“Hello, we’ve been trying to reach you about your car’s extended warranty.” After years of seemingly unstoppable scam robocalls, this phrase is embedded into the minds of many of us. Last month the Federal Communications Commission (FCC) announced it was ordering phone providers to block any calls coming from a known car warranty robocall scam, offering hope that U.S. phone users may hear that all-too-familiar automated voice a little less often.
But there is more work required to crack down on these calls. After all, car warranty warnings are only one type of scam. To understand how robocallers reach us, and why it’s so hard to stop them, Scientific American spoke with Adam Doupé, a cybersecurity expert at Arizona State University.
[An edited transcript of the interview follows.]
How big is the robocall problem in the U.S.?
I think it’s difficult to wrap our head around the scale. We can look at hard evidence of the complaints that consumers are sending to the FCC, but those are just people who actually complain. The FCC is claiming that one auto warranty scam operation is responsible for making more than eight billion robocall messages since 2018—that’s just staggering. That’s two billion a year from one campaign. Companies are sending out billions of messages, and that’s inherently going to affect you; you’ll get one to three a day.
A lot of these are done by companies that are selling real products. They’re just using an illegal marketing campaign to get consumers to buy those products. That’s distinct from robocalls that are trying to target people for fraud: the robocall itself is the marketing lure to get somebody on the hook, then they’re transferred to a real person who is defrauding them out of money.
Why hasn’t anyone been able to stop robocalls so far?
Robocalls are such a problem because they are cheap to make. They are highly effective because they’re so cheap and can reach so many people. The other thing criminals keep in mind is: What’s the likelihood of … being caught in this criminal activity? The number for that was shockingly low for a long time.
Spam callers are changing the caller ID that shows up on your phone to a number [with an area code] that’s close to you, and that’s illegal. The question to me is always “How come they can just change their number?” That seems kind of crazy, right? You place a phone call, your provider—AT&T, Verizon, whatever—knows your phone number. How could another number appear there? The way it used to be designed is the caller ID field was essentially optional, and so nobody had verified it anywhere along the chain. The networks got more complex—a phone call will just come in, and nobody’s checking to say, “Oh, wait, who is originating this call? Is it actually the same number?” It actually does have a purpose. A big company doesn’t necessarily want anyone external to know the phone numbers of anybody internal. So it changes the caller ID so that the number that appears is the general number of the company.
The other thing to remember is that the telephone system was created among trusting parties—all of the telephone companies knew each other. But as technology improves, and smaller companies get connected to the phone networks…, you have these untrusted parties in the network that are essentially causing a lot of these problems.
How does the FCC currently tackle robocalls?
There is a protocol that was created called STIR/SHAKEN, [or secure telephony identity revisited/signature-based handling of asserted information using tokens, which the FCC began requiring in 2021]. It adds a field when you’re making a voice call that says, “I am this entity, and I have verified the caller ID.” This allows anyone who’s transmitting that request to look at that header message and say, “Okay, I can verify with cryptography that, yes, this actually is the originator [of the call].”
Now the problem is if a call comes in from a VoIP [voice-over-Internet protocol] provider overseas. How does the U.S. carrier verify that phone number? What the FCC has done is create this system where it has a Robocall Mitigation Database. U.S. companies that act as connection points between foreign VoIP and other phone services have to register and say, “These are the steps we’re taking to verify these [overseas] phone numbers.” The [U.S.] phone providers are now allowed to drop traffic from providers that are not following these standards. The FCC actually orders companies to block [the known auto warranty] robocall scam calls.
So STIR/SHAKEN is not a defense against robocalling per se. It’s a defense against changing the caller ID, which is an important part of these scams.
What other techniques can be used to detect and prevent robocalls?
What you’d probably use is some type of pattern detection based on: Where are these calls coming from? What’s the number of times that people answer this call or not? How long are the durations of the calls? All these types of things [matter] as you try to identify as many different features as possible that separate good calls from bad calls. Putting trust back into caller ID is super important.
You could also set up fake phone numbers—in cybersecurity terms, a honeypot. You create fake numbers that you don’t give out to anybody, so any phone calls to those numbers are unwanted. You could use some automated system to answer the calls, listen to the recording, then maybe you either have a human or an automated system trying to make a determination: Is this a scam or a robocall? And then you could use that to feed back into your detection systems.
I think disincentives will make businesses say, “As a legitimate business, we shouldn’t do this.” There was a $225-million fining of Texas-based health insurance telemarketers that made about a billion robocalls. You can see a combination of technical measures and policy measures designed to try to close these loopholes. Is that going to stop criminals located in other countries who are trying to defraud people? Probably not. One thing we could do is make the cost of making a billion calls more expensive. I’m hopeful that this will help stem the tide.
What about stopping other ways scammers target people?
The key thing when you study cybercrime is: humans are very resilient in finding new ways to commit crime. [If calls become more expensive], the other option is the scammers will shift to other platforms, which we’re already seeing. They’ll switch to sending WhatsApp messages or Twitter spam. I think that’s a better situation. If you’re the phone company, you don’t know what’s going to be said when somebody answers that call. You have patterns in the network, and you have where it came from, but fundamentally, you don’t have the content of the scam. With a text message, you do have that content. The problem becomes more similar to e-mail spam. If you use something like Gmail, the spam detection capabilities are so good that you’ll maybe get one message a month there.
Fundamentally, right now, it’s hard to trust your phone when it rings. I think a world where we can trust phone calls again—or maybe be excited to receive them and not just [be] like, “Oh, somebody’s gonna try to scam me”—is a better world. And I think slowly we’re getting there.