Telemarketing (Imposter) Fraud
Who hasn’t received phone calls from “Visa Security” or “Microsoft Support” warning you of imminent disaster unless you follow their instructions (and, as often as not, send them money)? For most of us such calls are annoying. For a few, they’re the start of a financial nightmare.
It’s been estimated that phone scams fraudulently generate 10 billion dollars of revenue a year. And that’s just the result of attacks on phones owned by consumers in the US. Who knows what the total number could be when you factor in other countries, other technologies, and unreported events.
Besides the criminals who profit from these attacks, no one’s happy about all this. Governments, financial agencies, technology companies, and consumers have all invested significantly in efforts to counter the problem. This article seeks to answer a simple question: have those efforts been successful?
What is telemarketing?
Telemarketing is the use of communication channels - including email, mobile and land phones, internet websites, social media, and even the post office - to reach potential customers. Using such channels can be a far more cost-effective way to advertise than one-to-one cold calls or physical meetings. The ability to automate the process using various digital technologies lets advertisers reach thousands or even millions in hours, rather than a few dozen in a week.
While some telemarketers operate legitimate businesses or charities and carefully observe industry regulations, the people behind most of the millions of attempted connections launched daily don’t. The sheer weight of all that communication changes the very shape of our infrastructure systems and makes it harder for everything else to operate optimally.
Robocalls to cell phones, for instance, have become so common that many users simply don’t answer incoming calls or listen to voice messages. People are paying good money each month for mobile services that are, to some degree, effectively crippled.
Similarly, many email accounts were overrun by early spam campaigns to such a degree that it wasn’t worth sifting through the garbage for a few useful messages. You can get a sense of how big the problem is through the numbers. As of April, 2021, Talos Intelligence reported that, on average, nearly 16 billion legitimate emails were sent daily, but that there were an additional 88.2 billion spam messages. That is, for every 100 real emails, more than 550 spam messages were sent through the email system.
Having said that, in recent years, major email providers like Gmail have done an excellent job filtering out the majority of spam and malware messages. But as spammers are always coming up with new tricks, maintaining control is a costly and ongoing task. And it’s made widespread adoption of true end-to-end email encryption virtually impossible.
What’s been done to solve the problem?
2003-4 was a significant time in the fight against illegal telemarketing. The US, Canadian, and New Zealand governments passed Do Not Call laws, requiring that telemarketers avoid phone numbers that were registered with an official list. Failure to respect the lists could result in legal prosecution and fines against offending companies. Laws like the US CAN-SPAM Act, which authorized the Federal Trade Commission (FTC) to enforce compliance with email sending restrictions, were also passed.
In the four years that followed there were a number of high-profile convictions of major international spammers. And high numbers of consumers who had registered with the US Do Not Call service reported satisfaction with the results. But our shared experience of the two decades since has shown us that the problem wasn’t solved.
One problem with Do Not Call registries is that they’re easy to ignore if the caller happens to live outside the law’s jurisdiction. And, even worse, offenders can use the registries themselves as convenient databases of valid phone numbers. I believe that unwanted calls actually increased after I registered my phone number with the Canadian version many years ago.
The value of such laws also relies on them generating sufficient deterrence. But government agencies like the FTC have long been accused of lacklustre or non-existent enforcement. Why would off-shore criminal gangs worry about such laws?
Efforts within the IT industry have presented a happier story. Email host filtering, email origin validation tools like DomainKeys Identified Mail (DKIM), and traffic shaping technologies deployed at the network level are all helping.
There have also been some grassroots initiatives. Savvy consumers are encouraged to keep illegal telemarketers on the line for as long as possible both to demoralize them and to reduce their profit-per-labor-hour rates. I personally enjoy asking “Microsoft Support” callers which one of my dozen or so computers they’re referring to. Listening to them desperately searching their scripts for a credible response is amusing. By the time I tell them that none of those computers is actually running Windows (we’re a Linux-only shop, here), they’re usually ready to hang up on me.
Former NASA engineer and well-known YouTube science evangelist Mark Rober quarterbacked a sophisticated and ambitious campaign against money mules working in the US for illegal Indian scamming call centers. With the help of private investigators, law enforcement, and ingenious video-equipped glitter bombs, Rober managed to bring down entire teams of mules and prevent the extortion of at least a few potential victims.
But it’s not clear whether such actions had any noticeable lasting impact on the problem. More to the point, it’s not clear what kind of tools we should be using. It might be helpful to have some good data so we can observe correlations between remediation efforts and historical scam call and spam rates.
What does the historical data say?
To be honest I haven’t found exactly the data I’d like to see. It would be nice to get a consistent set of global numbers representing a range of telemarketing rates from all the way back in the mid-90s. But the FTC’s Consumer Sentinel Network reports, published for the years 2004 to 2020, are valuable. Of interest to us, the reports track complaints shared by consumers with the FTC website about their experiences with telemarketing abuses. The cases are broken down by category.
Using this data, we can see trends in complaints about scams arriving via email, physical mail, websites (including social media sites), phone and “other.” Figure 1 shows the raw numbers of complaints from each year.
Figure 2 covers the same set of complaints, but where each category frequency is displayed as a percentage of the total.
Both graphs appear to show a rather abrupt shift away from phone scams in 2020. This could be an anomaly that will disappear in next year’s report. But I suppose it is possible that all the chaos of the COVID-19 period is responsible. Perhaps even call center criminals felt bad ripping people off in the middle of a pandemic. On the other hand, modest growth in both the email and “other” complaint categories suggests that the fraud industry as a whole wasn’t feeling particularly penitent.
What we can clearly see (at least until 2020) is the steady decline of email complaints and the huge increase in phone complaints. This might be due to the industry’s greater success in anti-spam efforts vs the growing failure of Do Not Call registries. But it could also be the product of increased consumer adoption of mobile phones. There are, in other words, billions more phone numbers than ever before in history. And more and more of those numbers are served by digital (i.e., hackable) networks.
Note the rather obvious drop in email complaints in 2014. You can see the same drop in the graph shown in figure 3. This is based on Statista’s global spam data, rather than on data measuring uniquely American experiences.
The fact is that the data I found hasn’t given me the kinds of insights for which I’d hoped. For one thing, the FTC Sentinel data only covers Americans and, even among those, only Americans who took the time and effort to submit formal complaints. For context, I would also prefer data going back at least a few years before so much relevant legislation was passed in 2003-2004.
I’m also missing important domain information. A detailed timeline of major changes to Gmail’s malware filtering system would be particularly helpful.
So this is where you come in. I think I’ve taken the first steps, but it would be great if, together, we could tap into the wisdom of the commons. In other words, do any of you have access to data or historical inside information that could improve on what’s already here?
If you’ve got anything to share, please let me know.