Naked Security

Scammers and rogue callers – can anything ever stop them?

Some thoughts for Cybersecurity Awareness Month: Is it worth reporting nuisance calls? Is it even worth reporting outright scams?

Scam calls are a nuisance at best, because they’re intrusive, and a social and financial evil at worst, because they prey on those who are vulnerable.

You probably get dozens or hundreds of them a year, often in waves of several a day, where the caller claims to be from Amazon (about a credit card charge that doesn’t exist), from Microsoft (about a computer virus that isn’t there), from the police (about a copyright infringement you haven’t committed), from your bank (about suspicious transactions that haven’t actually happened), from the tax office (about penalty charges you don’t owe)…

…or from any of a number of sources that fraudulently put you under pressure to agree to do something you later regret, such as transfer money from your bank account, hand over personal information such as passwords or payment card details, or install malicious software that lets the scammers remotely rummage through your computer.

Scammers of this sort are typically based in high-pressure criminal call centres outside your country, but they make use of internet-based calling services that cost pennies a minute to make calls anywhere in the world, yet show up on your phone with a local number to give them an air of legitimacy and traceability.

https://nakedsecurity.sophos.com/2022/06/20/interpol-busts-2000-suspects-in-phone-scamming-takedown/

Not quite a scam

Sometimes, however, the callers aren’t quite scammers, and they really are based in your country, working for a registered company, calling from a number that really is local.

They might be promoting a legitimate service, such as something environmental to do with green energy, roof insulation or double-glazed windows, but they may very well call you against your will, even calling you repeatedly after you ask them to stop doing so, use high-pressure sales tactics, and make disingenuous or even dishonest claims to legitimise their calls.

We receive a lot of unwanted calls, and although outright scammers (those who have nothing real to sell and nothing even vaguely legitimate to offer) outnumber the “chancers”, we nevertheless still get plenty of calls that genuinely do originate locally, and represent local registered businesses claiming to be operating lawfully in this country.

We’re on our local equivalent of the national Do Not Call list (known in the UK by the very bland and neutral name TPS, short for Telephone Preference Service, as though anyone would ever prefer to opt into this stuff), so none of these callers, whether they’re outright cybercriminals or just local telesales chancers, are supposed to be calling at all.

And that raises two related questions:

  • Is it worth reporting the outright scammers? They’re almost certainly outside the jurisdiction of your own authorities, and even if they get kicked off their current internet phone service, they’ll soon be back via another one. The names of the callers are fake and they don’t work for the companies or organisations they claim anyway. Why report them if nothing is ever likely to come of it?
  • Is it worth reporting the local chancers? Given that they know they can be traced, and aren’t really trying to hide, it often feels as though they must have some sort of regulatory cushion. Certainly they sometimes couch their calls as though they’re part of an official government programme, to give the impression that they’re entitled (or even required) to call you. Why bother to report them if they’ve got an apparently valid cover story?

Report rogues if you can

The answer to both the questions above is, “Yes, it is.”

To be clear, we’re not suggesting that it’s your civic duty to report every scammy or dubious call you get, because even in countries where call reporting has been made very efficient, it does require you to record the caller’s number, write down as many details as you can remember, and then go to a website to input all the offending information.

Doing that every single time you get an unwanted call is an undertaking most people simply don’t have time for.

But if no one ever says anything, then something you can be sure of is that the regulator in your country will be able to do nothing.

On the other hand, if enough people do take the trouble to submit reports, then regulators will sometimes be in a strong legal position to do something, even if it feels rather modest compared to the scale and effrontery of the operators they’re acting against.

For example, the Information Commissioner’s Office (ICO) opened its account for this year’s Cybersecurity Awareness Month with enforcement actions against four British peddlers of allegedly environment-friendly products and services: Posh Windows UK (fined £150,000 for calling nearly half-a-million “do not call” telephone subscribers), Green Logic UK (fined £40,000), Eco Spray Insulations (fined £100,000), and Euroseal Windows (fined £80,000).

These fines (or, more precisely, monetary penalties) may seem very modest, typically clocking in at well under £1 for every person who was illegally called, but they do at least make a point that companies who don’t play by the rules will be punished.

We also suspect, or at least hope, as more and more fines of this sort are issued and publicised, that the excuse that a company “didn’t knowingly set out to violate privacy regulations by making unlawful calls”, or words to that effect, will carry less and less water…

…and that more and more victims of this sort of call will be willing to provide evidence to the regulator to follow up on complaints.

For example, in one of the cases linked to above, the ICO’s rebuttal of the company’s claim that it had acquired consent via in-person house visits was greatly helped by a complainant who reported:

[The claim that I gave my details to a canvasser who called at the house] is totally fictional as I always send door to door salesmen packing, especially double glazing salesmen. I am not sure where they have had my land line number from. I asked them several times to remove my details from their database. They continued to phone me on several occasions and every time I asked them where they had got my details from…

Likewise, even if there is little that your regulator can do directly to prosecute pure-play scam callers from other countries, regularly reporting offenders does at least draw attention to the internet telephony companies who are happy to provide services to these scammers.

Ultimately, this may occasionally turn up enough evidence about the clients of the service provider to persuade the authorities in the country where the scammers are based to investigate at their end, and to tackle the scammers in their home jurisdiction.

What to do?

Here are links for reporting rogue calls in a selection of countries:

Report in the US: https://www.usa.gov/telemarketing#item-37207
Get on the US “do not call” list: https://www.donotcall.gov/

Report in Canada (English): https://lnnte-dncl.gc.ca/en/Consumer/Complaint/#!/
Get on the Canadian “do not call” list: https://lnnte-dncl.gc.ca

Report in the UK: https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/
Get on the UK “do not call” list: https://www.tpsonline.org.uk/

Report in Australia: https://www.donotcall.gov.au/consumers/lodge-a-complaint/
Get on the Australian “do not call” list: https://www.donotcall.gov.au/

Get on the blocklist and report in France: https://www.bloctel.gouv.fr/


17 Comments

The idea of a phone number blacklist registry is plain dumb.
Especially if each country has its own blacklist instead of making a standardized checking service.

Why would I have to explicitly opt out of unwanted marketing calls by manually registering my phone number on every single country blacklist in the world?

That’s not how it actually works but you get the idea.

This phone number blacklist idea looks like a Windows 10 configuration screen after install where you have to visit every single privacy page and uncheck everything manually.

I would rather make a phone number whitelist, where only people who consent to being called have to let you know by freely subscribing to a ‘Phone Call Authorization’ service.

If lawmakers believe in explicit blacklists instead of requiring whitelists, next we’re going to have to list exactly which phone numbers aren’t allowed to call us.

Then prepare for a wave of bot apps that automatically add every single possible phone number to your blacklist.

‘Nice ~4 billion phone numbers blacklist you have there…’
‘I’m gonna blacklist every single phone number I don’t know as well, ~4 billion entries for me too…’

Having to register on blacklists is as absurd as blacklisting 4+ billion phone numbers just because you only want to allow 3 numbers to call you.

If lawmakers were smart, they would just make whitelists.
Automatic & Marketing calls consent should be denied by default.

Reply

In a world (and a world of governments) that accepts opt-out rather than opt-in, a blocklist is the best you are going to get. (Avoid the word “blacklist”. It has an odious origin, referring as it does to secretive lists aimed at restraint of trade; it has needless racial undertones; and it’s not a very good term anyway. “Blocklist” and “allowlist” are not only culturally and historically neutral, they are actually better words that say exactly what they mean.)

When I lived in Oz, my wife put an “Addressed mail only” sticker on our physical mailbox. I laughed, but she argued that it was unlikely to increase the amount of junk, and might discourage some of it from companies who were willing to comply. She was right. Our junkmail and the amount of wasted paper in our recycling bin dropped noticeably. When “do not call” came along, I adopted a similar attitude and opted out. It did reduce the number of spam calls I received.

As for an allowlist instead of a blocklist, if a caller has already decided they aren’t going to bother with checking whether you’re opted in or out, they’re going to call you anyway.

(As an aside, the blocklist process requires you to register in one country only, given that phone numbers are tagged to countries anyway. The caller is supposed to check the call list in the recipient’s country, not their own. That works whether you go opt in or opt out.)

Reply

Voicemail has changed everything for me. If the caller is unwilling to leave a message (and most aren’t) then I have no reason to return the call. What’s more, in order to report a scam phone call, I’d have to waste the time necessary to answer the phone–from an unidentified caller–and interact with someone solely for the purpose of reporting them. Even if I do answer the call, I’ll be talking to a robot anyway. No thanks.

Reply

I feel that way, but every few days I figure it’s OK to take one for the team, as it were, and answer the call just to be able to report it.

However, one mind-numbing annoyance in the UK is that if the other end doesn’t say anything (which frequently happens if you just pick up and keep silent yourself, because their robocaller waits until it thinks a real person is on the line, so you have a standoff-of-silence), it’s a different sort of offence, and you have to report it via Oftel.

I assume this is a leftover from “silent stalker/heavy breather” rules in the pre-internet era… you can’t be anonymous, and there’s a load of PII paperwork to fill in, like reporting a physical crime at a police station. This seems bizarre in the era of robocallers, but that is HMG’s position on the matter.

Reply

With (in the UK) the end of POTS calls in favour of VOIP in the next few years why can’t all calls be wrapped in a PGP style encryption?
1) Then I can verify who it’s from (preferably automated by my “telephone box”) and decide if I want to answer (hopefully it would be less spoofable than CLI)
2) By keeping my PGP:VOIP “public key” fairly private, scammers etc just can’t contact me
3) I know my call can’t be intercepted
If email had been built from the ground up to use PGP or similar, spam would be next to impossible (or at least easily filterable); is it too late for VOIP?

Reply

The problem is that once your “phone number” (number + public key) are known to robocallers, you’re back where you started. GPG-style certificate-based identification will not give you any more certainty about the relevance of the *content* of the call than TLS gives you certainty about the downloads on a website. So anyone using a VoIP service will have the same apparent infrastructural legitimacy as website providers do by using an HTTP hosting or proxying company.

Places that currently require a working phone number in order to sign you up for a service (or home delivery, or medical appointment, or membership of a book club, or a hotel booking or whatever it is) will request number+public key instead…

…which doesn’t get us much further ahead. It just neutralises existing phone number lists for a short time, until the new ones leak out :-(

Well, that’s how I see it, anyway.

Reply

I think that the commenter above has got a point:

However the ‘end-to-end encryption’ part is pretty useless since official institutions will store call recordings unencrypted anyway.

Usually those who want end-to-end encryption also won’t use the phone network for personal exchange either.

I think something that could’ve been done according to this same ‘PKI calling system’ would be a sort of mutual TLS authentication.

You generate your own ‘x509 root authority’ locally and issue certificates with it to people who can call you (the CN= attribute of the generated certificates would be their phone number).

You could this way certify with your own root certificate someone’s phone number.
If your phone number leaks then nobody else can call you since it would require a valid ‘x509 certificate’ for the scammer’s phone number (scammers would need to compromise both the phone number & certificate of a known person for this).

You could also store certificates for your phone number you got from other people’s root CAs.
Your caller ID would still be ‘verified’ by the Telco, but a data breach would not lead to lots of spam calls this way due to the better x509 verification that follows.

However, we need to realize that it’s pretty much 30 years or more too late.
We should’ve done this way earlier back in the day, unfortunately.

You can however do this with most online Internet-based calling apps, by only letting known contacts be able to call you.

Nonetheless this ‘PGP call verification’ idea is pretty much like Mutual TLS Authentication with self-generated x509 certificates, and it could’ve been a good concept for phone calls.

Reply
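The ‘mutual TLS with a self-generated x509 root’ scheme sketched in the comment above (and the PGP-style caller verification proposed a few comments earlier) worked through as an added example in Go. This is not code from the post, from either commenter or from Sophos; the subscriber name, the phone numbers, the nonce and the `Callee`/`IssueCallerCert`/`ShouldRing` API are all assumptions made for illustration, and the `must` helper is example-only shorthand for error handling. The standard `crypto/x509` package plays the part of the locally generated root authority; as in the comment, the certificate’s CN carries the caller’s phone number. The example goes one step beyond the comment by also demanding proof of possession of the certified private key (a signed per-call nonce, the analogue of the CertificateVerify step in a TLS handshake), because without it a captured certificate alone would be enough to get through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must is example-only shorthand: panic on any error instead of threading it through.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Callee struct {
	rootCert *x509.Certificate // this subscriber's own self-signed root
	rootKey  *ecdsa.PrivateKey
	roots    *x509.CertPool // trust pool containing only that root
}

// NewCallee generates the subscriber's local "x509 root authority" from the comment.
func NewCallee(label string) *Callee {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: label + " call-authorisation root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Callee{rootCert: cert, rootKey: key, roots: pool}
}

// IssueCallerCert hands a permitted caller a certificate whose CN is their phone number.
func (c *Callee) IssueCallerCert(number string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: number},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, c.rootCert, pub, c.rootKey))))
}

// AnswerChallenge is the caller's side: prove possession of the certified key by signing the callee's nonce.
func AnswerChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// ShouldRing gates a call: cert chains to my root, CN equals the delivered CLI, nonce signature verifies.
func (c *Callee) ShouldRing(cli string, cert *x509.Certificate, nonce, sig []byte) (bool, string) {
	if cert == nil {
		return false, "no certificate presented"
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: c.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false, "certificate not issued by my root"
	}
	if cert.Subject.CommonName != cli {
		return false, "delivered CLI does not match certificate CN"
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false, "caller does not hold the certified private key"
	}
	return true, "verified caller " + cli
}

// RunScenarios plays five constructed calls against one subscriber and reports which would ring.
func RunScenarios() map[string]bool {
	alice := NewCallee("Alice")
	other := NewCallee("Someone else") // a root Alice never trusted
	friendKey, scamKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	const friendNum = "+44 20 7946 0001" // constructed number
	friendCert := alice.IssueCallerCert(friendNum, &friendKey.PublicKey)
	forgedCert := other.IssueCallerCert(friendNum, &scamKey.PublicKey) // same number, wrong root
	nonce := []byte("per-call nonce 12345")                            // would be random per call
	friendSig, scamSig := AnswerChallenge(friendKey, nonce), AnswerChallenge(scamKey, nonce)
	res := map[string]bool{}
	res["friend: own cert, true CLI, own key"], _ = alice.ShouldRing(friendNum, friendCert, nonce, friendSig)
	res["leaked number, no cert"], _ = alice.ShouldRing(friendNum, nil, nonce, scamSig)
	res["leaked number, cert from untrusted root"], _ = alice.ShouldRing(friendNum, forgedCert, nonce, scamSig)
	res["friend cert replayed with spoofed CLI"], _ = alice.ShouldRing("+44 20 7946 0999", friendCert, nonce, friendSig)
	res["stolen cert without private key"], _ = alice.ShouldRing(friendNum, friendCert, nonce, scamSig)
	return res
}

func main() {
	for name, rings := range RunScenarios() {
		fmt.Printf("%-42s ring=%v\n", name, rings)
	}
}
```

Only the first scenario rings. The “leaked number” cases show the comment’s point that a number on its own is worthless to a caller once the callee insists on a certificate from their own root; the spoofed-CLI case shows that binding the number into the CN defeats a mismatched caller ID even when a genuine certificate is replayed; and the last case is the reply’s caveat in code: the scheme only holds while the certified private key stays with its owner, so a caller who has both the number and the key is indistinguishable from the friend.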

Good luck with that in a world where people like shopping online via giant warehouses that deliver to their homes via gig economy contractors… there’s generally a requirement to give the delivery company a phone number that they can pass on to whoever happens to be on bicycle duty that day, so they’d need to give you the delivery rider’s number so you could generate a certificate… and that wouldn’t scale (plus they might not decide on the rider until the last minute), so there would have to be some sort of PKI whereby you authorise them to authorise your phone number to any of their riders, and I can’t imagine that ever working out well, much as I like the idea.

Also, phones are still used in emergencies for random people to let you know they’ve found your missing dog or your wandering great-grandmother… not sure how you would handle that sort of situation, which is a surprisingly handy use-case for old-school telephony…

Reply

The problem is that once your “phone number” (number + public key) are known to robocallers, you’re back where you started.

Well not quite; it knocks out point (2), but since one of the main problems seems to be CLI being spoofed, PGP style key lookups should be able to verify or fail to verify the caller’s ID.

In respect of delivery services surely VOIP can be extended at relatively little cost to enable a delivery agent to press a button on his app against my delivery code (only valid when they are doing the route which has my delivery) and this will connect them to base and relay their call on to me via a verified number – so I know it is say Amazon calling about delivery order no xyz – which they have already informed me about previously.

Is there any reason why say Amazon cannot inform me beforehand (via a “trusted app”) of the specific public key that they will be using for that delivery etc.? And why I cannot have a key pair that will only work with a call from a specific source (so I have a key pair for Amazon to use when contacting me, they have told me of the public key they will use; the call comes in and stage one of the unwrap happens using Amazon’s specific public key and then my app tries to do the remaining unwrap with my specific private key – and if that works it is a valid call and my phone rings).

It is complex to explain, but is surely code-able and could be built into VOIP calling apps?

When I have to give an email address to a trader, I give them a “gashable” one – but then know that any incoming email to that address has to come from that trader, and if it doesn’t, they have been hacked and I junk the email address. (Thank goodness I did that when registering Photoshop Essentials with Adobe so many years ago – I am still “getting” junked email from the address I used then almost every week.) We want something similar but more robust for telephone calls.

Reply

Most of the nuisance calls I get and many of the scams don’t have spoofed CLI numbers (caller ID if you are from N. America).

They reveal the actual number they called from, and if you return the call you will be connected to the nuisance caller’s/scammer’s call centre. So the call starts (from a CLI point of view) exactly where it says.

Also, if the problem is CLI spoofing (i.e. you can inject data of your choice at source), what would stop the caller signing the fake CLI data they want to show up on your phone with your genuine public key? (In the same sort of way that malware that’s been encrypted and signed when served up by an HTTPS website will pass TLS verification but will still be malware, albeit untampered-with malware…)

Reply

A few thoughts.

Not answering the phone works really well. If it’s really important, they’ll leave a message.

In the US, answering the phone “Federal Communications Commission” tends to result in an immediate hangup. “Federal Bureau of Investigation” also works.

If you’ve time and want to have fun, see how long you can keep them waiting. Let them start talking then ask to be excused for a moment. Take a few minutes, come back, let them get going again and need to be excused again… time is money, and if you play along without revealing anything personal you’re costing them money.

Another fun thing is to play along but LIE — give them fake account numbers, fake passwords, etc.

My absolute favorite though is to answer, talk *really* quietly so that they’re forced to turn their volume up really loud, and then sound an air horn into the phone.

Reply

There used to be a free service (“Jolly Roger Telephone Co”) that would do the timewasting for you. You have to pay a modest fee now, but some of the calls are very amusing, and entirely inoffensive:

https://nakedsecurity.sophos.com/2016/02/05/tired-of-telemarketers-one-man-has-the-answer/

The operator or the service just recognises when the other person pauses for breath and goes, “Uh-huh”, “Yeah”, “Yep”, “Mmm-hmm” and so on to keep them rolling. Occasionally he’ll say things like, “Sorry, can you hold on a moment… there’s a bee on my arm!” Then you’ll hear him shooing the bee out of the window and then saying, “Phew! Got rid of the bee. Tell you what, can you start over from the beginning, I sort of lost the thread…”

In another one his wife comes into the room and there’s a bit of a “domestic argument”, after which the caller is invited to start again from the top. Rinse, repeat.

Reply

I did this for years. The calls come any time of day, pretty much every day now, but at one time they mainly came around supper time because they assumed you’d be home. I would answer the phone, get them started, then put the phone down on the table. I’d pick it up every few minutes and say something like “uh huh” and put it back down again. My record was 37 minutes before they gave up.

Reply

Did you ever try the Jolly Roger approach of “getting sidetracked” and saying you had lost the thread and would they mind starting again from the top?

One of the amusing ones in the Jolly Roger archive is the “sound like a school buddy” trick. After 10 mins or so the system would say, “Y’know, you sound just like someone I went to school with”, then some random banter, then an apology, then, “Aaah, where were we? Sorry, lost the thread there, can you start over?”

Reply

The VoIP provider for my residence added a free option to the service several months ago. I discovered it as a web-page option before it was actually announced and joined the beta test and have been using it ever since. Incoming callers receive a simple verbal challenge before the call is alerted at my residence. If the challenge is met, the call is delivered. If not, it is dropped.

Robocalls here dropped from ten a day to zero. They are still coming in. The provider emails me Call Detail Records (CDRs) each month and the blocked calls are distinguishable on the report. The only drawback is the occasional desired robotic call (2FA, password reset, severe weather warning, etc.) does not get through.

If I had just a little more spare time, I’d code an Android app to perform the same function. The app would accept the call, of course, but only alert (ring) if the challenge were passed.

Reply

VOIP allows the perps to get phone #s very close to your own as a means to look local, so you’ll answer. My land line is basically useless due to the amount of spam calls I get. It’s interesting to think about the economics of a human making cold calls, the call centers in India, etc. What’s the break even point for 1000 outbound calls? Who knows, but it sure is annoying. Someone should start a comedy show on talking to spam operators and the back and forth. Could be a hit. But I put the blame on VOIP companies who give these operations the ability to make outbound calls by the millions per year.

Reply

This may not work for all robocallers but my spam volume dropped to near zero when I changed my voicemail response to this: “Hello …… (here I pause in silence for 8 seconds) Hi, it’s John. Leave a message.” My friends get used to it and new legitimate people don’t seem to mind. Besides, the legitimate calling numbers pop up on my recents list and I can call my Mistress a few minutes later. Many spammers have the do not show number switch on. So does my doctor which creates awkward moments. As Paul says the robo callers wait for a while on the number before passing it on to a human. I found 8 seconds worked. Now that everyone knows my trick the fraudsters will be reprogramming their machines to wait 10 seconds before leaving a fake message to claim the inheritance left in my great aunt Rebecca’s will.

Reply
