As we’ve reported in a previous Malwarebytes blog, what spam is to email, a robocall is to telecommunications devices, such as home phones, mobile phones, and VoIP landlines. There is usually no real human behind a robocall, only an automated, pre-recorded message. And as the name suggests, the calls are made by computers.
Illegal robocalls generally contact recipients with the intention of stealing something from them. As such, they use scams, attempting to swindle you out of your contact number, your financial information, your identity, or anything else of value through dishonest means.
There is legislation that addresses robocalling and the scams they attempt to pull off. Just for good measure, here’s how The Telephone Consumer Protection Act of 1991 (TCPA) defines a robocall, also known as “voice broadcasting.” It is any telephone call that delivers a prerecorded message using an automatic (computerized) telephone dialing system, more commonly referred to as an automatic dialer or “autodialer.
When the call is answered, the autodialer either connects the call to a live person or plays a prerecorded message. Both are considered robocalls. Some robocalls use personalized audio messages to simulate an actual personal phone call.
With some exceptions (political messages, flight delays, et al.), the TCPA prohibits robocalls to consumers’ traditional landline numbers without prior written consent, to consumers’ Voice-over-Internet-Protocol (VoIP) landline numbers, and to all mobile numbers—both consumer and business (again, without written prior consent). Even political robocalls to mobile phones are illegal without prior consent.
Despite the legal restrictions, the volume of automated calls continues to grow, having reached an estimated 3.4 billion in April 2018, according to YouMail, which collects and analyzes calls through its robocall blocking service. That’s an increase of almost 900 million a month compared with April a year ago.
“The volume of robocalls continues to grow, having reached an estimated 3.4 billion in April 2018.”
We all rely on caller ID to screen our calls, but how effective is it as a measure against robocalls? The answer is, not very.
That’s because scammers like to use Voice over Internet Protocol (VoIP) technology to hide their actual number and location. VoIP calls are almost free, which is why they can do this 24/7, and why you can’t trust your caller ID to flag suspicious numbers.
Here’s how that works. The responsibility of caller ID lies with the originating call. And if that caller is a scammer, then they know caller ID is very easy to disguise, or “spoof.” In that way, no matter where in the world they are actually located, the scammers behind a robocall can make it appear as if it comes from a trusted business, or from your same local area code, complete with a familiar first three digits of your own contact number. So the effect is a nefarious bit of social engineering, making it more likely that you’ll pick up the call if you see what looks like a familiar number, say from a friend, co-worker, local dentist, or even a major business or government organization such as Microsoft or the local police department.
Whether the intrusion starts out as just an annoying robocall pitch, or succeeds in its ploy to pass you on to a live scammer, you’re likely to encounter a variety of typical robocall-initiated scams, such as:
Tech support scams. You pick up and immediately hear a distressing message, pressuring you to act fast: “Hello, we are calling from Windows and your computer looks like it is infected. Our Microsoft Certified Technician can fix it for you.” If you fall for it and get connected to a remote technician, he may sell you phony security software at a cost of hundreds of dollars in order to “clean up” your alleged problem. Or worse yet, he’ll persuade you to give him remote control of your computer, and he can plant malware to ferret out and steal any valuable data (social security number, credit card information, bank accounts, etc.). Among the bad news downloads that malware can plant on your computer are those that hold your data hostage, spy on your computer activity, clog your screen with popup advertising, or take over your computer’s resources in order to mine for cryptocurrency.
Charity requests. After all, who wouldn’t want to contribute to wipe out world hunger? Cure cancer? Or save the endangered snipes? Such robocalls prey on trusting souls, and count on them to take the bait and make a pledge by credit card.
Bogus Surveys. These scams can come at you as telephone, text-message, or even online surveys—asking you to answer questions or give your opinion about the merchandise, service, or quality of your favorite store. They may even claim that there’s an incentive to participate, such as a gift card for your favorite retailer, or some similar prize. But more often than not, they end with pitches for dubious products or services. Questions may also focus on the bank or financial institution you use, whether you are happy with their service, and if you would consider changing banks. And as part of the survey, they might ask for your bank account number so that they can provide a “competitive comparison” with the fake bank they represent. They may even request your banking and credit card information, because it is “necessary” to claim your supposed reward.
Banks, FBI, police, the IRS, and other institutions of authority. This will be another call that seeks to alarm you with a sense of urgency in order to derail your common sense. The script usually centers on some alleged wrongdoing that you’re guilty of, with the threat of imminent fines or arrest. The call might even involve abusive threats, which are a sure sign of a scam.
Stranded grandchildren. This is a particularly cruel form of social engineering, which targets older folks. The caller claims to be a grandchild calling from jail, and seeks to first fluster the recipient, and then ask for bail money, to be sent via a cash transfer service.
One-ring scam. In this scenario, the scammers place calls to blocks of phone numbers (often using robocall devices), and then hang up the call after a single ring. If the owners of some of those numbers are curious enough to call back, they might connect to a pricey international call. And during this call, scammers may use social engineering or outright harassment to persuade the consumer to subscribe to a pay service or to provide credit card information.
Tech support scams have often historically originated in India. Operating out of boiler rooms, these fraudsters call internationally to consumers in Australia, Canada, the UK, and the U.S., whom they find from public records. They also attract calls from their targets by placing legitimate-looking technical assistance advertisements in popular search engines and high-traffic websites.
“Tech support scams have often historically originated in India. Recently, Chinese robocalls have been bombarding the U.S. in growing numbers.”
Recently, Chinese robocalls have been bombarding the U.S. in growing numbers. The calls go out in Mandarin, apparently indiscriminately but in hopes of tapping into a Chinese immigrant population. The robocall’s voice typically claims to be from the Chinese Consulate, insisting that the recipient needs an important document that affects legal status in the U.S. Or it is a warning that the person is being investigated “back home” in China for financial crimes, and that family relatives still living there face arrest if the call recipient doesn’t cooperate. If the recipient panics enough to press a button and speak with a live scammer, the call escalates to a demand to transfer substantial money to, say, a Hong Kong bank account.
The Federal Communications Commission (FCC) offers the following advice:
“Never give out personal information such as account numbers, Social Security numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.”
If you’ve registered your home and mobile phone with the National Do Not Call Registry, you’re one of about 200 million people who’ve done so. The fact that you’re still getting robocalls trying to scam you might indicate that the registry does not work, but it actually does. Telemarketers who ignore the list can be fined up to $40,000. So for the legitimate businesses within the U.S. who do adhere to the law, the Do Not Call list is a useful barrier.
The trouble is, the law has never stopped scammers willing to break federal law. And that’s who makes most robocalls these days. They know that enforcement is a problem for the government, since the FTC doesn’t have the budget or manpower to track down and prosecute the robocallers. So the scammers are willing to take the risk.
Still, adding your phone numbers to the list will stop legitimate telemarketers from contacting you, which can at least reduce the number of calls by some measure. So it’s definitely a place to start.
Your Android or iPhone is a handheld computer, so it makes sense to protect it from any potential infection that might result from a robocall scam in the same way you do your other devices, whether they are Windows or Mac, in your home or business. Malwarebytes for iOS, for example, blocks all incoming robocalls and text message scams. The Malwarebytes iOS app also protects you from phishing attacks and malware. If, by chance, you click a malicious link or attempt to navigate to a fraudulent site, Malwarebytes will block the site from loading.
Wireless companies are also providing new services, which will display some variation of the message, “possible scam” on the screen for unknown numbers that are ringing you. T-Mobile's system is automatic, with nothing to sign up for or download. At AT&T, you can sign up for its free Call Protect. Verizon has also added a feature to its Caller ID, which will show “SPAM?” before a caller’s name that has been identified as a possible unsolicited call.
“Wireless companies are also providing new services, which will display some variation of the message, ‘possible scam’ on the screen for unknown numbers that are ringing you.”
One more thing. As we mentioned previously, we don’t recommend talking to scammers yourself. However, if you’re the mischievously vindictive sort, look into the Jolly Roger Telephone Company, which offers a program that lets you put the phone on mute and patch a live scammer call to a robot. Friendly and patient, the robot understands speech patterns and inflections, and strings the caller along, complete with realistic background interruptions, vocal fillers like “Uh-huh, OK, OK,” and requests after several minutes of talking to have the caller repeat his entire sales pitch from the beginning. Check out the recordings on the site of the angry telemarketer meltdowns it inspires.
Bottom line, robocalls are a complicated problem with no single easy solution. But by taking sensible precautions and approaching unknown callers on your ID with skepticism, you can help protect yourself and deprive robocallers and the scammers behind them from their illicit income.
Select your language