Anyone interested in the details of how these scams are pulled off might want to check out "scam baiting" youtube channels like Kitboga [1]. They use a virtual machine and pose as a computer-illiterate person long enough to observe all the techniques. They are also pretty funny sometimes.
I'm astonished by how blatant their techniques are. For example, in the "refund scam", the caller pretends to be offering a refund for some tech support contract. The steps are:
- Get remote desktop access to the victim's PC.
- Tell the victim that they must log into their online banking account to get the refund.
- Use "inspect element" to edit the banking page, making it look like victim got too large of a refund.
- Convince the victim that they can't pay back the difference by another bank transfer, but instead must pay it back in the form of gift cards.
It's outlandish. It goes beyond computer-illiterate victims. The victim needs to have a diminished sense of skepticism, which can come from age-related senility but also cultural unfamiliarity, anxiety, etc.
Unfortunately the comments include a lot of casual racism against Indians, with little awareness of the structural conditions causing these scammers to exist.
>The victim must have severely diminished critical thinking ability for the scam to work.
This is why lists of "elderly owned" phone numbers go for so much on the black/gray market. The cost of running these scams is so low that they spam everyone with their bait, but I suspect the real cash cows are elderly people who have large savings / Social Security checks.
Part of the problem is that it is super difficult to teach a parent or grandparent what inspect element even is without delving deep into Web infrastructure and how browsers work...very complicated, technical explanations. Simplification works to a point, but if you just tell them "don't trust what you see on the screen" they'll ignore actually important warnings, blast through alert boxes faster than they can read them, and when your next lesson includes "look for the green padlock next to each address" they'll just get even more confused since, you know, you just told them not to trust anything.
You don’t need to teach them about inspect element. You just need to teach them today’s basic rule of thumb: if someone contacts you over the phone or Internet asking you to do something, no matter what it is or how serious the person sounds... just don’t do it.
Bank branches mostly exist as an anti-fraud device for mortals.
The lesson is, someone call tell you there IS a problem on the phone, but don't trust ANYTHING else, not even the description of the problem.
The absolute only thing they're allowed to tell you is that you need to visit your banking provider tomorrow, not some other bank but your own bank, with only family, and ask what the actual problem is.
Your suggestion, while well intentioned, does not fully appreciate the scope of the problem as it relates to elderly social engineering and the inherent weaknesses (fear, loneliness, mental deterioration) that are leveraged by attackers.
This. Loneliness is powerful; I suspect that if you're lonely enough, even a scam call conversation has appeal. There are even suggestions that loneliness has physical implications [0].
My father suffers from vascular dementia. He's pretty agreeable these days (a lot more so than he used to be). Fortunately an underlying suspicion of strangers calling to talk about money on the telephone has triumphed thus far, but I do expect that this balance will change over time.
Unfortunately there's a scam for that,apparently. The scam caller tells the victim to call their bank, but doesn't hang up. The victim hangs up, calls the bank, the scammer is still on the line.
If you're concerned about that, wait a minute. I can't find any discussion of the scam online, but I would hazard a guess that this isn't really an attack vector these days.
It happened to an old lady in switzerland recently - she didn't hang up, the scammer just got quiet after saying he would hang up so she could call the police, and then had someone else answer the lady when she assumed she was talking to the police.
..and for those who might not be comfortable trying to find this information on the internet, it's almost always listed on your [credit/debit/atm/etc] card itself.
As mjevans says above, it's fine if they tell you there's a problem, but you should never try to solve that problem over the phone based on a call by a stranger.
Unless you know exactly what you're doing, what you should do in the case of any over-the-phone problem like that, is first contact someone you trust and knows what they're doing. Your own bank, an expert of your choosing (and not chosen by the stranger on the phone), or a knowledgeable friend or family member.
> This is why lists of "elderly owned" phone numbers go for so much on the black/gray market.
My grandmother started developing dementia about three years ago. What is really disturbing, is that the scammers somehow figured it out about a year before her symptoms started really presenting themselves. It eventually got to the point where they were calling and asking for her by name several times a month.
She has a fairly large retirement fund, and I think they may be try to get access to it specifically. I am horrified at how sophisticated these operations have become. When they had her on the phone, they must have asked her lots of questions that they used to make a dossier of her, and have been passing this dossier from scam agency to agency. It is clearly a call center calling her, and I have experimented with them. I ask them to call back, and they asked when would be a good time to call back. And then a different person returns the call, clearly reading from a script and already knowing personal information about her.
One thing I am concerned about is that they are simply pumping her for information, so that they can impersonate her and try to initiate a money transfer directly with the bank.
It is so disturbing that there are people out there who know who my grandmother is, and are trying to take advantage of her.
The YouTuber Kitboga mentioned above got into the scambaiting thing because someone took advantage of his grandmother suffering from dementia. It really is a terribly abusive con, and one can learn a lot about their methods and intents from watching his channel.
Re teaching them inspect element: the scammers use a driver they install to black out the screen “for security” of course so the victim doesn’t actually see what they’re doing. Kitboga and others stop the install but act like it’s blacked out when asked about it.
Really all they need to learn is that gift cards are not payment. Also the sites that allow gift card reselling need to be held a little accountable too. If someone is going on there and listing thousands of dollars of gift cards that should be a huge red flag.
> If someone is going on there and listing thousands of dollars of gift cards that should be a huge red flag.
There are legitimate reasons for doing this. Buying gift cards using a rewards-earning credit card and reselling them online is a great way to rack up airline/hotel points if the gift card can be sold for anything close enough to face value.
> The victim must have severely diminished critical thinking ability for the scam to work.
I don't think that's true. It can happen to immigrants to a country who are entirely unaware of banking/legal/taxing practices, etc. who can be scammed into thinking a call is from a legitimate authority figure and who simply do not have enough cultural familiarity to know which things "don't seem right."
About the racist comments: I have engaged these scammers myself and to a person (usually male) they will shout expletives at me once they realize I have wasted their time and I will not be their next victim.
Interestingly enough they all use the same “insult” that they will have relations with my mother (insert relevant expletives). These people are fraudsters preying on older people and do not deserve pity.
Yes, some (most?) of the scammers are bad people. That doesn't mean you can conclude that all Indians are bad people. Those are the comments I was talking about.
I don't know the specific comments you're talking about, but it should be pointed out that truthful observations such as most of these scammers being indian isn't racist. Nor are warnings that if someone with an indian accent calls you out of the blue, be on your guard.
At the end of the day, not all humans are thieves, but I still attempt to prevent all humans from entering my house.
OK... Your point is that there exist comments that could follow from the racist premise "all Indians are bad people", but are also justifiable by non-racist premises like "most scammers are Indian"? Thanks for explaining logic, I guess.
I work as a care giver was in washroom with a slightly demented client and the phone rang. She asked me to get it as she could not get up quickly. It was of course Microsoft Support. This lady has never owned a computer and I knew right away scam. I said “you piece of shit scum of the earth” and before I could finish he says “oh shit” and hung up on me. Luckily this lady has no access to credit cards or money but if she did she would be the perfect victim. Easy to fool and no way to tell you how it all happened. I normally act highly professional speaking on other people’s phones but in this instance I knew it was for sure a scam and really hoped by showing I knew exactly what they were they would not waste time calling back.
That only works for remote support type calls, you'll get opposite results if you try those tactics with free cruise or fake credit rate adjustment calls.
I finally got one of the credit rate adjustment calls to not immediately hang up on me, kept them on for about 15 minutes.
They incorrectly claimed that I only gave them 15 digits for my credit card number-- I think to make sure I read them the same digits back. Next time I'll make sure to have a fake credit card number handy that passes the checksum.
>>It's outlandish. It goes beyond computer-illiterate victims. The victim must have severely diminished critical thinking ability for the scam to work.
That's the whole point. MS Research actually pointed out that the pitch--full of speeeling mistakes--was designed to attract the less educated /intelligent ones, since smart ones are a waste of time.
Certain types of crimes and scams tend to gravitate into certain demographics. This community is full of drug dealers, that community is rife with protection rackets. This other community tends towards phone scams. There are particular circumstances that have lead certain scams to be rife in Nigeria, and another that have led this sort of scam to operate in India.
It’s not necessarily that Indians generally are more corrupt or venal, it’s just that this is a particular way venality and corruption manifests over there. Other communities manifest their venality and corruption differently, due to different structural reasons. So the simple logic that goes this is bad, predominantly only people from this demographic are doing it, therefore this demographic must be worse than everybody else, is overly simplistic. There are bad people everywhere, they just do different things depending on their circumstances and opportunities.
> The victim must have severely diminished critical thinking ability for the scam to work.
That's oversimplifying, and insulting, and unsupported.
It's more accurate to say more likely scam victims are more likely risk tolerant. As this study puts it, they see "the potential for high benefits as outweighing the risks."
I don't think severely diminished critical thinking ability is too far off the mark. Perhaps it sounds harsh, but the reality is that many elderly people do have diminshed mental capacities. It's how life works. It does not even need a citation because we all know it. I have never heard of a scam that was highly successful of bilking 30-somethings for millions (other than our consumer culture, but that's a different story).
Also, you can watch hundreds of vidoes on Youtube and hear exactly the types of scripts that are used in these scams once a live person is on the line. To anyone running at average mental capacity these are clearly scams, regardless of how computer-literate you are. Also, in TFA, as well as in reality, most scams are against the elderly: https://www.fbi.gov/news/stories/results-of-elder-fraud-swee...
There's a reason for this. It is because all of our mental faculties decrease as we age. That diminished capacity may cause people to be more trusting, but the root cause is diminished capacity. And it is neither oversimplying or insulting, it is real information that can help direct actual solutions.
Many scams, including the example parent gave, trade on fear rather than a fake reward. How does "more risk tolerant" play when the victims are cooperating because they think they will be prosecuted by the IRS or sued if they don't pay up?
If you comply, then you risk losing the money (what if it was a scam?) versus the benefit of avoiding jail.
If you refuse, then you risk jail (what if it was real?) versus the benefit of keeping the money.
If you get a scam IRS call, then refusing is correct. But the risk-tolerant person considers the alternative: the potential for benefits of compliance over the risk of compliance; they might think "Could be a scam... but I'd rather not go to jail!"
If you get a real IRS letter, then complying is correct. But the risk-tolerant person considers refusing and benefit of keeping their money; they might think "Could be a scam... I'm not paying!"
You acknowledge it yourself. There’s “risk” to both complying and ignoring the call.
Anyway, risk tolerance isn’t the right lens to look at this. It’s about knowing whether that’s the way the government would actually issue demands and take payments. That requires some savvy and insight about the world. Some people have it and some people don’t. And relatedly, it’s about being skeptical vs. trusting in general.
This is exactly it. I have received several “your social security number will be cancelled” calls. The caller id is the real social security 800 number. If you didn’t know better and relied on disability or social security benefits, I can imagine that would be pretty frightening.
edited. I don't think greed plays a big role in the refund scam I described because a lot of the victims are on the "mark list" and actually did pay for some tech support contract in the past from another scammer. So it's not fair to say that they are all being greedy trying to accept an erroneous refund offer. But I agree that greed plays a big role in many other common scams.
Can we really not acknowledge that some people are dumb or ignorant and easily taken advantage of? It’s harsh but if you’re not willing to accept that, then you won’t be able to understand the world and make it better.
The GP was, and now I am, objecting to your speaking "brutal truth" and then acting like the brutality of it is a virtue. As if it's courageous to be mean to people. And then talking about being unable to understand the world, it being like sticking your head in the sand, without it! .. It's not 'euphemism' to speak respectfully about people. The point is less brutality, not less truth.
I would never advocate for being mean. There’s no warm and fuzzy way to put it, that some people are taken advantage of because of their low intelligence. I was responding to someone who said that the suggestion was “insulting”.
You simply could have said "easily taken advantage of", omitting the needless offensive words; you were not in a discussion where it was necessary to provide a root cause diagnosis for why people are easily taken advantage of, nor is your diagnosis especially useful, since the overlap between credulousness and low intelligence is significant but not perfect.
More importantly, in that conversational circumstance, why double down on it? Wasn't your point that we should acknowledge fallibility and use it as a policy premise? Why get off track?
In my opinion, we could all use a little more "brutal truth" in our life.
Yes, the words "dumb" and "ignorant" are harsh, but so is truth.
Marcoperaza wouldn't use those words to insult them to their face, and neither would I, but it's important to be able to talk about things honestly.
Next time you get a call, waste their time a little pretending to be slow and then do something to make them angry such as explain that you've been wasting their time and don't approve of their business methods. They'll put you on some uber-mark list as retaliation, and you'll get a couple of dozen calls over the next few days.
>get a couple of dozen calls over the next few days.
For me, it's been years. I've irritated a lot of scammers. I've also a fake bd of 01/23/45 for most of my online life so I fit right into their target group.
> Next time you get a call, waste their time a little pretending to be slow and then do something to make them angry such as explain that you've been wasting their time and don't approve of their business methods. They'll put you on some uber-mark list as retaliation, and you'll get a couple of dozen calls over the next few days.
Iunno, I do this every time and they usually hang up on me quickly.
If they uber-marked me, they'll just waste even more time. But alas it hasn't happened.
It is very low effort to just put the phone down and waste their time until they realise. They are usually so deep into their script that they will talk for minutes.
I was on my way out the door one morning, taking my dog to the vet to have a lump removed.
I was in a bad place.
The phone rang. I knew I shouldn't pick it up, but I was in a bad place.
It was "microsoft", and they needed immediate payment to avoid legal action.
I am a little ashamed of what happened next but I dumped every curse word I could think upon that indian guy. It had nothing to do with him really, but I really let him have it.
Honestly, I feel bad looking back at it.
He may have been wrong, but I was wronger.
He is trying to survive like everyone else.. who the hell am I to sit in the comfy first world and judge?
Nothing to be ashamed of. The person on the other end of the phone was a criminal attempting to defraud you. You could have done much worse than just cursing them out.
> He is trying to survive like everyone else.. who the hell am I to sit in the comfy first world and judge?
This line of reasoning ultimately leads to the conclusion that morals only apply in situations where it’s comfortable and convenient to apply them. Perhaps any particular scammer has been the victim of their own set of injustices (or just as likely, perhaps not), but that in no way excuses their victimisation of others. They’re adults too. Not some poor lowly Indians who had no choice but to defraud the vulnerable.
> He is trying to survive like everyone else.. who the hell am I to sit in the comfy first world and judge?
He doesn't know you from a senile person living in poverty. They'll steal your money regardless of who you are. There's no moral justification for that. They are evil.
This. I used to have long commutes. I really enjoyed getting scam calls during the commutes and seeing how long I could keep them on. It was completely a game. I look at it that the longer I can occupy them the less time they have to take advantage of someone else.
These people are the lowest of the low, they prey on the senile and ignorant, stealing from them regardless of their economic status. There should be no pity. If I can end the conversation making the scammer regret their life decisions, or at least waste their time, it's a win.
He generally plays the part of an old person 100% of the time. Also he has a huge following and fans submit numbers to him, so he generally calls them back
> Do you know what Kitboga and the like do to get themselves targeted by scammers?
From my experience: have a phone number. The real reason that I decommissioned my old landline was that it had become unusable: calls at all hours of the day and night, none of which were wanted and most of which were illegitimate.
> Unfortunately the comments include a lot of casual racism against Indians, with little awareness of the structural conditions causing these scammers to exist.
Thank you for this. It's easy to say "they" when referring to a particular race or group of people that happen to be dealt the cards in life such that they end up doing this.
Sadly those who take on this work are many times themselves in an even worse situation and many put their blinders on when scamming others because there's nothing else or left for them.
Or...it's a relatively easy job with little risk and a good opportunity for upside? If you are sufficiently lacking in morals? Frankly, I consider it just as much 'casual racism' to say "poor Indians, they have no choice but to commit crime because things are so bad where they are"; that's stereotyping too.
I have to deal with way too many of these folks (it's not just from India...Nigeria, Eastern Europe, etc). Let's break this down a bit: we aren't talking about people for whom the only alternative is begging in the street or something. They're literate in English. They've had some education. They're mentally nimble enough to run the scam. They work in an office. And they are deliberately seeking to manipulate and defraud the weakest in society. These are folks with options, not either being a criminal or selling organs to feed themselves.
So perhaps it makes me a bad person, or insufficiently compassionate. Or something. But I've been to Hyderabad and Lagos and a bunch of other places and seen people who really have no options. So I can't quite gin up forgiveness for someone who is targeting the feeble, the more feeble the better, for fraud, and would consider taking everything they had a success.
The same can be said for drug dealers, or mob enforcers, or any number of other jobs that prey on other people. While it may explain why they're doing what they're doing, it doesn't excuse it.
To be clear, I'm talking about the people perpetrating these scams, not any racial group; Indians or otherwise.
Jim Browning is another great channel related to this, in that he does his best to infiltrate the callcenters he gets calls from and find the info needed to alert (or even refund!) the victims:
While Kitboga's scambaits are definitely entertaining and a waste of the scammers' time, Jim seems to be doing the work that a police unit should be doing.
I always wonder if that channel is real or fake. I swear I've heard the same scammer more than once and I don't see why the scammers wouldn't check to see if they're running in a VM as soon as they get remote access.
After watching a few of these, I think many of the scammers are not very tech savvy, but are simply following directions they have been given. Some of them are very easily fooled by Kitboga's tricks.
He's hiding the most obvious signs that it's a virtual machine to some degree. The scammers that in 99% of the cases fail to change a number with the browser developer tools because he added an invisible div on top of his fake bank page are just too incompetent to check for a VM, though some do or at least try to. Kitboga specifically also livestreams on Twitch: https://twitch.tv/kitboga for hours at a time, multiple days a week. I see don't really see a chance that's faked.
another scam involves getting remote access and then setting the windows password so they have to call another number and pay ransom to get in their own pc, the screen saver text is usually to unlock your pc call xxx-xxx-xxxx
About 10 years ago, I was able to get a scammer to run a malicious Java applet. I just insisted that if they really wanted my money, they were going to have to use this fake bank portal I made.
Wish they'd do something about internet scammers. One of them got my mom to pay $150 and she lives off disability. She asks me all the time about these messages she gets about how her computer is damaged and to call a number. I tell her not to, but she has dementia and forgets. These assholes are preying specifically on our old population.
My parents aren't equipped to deal with the amount of deceit online. They grew up in a different time. For example, my mom went online to buy flowers and didn't realize the top ads on Google are all scams where they overcharge you and forward your order to a real local shop.
Or how about the Marketplace investigation into fake locksmiths in the GTA?
I didn't downvote it, but remote control of your PC is only a subset of the scams. So, helpful to have them use an iPad or Chromebook, but not a panacea.
Defense in depth of the vulnerable. Being a trusted contact at financial institutions and having access and authority to screen and monitor calls are also components.
People can be monsters (as the story mentions). Prepare accordingly.
Websites telling you that your computer is broken will load just as well on mobile Safari as they do on desktop Safari. I've clicked a search result link that has redirected to them before on iOS myself.
Maybe if the scammer's script absolutely insists you use remote-desktop you might get lucky, but scammers can still scam without remoting in to your computer.
I hope this happens while I'm in the presence of an elderly relative. I will pick up the phone, naively try to get them to give me any personal info, and record the receiver with my phone. Then I'll inform them I've just done that.
I'm not sure if that's the point of an iPod, though - those scams go a lot further than remote computer access.
Serious question, from an anxious person whose parents are nearing "that age": Is it normal for a person with dementia, and family support for their condition, to have control of their finances to the point where they can give large amounts of money away?
There needs to be felony-grade criminal liability for the VOIP providers who are giving the scammers access to the US phone network. It's funny how many things are a serious, unsolvable problem until someone is in danger of being perp walked in front of reporters, at which point it's easily solved.
I don’t know why the US government is entertaining a game of whack-a-mole here. Just make more than X reports per customer per year of connecting scam calls an instant non-trivial fine for the phone service provider, where X is some small value, and let the big telcos figure out how they want to stop it.
This requires cooperation from the telcos at minimum. That's assuming they even keep records of the origination of the call, and not just the (spoofed) incoming phone number.
We really just need to switch our signaling infrastructure because it is just plain insecure. Legislation could make that happen.
I've had 3 separate calls today from the "IRS" about an enforcement action against my social security number. I've been waiting for a very important call from an undetermined number and it's infuriating to keep picking up to hear these stupid scams.
I accidentally called one back a few days ago and incoming robocalls have gone through the roof. I have no proof that that's why, but I won't rule it out.
On a more positive note, Hiya has been working really well identifying spam/robocalls, so I don't actually pick them up.
Anecdotally, I've noticed a decrease since a few months ago (my call blocker log shows 1 call in all of January) and I've been picking up, striking up a conversation for 10-15 seconds then continuing the same with hardcore insults in a relaxed, deadpan manner, as if we were still discussing their IT assistance/credit card "refund"/cruise/security system offer. If they start yelling I just hang up. Some people try to keep selling me their crap, that is funny; I've got quite a few stunned silences punctuated by huffs and puffs, and I made one scammer sob, that was great (I guess whatever I told him about his call center job was accidentally well targeted); so it's also great entertainment and takes very little time, you can have them on speakerphone and keep working/reading/working out/etc.
I like to think they put me on an actual do not call list since I tie up and annoy their operators for as long as possible. One time getting the same guy a dozen times before he finally gave up and from what I can guess just went on a long lunch lol.
That doesn't sound like a worthwhile use of time though. What would be cool is if we could transfer the call to a robo responder and have it be smart enough to act like a really dumb person.
It should also learn the caller's speech and slowly overtime change it's own voice to sound more and more like the caller. Eventually the caller would be talking to themself... same accent, cadence, vocabulary, etc. LOL
I have downloaded an app called RoboKiller and it has worked well so far. I used to get spam calls from Russia, India and Indonesia at 3 am in the morning and wake me up. After downloading the said app these calls have drastically even though once in a while a spam call gets through.
Sorry that was vague - Waiting for a call from an insurance company that's nationwide and I have no idea what number they'll be calling from, so it's not just a matter of screening for a certain area code, which is forcing me to answer and talk to scammers instead of just ignoring all incoming calls like usual.
The DOJ press release [1] mentions that a majority of these calls are coming from India. Does anyone know what the Indian government has done to try to fix the problem? I would assume enforcement should start there.
Why? The US has the prime responsibility for enforcing US laws. And the US also has plenty of control over the calls, because they have to go through US equipment before reaching the phone of a person residing in the US.
I mean if they even took the small step to ensure that these calls do not spoof the caller ID, and appear as coming from India, this would decrease a lot of the scams.
Trade deals and sanctions are carrot/stick. And in practice..
folks share intel all the time.
Digital crime has been increasing ~20% YoY for awhile now, matching the rise of e-commerce and weaponization, and is very much a global thing -- this stuff is why we have governments, the NSA exists, etc. (Our startup builds GPU graph viz analytics & automation often used for scalably mapping this kind of stuff, both for fraud+attacks, and the defender side is very much a team sport both at enterprise and gov levels.)
As I pointed out a couple of hours before your comment, there's certainly plenty of news articles about the Indian police arresting people for call center scams -- often in cooperation with international authorities -- search [india call center scam arrest]
I'm aware that they do. I'm suggesting that the answer to "why?" India might want to address the issue is because their own legal system also prohibits fraud, and is not simply a concession to foreign interests.
True and USA has a gazillion ways to force other states to crack down on stuff that hurts USA. Fraud is illegal, but in a way, this is hurting USA and bringing money to India (see Mexico and drugs)
Agree, also there are quite a number of robocall and voice bot scams that originate within the domestic US. FCC doesn't seem to have an interest in forcing carriers to do anything about this other than develop products in which they charge you for providing some layer of security which should have been there in the first place.
Indian justice system is a joke. Not sure what you could hope for there.
I don't see why this can't be fixed client-side? The vast majority of people don't need to receive calls from overseas, problem solved.
As a former shiftworker who was on call I begged my telco to only allow Australian numbers to my phone, they couldn't do it, despite trying to escalate the issue it was fruitless, all day while I was sleeping I would get phone calls from the Seychelles, Mexico, etc.
Short of MitM'ing all VoIP traffic, how could this be proactively enforced? It's far more practical to focus proactive enforcement where actual phone lines are used, which is exclusively in the U.S.
Scam call centers employ 1000s of people. You just need one of them to talk and collect evidence. The companies pay poorly and have high turnover, so they shouldn’t be hard to find.
That is not proactive enforcement. Also, it has been done before, and is clearly too slow - they may arrest one or two people, while the other thousands can easily relocate their laptops and headsets.
The most effective place to stop it is at the "border", and that is what DOJ is doing here.
The big telecoms get call traffic from a manageably small number of interconnect companies/organizations.
They probably can’t figure out the initial source, but they can figure out which interconnect it’s coming from.
They should call them at their 24/7 NOC and tell them to trace it back a later to trace back another layer to trace it back another layer. Or else they’re getting shutdown in 24hrs.
Same as AT&T would do if Cogent was sending them spoofed scam traffic.
The problem is that the telecoms get paid for these 4th string interconnects by the minute.
How do you enforce that with how disposable DIDs are?
It is trivially easy to acquire a block of numbers from any number of sources with easily falsifiable information, connect them to a SIP application to robocall/robotext victims using easily falsifiable CID data and disappear just as trivially.
Programmatic voice via SIP trunking only makes this worse-not critiquing services like Twilio, Plivo or Telnyx, just highlighting one of the unfortunate risks the technology available to us enables.
CID enforcement is a grand idea but I have no clue how you'd actually accomplish it.
How about the number? If I'm making a SIP call on, say, Alianza, shouldn't what I present as my number for Caller ID match what Alianza thinks my number to receive calls is? Or, if I'm a large organization, shouldn't it at least be one of the numbers registered to my organization?
I may be able to spoof the name. The number? Not so much.
You also send your number as part of the invite. Responsible VoIP providers limit this to numbers you own, but it's totally possible to send calls using a number you don't own. There are CNAM databases but not all carriers make use of them and they aren't a source of truth. How would your solution deal with numbers which go back into a carriers pool? How would your solution deal with newly claimed numbers? How do you verify the numbers on file for an organization?
I was thinking along these lines: It may be possible to send calls using a number I don't own. It should not be possible to send calls using a number that the VoIP provider doesn't own. If I'm sending a VoIP call to someone's cell phone, and I'm saying that I'm a cell phone in the same block of numbers as the destination phone, a responsible VoIP provider should block that, even if they don't restrict me only to my number.
But we both used the word "responsible". I think that's the problem - there are some irresponsible VoIP providers. Maybe even deliberately irresponsible. For obvious reasons, they attract the spammers and scammers. And that brings us back to this lawsuit as a reasonable response to that kind of irresponsible behavior.
I repeatedly get scam calls from a fake "Verizon" that show up on my caller ID as Verizon on my Verizon phone. When I call back I end up talking to the REAL Verizon who basically say "oh yeah that thing ... we'll never call you so don't pick up, that's a scam"
If they can't stop someone impersonating their own name/number on their own network, we're all screwed.
I KNOW for a first-person fact that Comcast periodically calls their broadband customers, at least their business customers, just to "check in and make sure you are happy," etc.
If anyone from the iOS team is reading this, it would be so very cathartic if I could select a call from my history and "mark as spam" instead of just "block caller".
I want the phone to block made up numbers. There is a North American Numbering Plan that defines the ranges of valid numbers. I should not be able to receive an incoming call from any number that is not part of the numbering plan.
I don't think that would work too well. I have actually received a call from my own cell phone...on my cell phone. Now that I think about it I should have answered it to see if it was someone or if it was busy. Either way this is getting out of hand.
It could be one prong on the fork that stops robocalls. It sure doesn't solve everything. There is no silver bullet that just stops all robocalls, its going to take a multi-faceted approach.
Spoofing aside (that's a telecom problem, and it obviously needs fining and fixing), if enough VOIP-owned numbers get blocked, the services running those numbers will raise prices and/or step up their banning game. It's not a sure-fire fix, totally agreed, but I don't see how it'd make the situation worse.
I don't see how they can do much to take down the groups making the calls. Where's the negligence lawsuit against the telecom companies allowing it to happen?
> The companies named in the suits include Tollfreedeals.com, Global Voicecom Inc., Global Telecommunication Services Inc and KAT Telecom Inc.
I guess it's not clear to me exactly what role these companies play in the process. They aren't AT&T and Verizon. Tollfreedeals.com sounds like it would be one of the scammers, not one of the phone companies, but I can't tell from the article.
These companies get paid by the scam call centers overseas, so they are the gateway. They then route it through a series of middlemen until eventually going to AT&T or Verizon.
I am glad they're not jumping straight to the first approach - that seems much shadier to me and a way for the Telcos to start forcing more fees on external carriers. Giving them the power to cut off call carrying unless the partner agrees to audits and other expenditures (like customer list sharing) for "security reasons". There are legitimate issues here, but the first option seems like throwing out the baby with the bathwater.
They're VoIP service providers—they sell PBX access and US numbers to the scammers. Without a VoIP provider in the US to route through, the scammers would have to be calling from India using their own +91-country-code numbers, which could be pretty easily ignored. (Most people don't have any genuine reason to expect a call from India, and could just set up rule-based blocking for the whole country. It would probably become a feature you could enable on any residential phone provider's account page.)
> Calls may be traced through these records
back to their gateway carrier, and thus to their foreign source. The telecommunications industry
refers to this tracing process as "traceback."
Gee I am glad there is a presidential election coming up so that they are actually dealing with this. For the last several years robocalls have gotten so bad that I have stopped answering my phone for numbers that are not in my address book and now I have to ask anyone that is planning to call me for their phone number so that I know to answer.
And these have been illegal the entire time. It is not like they had to pass any laws about it or anything. They just had to get off their buts and enforce the laws.
The problem is that the majority of the robocalls come from India [as per the article], the only thing that would get the foreign Government to deal with it is threatening sanctions which most likely isn't going to happen. The lawsuit here targets a few select entities, but there are many more and the ones mentioned in the suit could disintegrate and pop back up tomorrow under different names.
No, that is not the only thing. I already suggested another thing -- force the phone companies to correctly identify the phone calls as coming from india. The phone companies know where incoming calls are coming from.
That's still a tough issue. Ever since we had phones that could move around, phone numbers weren't linked to physical location. Should my Skype For Business VoIP number change when I'm on client site in a different location?
Here's one telecom complaining to one of the defendants:
> “These types of scam calls are prohibited from our network and further fraudulent calls from the same customer account will result in termination of said customer account. The number of 844-xxx-xxx has been removed from your account in order to protect the integrity of our network"
Sooo, it sounds like getting caught with spam calls doesn't even result in a ban....
> organization sent an additional 6 emails... notifying him... the Resp Org was removing eight additional... numbers from the accounts of two TollFreeDeals customers
Ugh. No wonder these have been going on for years.
I'm interested in opinions on why only these companies have been targeted. Would not the US carriers too have been instructed to block calls from the identified sources? It seems inconceivable that the US carriers can reliably receive payment for the calls but unable to refuse them. I feel that if these were political robocalls originating from offshore rather than financial scams that this would have been addressed far sooner.
Kudos for doing something though. I expect a surge over here if scamming the US becomes non-profitable.
is there some better way to break apart the criminal gangs that do this? how about offering large bounties for turning your confederates in? this might be an annex to the racketeering laws where you get immunity and a huge payday for ratting out your co-racketeers.
complexity is working against us right now. criminals have 193 national jurisdictions to move around and hide in. better to give them the complex task of maintaining 100% loyalty among their ranks at all times.
I've been presented with several offers over the last year to renew my car's warranty as it's expiring soon.
I don't own a car nor have a driver's license.
I usually get through to a person then ask them which of my many cars is expiring. Somehow they never know, and just keep asking me for the make and model of my car.
Maybe I should look up some really obscure model to further troll with?
Just insure your 1995 honda civic with 300k miles that's been stuck in the garage because you are not legally allowed to drive because of vision loss. I was amazed that they didn't care about my condition, and pushed me up to a senior warranty specialist that hung up on me when I asked " and where are you located sunny" in my oldest voice possible. Waste as much of their time as possible.
Oh, it's full of holes.. not only that, but there's no verification system for even caller id data... That's why you'll see a lot of scam calls looking like they're from your areacode and prefix.
Would passing a legislation which requires these gateway carriers to verify the billing addresses of their customers through their banks(IRS scammers) force these companies to filter out most of them ?
By the time the lawsuit wends its way through the courts, all that will be left is a shell and a secret bank account in the Cayman islands that we cannot discover.
And the scammers will be on to something new.
But at least I won't be getting calls in Chinese any more...
The current problem is a kind of technological loophole. Scammers outside the US can anonymously and for (almost) free perform what are basically phishing attacks on everyone with a phone. Unlike other kinds of internet-based scams, there is no technology layer like spam filters that can screen calls for people since they spoof whatever area code and number they want. It needs to be fixed.
And you should read about these "scammer districts" in India. They didn't exist not that long ago and sprang up overnight as this "opportunity" arose. Most of the employees aren't exactly the cream of the crop by India or anyone else's standards. Make it take more effort and brain power to scam people and you drastically reduce the number of scammers.
The spoofed caller ID thing really needs to be fixed. Our office number ends in a nice round number XXX-XXX-8000 and several times a day we get calls back saying "WHY DID YOU JUST CALL ME" and they don't believe me when I tell them we didn't and somebody's spoofing caller id. Spoofing Caller ID to someone else's number shouldn't be possible. (But it's very easy. I can enter any phone number I want in our phone system here!)
> Spoofing Caller ID to someone else's number shouldn't be possible.
Right, this is why we have certificates for websites. I want to know it's my bank I'm logging in to. I'd also like to know it really is my bank that's calling...
The scammers are. The companies being targeted are onshore. Which is why the USA can get to them.
My point is that the people in charge have every reason to believe that the government will crack down on them, and have had all the time that they need to try to hide the money. By the time the courts are done, there will be no money to find.
Note that this action does not target the individuals conducting the calls; this lawsuit targets VOIP "gateway carriers" based in the U.S. who carry the VOIP calls onto U.S. copper telecommunication (as described in the article).
And the "gateway carriers" have a corporate shell and people who are intimately involved with scams of all sorts. Which is why they got in the business of enabling other scams.
When they see the writing on the wall, do you not think that the ones in charge won't try to sneak all of the money that they can out of the company into somewhere it can't be traced, that they can pick up later?
Nick Palumbo who is named lives 5 minutes away from me and I see him at Trader Joe's regularly. He is a real person, now both him and his wife are screwed pretty bad
They are going after the VOIP providers, exactly as they should.
Here in Canada we've had years of various frauds -- spoofed calls pretending to be the government, the police, etc -- and it almost always comes down to a single VOIP provider.
I'm astonished by how blatant their techniques are. For example, in the "refund scam", the caller pretends to be offering a refund for some tech support contract. The steps are:
- Get remote desktop access to the victim's PC.
- Tell the victim that they must log into their online banking account to get the refund.
- Use "inspect element" to edit the banking page, making it look like victim got too large of a refund.
- Convince the victim that they can't pay back the difference by another bank transfer, but instead must pay it back in the form of gift cards.
It's outlandish. It goes beyond computer-illiterate victims. The victim needs to have a diminished sense of skepticism, which can come from age-related senility but also cultural unfamiliarity, anxiety, etc.
Unfortunately the comments include a lot of casual racism against Indians, with little awareness of the structural conditions causing these scammers to exist.
[1] https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw