Controlling Telemarketing Fraud
Who hasn’t received phone calls from “Visa Security” or “Microsoft Support” warning you of imminent disaster unless you follow their instructions (and, as often as not, send them money). For most of us such calls are annoying. For a few, they’re the start of a financial nightmare.
It’s been estimated that phone scams fraudulently generate 10 billion dollars of revenue a year. And that’s just the result of attacks on phones owned by consumers in the US. Who knows what the total number could be when you factor in other countries, other technologies, and unreported events.
Besides the criminals who profit from these attacks, no one’s happy about all this. Governments, financial agencies, technology companies, and consumers have all invested significantly in efforts to counter the problem. This article seeks to answer a simple question: have those efforts been successful?
What is telemarketing?
Telemarketing is the the use of communication channels - including email, mobile and land phones, internet websites, social media, and even the post office - to reach potential customers. Using such channels can be a far more cost-effective way to advertise than one-to-one cold calls or physical meetings. The ability to automate the process using various digital technologies lets advertisers reach thousands or even millions in hours, rather than a few dozen in a week.
While some telemarketers operate legitimate businesses or charities and carefully observe industry regulations, the people behind most of the millions of attempted connections launched daily don’t. The sheer weight of all that communication changes the very shape of our infrastructure systems and makes it harder for everything else to operate optimally.
Robocalls to cell phones, for instance, have become so common that many users simply don’t answer incoming calls or listen to voice messages. People are paying good money each month for mobile services that are, to some degree, effectively crippled.
Similarly, many email accounts were overrun by early spam campaigns to such a degree that it wasn’t worth sifting through the garbage for a few useful messages. You can get a sense of how big the problem is through the numbers. As of April, 2021, Talos Intelligence reported that, on average, nearly 16 billion legitimate emails were sent daily, but that there were an additional 88.2 billion spam messages. That is, for every 100 real emails, more than 550 spam messages were sent through the email system.
Having said that, in recent years, major email providers like Gmail have done an excellent job filtering out the majority of spam and malware messages. But as spammers are always coming up with new tricks, maintaining control is a costly and ongoing task. And it’s made widespread adoption of true end-to-end email encryption virtually impossible.
What’s been done to solve the problem?
2003-4 was a significant time in the fight against illegal telemarketing. The US, Canadian, and New Zealand governments passed Do Not Call laws, requiring that telemarketers avoid phone numbers that were registered with an official list. Failure to respect the lists could result in legal prosecution and fines against offending companies. And laws like the US CAN-SPAM Act, authorizing the Federal Trade Commission (FTC) to enforce its provisions to enforce compliance with email sending restrictions were also passed.
In the four years that followed there were a number of high-profile convictions of major international spammers. And high numbers of consumers who had registered with the US Do Not Call service reported satisfaction with the results. But our shared experience of the two decades since have shown us that the problem wasn’t solved.
One problem with Do Not Call registries is that they’re easy to ignore if the caller happens to live outside the law’s jurisdiction. And, even worse, offenders can use the registries themselves as convenient databases of valid phone numbers. I believe that unwanted calls actually increased after I registered my phone number with the Canadian version many years ago.
The value of such laws also relies on them generating sufficient deterrence. But government agencies like the FTC have long been accused of lacklustre or non-existent enforcement. Why would off-shore criminal gangs worry about such laws?
Efforts within the IT industry have presented a happier story. Email host filtering, email origin validation tools like DomainKeys Identified Mail (DKIM), and traffic shaping technologies deployed at the network level are all helping.
There have also been some grassroots initiatives. Savvy consumers are encouraged to keep illegal telemarketers on the line for as long as possible both to demoralize them and to reduce their profit-per-labor-hour rates. I personally enjoy asking “Microsoft Support” callers which one of my dozen or so computers they’re referring to. Listening to them desperately searching their scripts for a credible response is amusing. By the time I tell them that none of those computers is actually running Windows (we’re a Linux-only shop, here), they’re usually ready to hang up on me.
Former NASA engineer and well-known YouTube science evangelist Mark Rober quarterbacked a sophisticated and ambitious campaign against money mules working in the US for illegal Indian Scanning call centers. With the help of private investigators, law enforcement, and ingenious video-equipped glitter bombs, Rober managed to bring down entire teams of mules and prevent the extortion of at least a few potential victims.
But it’s not clear whether such actions had any noticeable lasting impact on the problem. More to the point, it’s not clear what kind of tools we should be using. It might be helpful to have some good data so we can observe correlations between remediation efforts and historical scam call and spam rates.
What does the historical data say?
To be honest I haven’t found exactly the data I’d like to see. It would be nice to get a consistent set of global numbers representing a range of telemarketing rates from the all the way back in the mid 90s. But the FTC’s Consumer Sentinel Network reports, published for the years 2004 to 2020, are valuable. Of interest to us, the reports track complaints shared by consumers with the FTC website about their experiences with telemarketing abuses. The cases are broken down by category.
Using this data, we can see trends in complaints about scams arriving via email, physical mail, websites (including social media sites), phone and “other.” Figure 1 shows the raw numbers of complaints from each year.
Keep reading with a 7-day free trial
Subscribe to The Audit to keep reading this post and get 7 days of free access to the full post archives.