want a carrier who will not only find the fraud but who will cut off the calling before they even contact you. But second, the responsibility rests with you to use good network practices to make sure it is hard for somebody to hack the connections to your customers. If you want to know more about how to protect yourself contact Derrel Duplechin of CCG at (337) 654-7490.