When a person sees a call from an unknown number and picks up to hear a recorded voice on the other end, they've received a robocall. Some are helpful, such as reminders of upcoming doctor's appointments or school announcements.
However, the vast majority are from unsolicited parties trying to convince people to purchase products or services, or to disclose personal information.
Robocalls are undoubtedly annoying, especially when they disrupt meetings, meals, or quality time with loved ones. But these intrusive calls pose serious threats to data privacy, too. And they're on the rise.
How common are robocalls in the US?
The problem with increasing numbers of robocalls in the United States is well documented. The Federal Communications Commission (FCC) receives over 200,000 complaints about robocalls each year, representing about 60 percent of their total complaint volume.
According to the YouMail Robocall Index, which measures robocalls placed and received nationwide, 43.3 billion robocalls were placed so far in 2019, with an average of 131.9 calls received per person. For comparison, YouMail's data shows more than 48 billion robocalls for 2018—about 18 billion more than the 2017 total. If 2019 numbers hold, we'll likely see at least 10 billion more robocalls than we did last year.
The YouMail Index also shows that each US person received an average of about 14 robocalls last month. However, the calls come much more frequently in some area codes. Households in the 404 area code of Atlanta, Georgia, and its surrounding suburbs, for example, received more than 60 calls in September 2019.
Robocalls are particularly unceasing for some high-profile people. One opinion writer for The Washington Post stated that she received more than 14 robocalls in a single day—by 10 a.m. Not surprisingly, 52 percent of people who responded to a survey carried out by B2B research firm Clutch said they received at least one robocall per day, and 40 percent got multiple calls.
Court rulings and formal complaints
Some people find their lives so disrupted by robocalls that they file formal complaints or take legal action. In 1991, the Telephone Consumer Protection Act (TCPA) was signed into law prohibiting all pre-recorded or auto-dialed calls and texts to cell phones without explicit consent. In addition, the National Do Not Call Registry (DNC) was formed, allowing users to explicitly opt out of telemarketing calls.
Since 2017, the Federal Trade Commission (FTC) found that 66.8 percent of complaints filed to the DNC registry relate to robocalls—totaling a little more than 12 million. Of all complaints filed, the most popular call topic was about reducing debt, while "imposters" was ranked as second.
While the TCPA states that consumers may receive monetary payout for individual violations, including robocalls, court cases haven't always supported this literal translation. An August 2019 ruling on Salcedo v. Hanna, a TCPA-related case, stated a single unsolicited text message was not injurious enough to proceed with a lawsuit.
Nuisance calls vs. high-risk
While users might be tempted to deduce they needn't worry about data privacy with robocalls, a high number of imposters, fraud, scams, and spoofing activities associated with robocalls indicates otherwise.
Transaction Network Survey looked at robocalls in a 2019 report and split them into two categories: nuisance and high-risk. Nuisance calls are not considered malicious and are often based on non-compliance, while high-risk calls center on fraudulent activity, such as scams delivered to collect money or personal details.
The report concluded that nuisance calls increased by 38 percent over the last year, while high-risk calls rose by 28 percent in the same timeframe. While nuisance calls are increasing at a higher rate than high-risk calls, continuing malicious robocall activity demonstrates the need for constant user awareness, as criminals are becoming more clever with their scamming techniques.
For example, robocalls don't just arrive as unknown numbers. One in 1,700 mobile numbers are hijacked by robocall spoofers every month, more than double last year’s rate of one in 4,000 mobile numbers. As a result, 2.5 percent of people who have had their number hijacked have disconnected their phone. In addition, spoofed numbers easily trick users into picking up the phone, believing they'll hear a recognizable voice on the other end.
Robocalls collect PII
A startling statistic from the Clutch survey revealed 21 percent of people accidentally or intentionally gave information to a robocaller. Various factors may compel them to do so. For example, the Clutch data showed health topics were a common subject for robocalls. Similarly, most of the FTC's DNC call complaint data related to debt relief calls.
Scammers of all types focus on urgency. They convince people that if they don't act quickly, they'll face dire consequences. When a victim hears about something related to their health or money, they may offer personal details without taking the time to investigate. Also, a phone call requires in-the-moment communication, and many people instinctually respond politely to avoid conflict.
The time of day robocalls happen could also make individuals more likely to disclose their data in haste. Insider scrutinized five years of FTC call data and determined that unwanted calls most likely occurred on weekdays between 10 a.m. and 11 a.m.
That's when many people are at work, or at least trying to be productive. If they answer the phone and hear a robocall recording, they may think the quickest way to get relief from the annoyance is to give what's requested, especially if the robocall seems legitimate.
Scammers use real data
Another threat to data privacy from robocalls threatening is the growing trend of scammers using genuine data to make their calls seem realistic. First Orion conducted a study of scam calls—not restricted to the robocall variety—and described a tactic called enterprise spoofing.
It involves scammers using actual data—often obtained from large-scale breaches—to impersonate real businesses and convince victims to give up personal details and money. The company's statistics showed three-quarters of people reported scam callers had accurate information about them and used those tidbits to put the squeeze on victims.
Indeed, most robocalls feature automated voices on the other end of the line, and people may never talk to humans. But, it's not hard to imagine how scammers could create a robocall message applying to a large segment of users, then snatch up individuals fooled by the scheme in follow-up real-time conversations.
How to protect against robocalls
The robocall problem opened an opportunity in the marketplace to develop apps that could block robocalls, or at least identify them. Many security vendors, including Malwarebytes, offer programs that flag or block scam calls and filter unwanted texts. These programs work in part by blacklisting numbers of known scammers, but also by using algorithms that recognize spoofing techniques or block numbers by the sheer volume of calls they place.
However, research indicates some scam call-blocking apps send user data to third-party companies without users' knowledge, or as specified deep within a multi-page EULA document. So we recommend users be critical about which apps they use to block unwanted calls.
Other ways to protect against robocalls include the following:
- Add your phone number(s) to the FTC's Do Not Call registry.
- Manually add numbers from robocallers into your phone's block list, located in "settings" for most devices.
- Don't pick up the phone if you don't recognize the number.
- Sign up for your carrier's call blocking service.
Data is king
If the last year of privacy scandals and data breaches from social media giants, educational institutions, cities and local governments haven't demonstrated this fact enough, the growing rate of robocalls further confirms that personal data is a valuable asset worth protecting from cybercriminals' greedy clutches.
Besides causing immense frustration for users, robocalls threaten user privacy by exposing victims to data-stealing scams. That reality gives users yet another reason to err on the side of caution when giving out personal information, even if the source seems authentic.