Over the past year, voice spam calls, particularly robocalls, have received a great deal of attention from the FCC, FTC, the House of Representatives, US Senate and all fifty State Attorneys General. The government has called for voluntary cooperation from carriers to help stop these unwanted calls. While much of these efforts have been focused on calls to consumer landlines and cell phone numbers, little attention has been given to protecting the business telephone customer. To understand the impact of robocalls and voice spam on businesses, it is important to understand several things:
- The problem with voice spam calls in the business place is complex and multifaceted. What is voice spam and how does one “enforce” stopping it? Who is responsible? Is it the government, the carrier, the business or the individual worker?
- Fraud, combined with the ability to make VOIP phone calls virtually free from automated dialers, is at the root cause of the voice spam problem.
- The ability to manipulate the caller ID and Caller Name that displays on ringing phones has caused called parties to lose trust in what they see on their phone displays and often fools people, even savvy business people, to answer calls that put them at risk for fraud.
- Legal calls that are annoying, such as automated political campaign calls and persistent debt collection calls, have no place in the workforce but are perfectly legal to make.
- International revenue sharing fraud and kickback schemes targeting toll free telephone numbers in contact centers are a big incentive for bad actors, as are CNAM lookup “revenue” sharing schemes that don’t care whether you answer the phone.
- Government solutions rely on non-binding carrier cooperation.
- Businesses are on their own and can’t rely on the government or carriers to solve the problem – they must defend their enterprises with their own rule sets at the network edge.
Complexity | Responsibility | Voice Spam
So why is this problem so complex? First one must define what is voice spam. Everyone can agree that a bad actor calling and pretending to be the IRS or Social Security Administration with the intention to defraud whoever answers of money, is a spam call. So that was easy.
But what about the pharmacy calling with your permission to remind you that your prescription is ready, or the dentist calling to remind you of your appointment the next day? Clearly these are “robocalls” that are not spam. Or are they? Does your employer want you distracted with these calls on your DID line at work? Would these notifications be better if they were text messages to your personal cell? In our 24X7 always on world, is there even a distinction any longer between “personal” and “work” calls?
Spam can be subjective with a lot of grey area, especially in the enterprise space. For example, let’s say I am a C level executive at a multibillion company. I am responsible for 5,000 employees and hundreds of millions of dollars in P&L. Every second counts and there are a lot of people depending on me. According to the University of California at Irvine, the average “digital distraction” costs up to 23 minutes in business productivity. Can I afford even a single spam call? Political campaign season is about to get underway. Can I afford to interrupted by the coming “spam storm” of political calls? Can my assistant? Can the supervisor on loading dock?
Let’s say further, I also happen to be in the middle of a nasty divorce. I don’t want to be bothered during work hours with distracting calls from my wife’s divorce attorney. To me, such calls on my direct business line are spam. I can’t afford the distraction. Over 5,000 employees are counting on me. Not to mention the company shareholders. Blocking that call to my business line directly benefits the business. However, that same attorney calling the company HR director is a legitimate call and while annoying, it is business and not spam. My wife has a right for her attorney to understand all my financial matters including income, stock options, 401K plan and benefits. That call needs to ring through to HR.
The bottom line is that the problem is complex, but not insurmountable. The business must control the spam rules and decide which calls get through and to whom. These decisions can’t be made by carriers or the government. They must be tailored to the specific business.
The Root Cause: Fraud, Free VOIP Phone Calls and Auto Dialers
The breakup of the Bell System in 1982 was probably the single greatest moment of my professional carrier. I had graduated college in 1981 and was recruited by Centel Business Systems to sell PBX phone systems to businesses. Crushing AT&T was very lucrative on the equipment side, and in parallel, companies like MCI and Sprint made fortunes in the long-distance business. Prices for long distance, intrastate and local calling plummeted. Business prospered by falling telecom prices and increased productivity achieved through innovations such as call detail recording, automatic call distribution, voicemail and integration of voice and data over twisted pair wire.
But the icing on the cake was the Internet. In 1995, voice over Internet Protocol (VOIP) made long distance calling virtually free. Computers could now bypass carriers like AT&T, MCI and Sprint and connect directly with other computers on the web, as well as to the public switched telephone network hopping off to a local phone circuit, making “long distance” virtually free. Placing a voice call was no more expensive than sending an email. The genie was out of the bottle and the era of the free robocall was born. But there was just one more technology ingredient needed to make robocalls truly annoying…
Caller ID and Caller Name Spoofing
In 2004, the first mainstream caller ID spoofing service, Star38.com was launched to allow spoofed calls to be placed from computers. Spoofed caller IDs were used for crank calls, breaking into voicemail, “swatting” – the practice of sending swat teams to unsuspecting businesses and robocall scams. Organized crime got into the game using ISDN and VoIP technology setting elaborate outbound call centers to start scamming anyone who would answer a phone. Like any “cold calling” effort it became a numbers game. Make millions of calls and a small percentage of those calls will be answered by some who would be gullible enough to fall for the scam.
Here is how it works:
- A call center, say in India, China, Russia or even in Los Angeles devises a scam. Let’s call it the IRS scam. The call center spoofs a telephone number belonging to the IRS. When your phone rings the display is spoofed showing the caller ID 1-800-829-4933 which belongs to the IRS. So, the name IRS may also show up in the display.
- The call center auto dialer starts calling all the numbers in the United States starting with let’s say New York’s 212 area code. The auto dialer just starts dialing for dollars calling 212-200-0000, 212-200-0001 and runs through all 10,000 phone numbers in the area code and exchange and then moves on to the next 10,000 number block. The number of calls the call center can make is dependent upon how much Internet bandwidth they have.
- When someone picks up the phone, they are connected to an agent trained in the art of the IRS scam. And so, it begins.
- If the call goes to voicemail, so much the better, the auto dialer detects the “tone” and leaves a threating pre-recorded message.
- These calls are indiscriminate and sequential resulting in “spam storms” for your businesses. Let’s say you are Morgan Stanley in New York. Your main line is 212-761-4000 and you have 2,000 DID lines. The malicious contact center hits your range: 212-761-4001, 4002 etc. Today is your day and your business is slammed with 2,000 inbound spam calls from the contact center. Employees who answer get rewarded with an interrupted workflow. Now the folks at Morgan Stanley are very smart so don’t take the bait but are interrupted when they let the call roll to voicemail. Later, they get that silly red light and call to check their message to hear the IRS threat and are interrupted for the second time.
- The bad actors don’t make any money this time around but the folks at Morgan Stanley experience 4,000 workflow interruptions on the 2,000 calls that roll to voicemail and that is time that can never be recovered.
- Eventually the scammers call the proverbial “little old lady in tennis shoes” and hit pay dirt.
Legal Yet Annoying Calls Every Business Should Block
I was recently speaking to Aaron Foss, CEO of Nomorobo and asked about political calls. Aaron with a smile in his voice said, “The Monday before an Election is our Black Friday.” Nomorobo blocks these annoying political calls. Even though the calls are perfectly “legal”, no one wants an automated pre-recorded call to solicit a vote. People certainly don’t want such calls on their work line. Their employers are paying them “on the clock” to get work done and don’t want these spam calls interrupting the workday.
These calls are annoying as all get out but are perfectly legal. As the elected officials see it, it is in their own self-interest to make these automated calls to support their re-election, even if it interrupts your personal productivity.
The same holds true for collection calls. The sad truth is that many debt collectors will abuse the number of call attempts they make per day to chase you down on the off chance that if you didn’t have the money at 9:00 AM, you might at 10:00 AM or 11:00 AM. You get the gist. Once again, these calls, while legal and legitimate, are disruptions if made to you while at work. Businesses do not want their employees interrupted on the job. It is just that simple.
International Revenue Sharing Fraud and CNAM Lookup Fraud
One of the most expensive and annoying frauds to business lines involves international revenue sharing fraud. Also known as “toll fraud”, it is a scheme where bad actors artificially generate very high volumes of international calls on expensive routes to business “toll free” telephone numbers. These numbers typically ring into call centers. The company receiving the call pays the “toll” for the call. Fraudsters work with the providers of the toll-free services that get a portion of the money for the call, which is then “kicked back” to the originating overseas auto dialer company. The scammers job is to keep the call “up” for as long as possible, generating a bigger kickback. The losers in the scheme are the companies with the toll-free telephone numbers who are essentially paying the scammers to scam them.
Another revenue scam is Caller Name (CNAM) kickback scheme. In this instance, scammers make millions of robocalls to telephone numbers – including business lines with the objective of getting the caller Name ID to show up on the call. Turns out the CNAM data is managed by private companies that look up the caller ID and provide the terminating telephone company with the caller ID name. The terminating telephone company pays the CNAM database company a “micro penny” for the lookup. The CNAM company then pays a kickback to the robocaller company from the fees for the CNAM lookup. You can read more about it in a Wall Street Journal article here. The rub is that the called party doesn’t even have to answer the phone. The CNAM company gets paid its micro penny if the business answers or not. When calls are answered the auto dialer simply hangs up.
Why the Government and Carrier Efforts Will Not Work
Hanlon’s razor is an aphorism expressed in various ways, including: “Never attribute to malice that which is adequately explained by stupidity.” When it comes to robocalls and phone scams, the government is very well meaning but is not effective. In much the same way the government has made virtually no headway in controlling email spam, the government efforts in controlling voice spam will not amount to much.
The reasons are simple. First the government has made blocking spam calls by carriers “voluntary” on the carriers part. While the carriers are well meaning and want to serve their customers, keep in mind that carriers are paid to complete calls not block them. So, there is a built-in conflict of interest.
Next, there is no way to enforce the laws passed by governments. The bad actors are increasingly overseas and U.S. law enforcement has no jurisdiction to bring bad actors to justice. Even when bad actors are identified within the U.S., fines are seldom collected and make deterrence virtually non-existent.
Even if you pay the carriers to block calls, and some will take your money to do so, the carriers are using a technology called SHAKEN/STIR call authentication to attempt to bring “trust” back to Caller ID technology. The SHAKEN/STIR authentication system, if it works, will simply provide an “attestation” score giving a “confidence” rating that the originating party of the call is the party that “owns” the phone number. The attestation score will not tell the called party if the caller is a bad actor or not, it will simply give a score as to the authenticity of the phone number. While this methodology is intended to help stop “spoofing”, the fact is that is will take years to trickle down to tier 3 carriers where most of the fraud originates. SHAKEN/STIR will not stop fraud, it will in fact spur bad actors to use numbers that return higher attestation scores.
Businesses can not count on carriers to block such calls and even if they did, they will not want the carriers to do so. Take for example a hospital with a rural patient. The patient has a tier 3 carrier that doesn’t attest to the caller ID. The patient calls the hospital 3 days after discharge from triple bypass surgery concerned about chest pain. The carrier blocks the call because there is no SHAKEN/STIR attestation score. The patient keeps calling and keeps getting blocked. As the patient’s anxiety and blood pressure increases, the patient experiences a fatal heart attack and dies. The hospital, the carriers and every single entity involved in the fiasco now have legal liability, not to mention the pain and suffering the patient’s family must endure.
The Solution – Put the Business in Charge of Call Screening at the Network Edge
Mutare, a leader in communication software solutions has developed an enterprise application to enable practical voice spam filtering designed to “do no harm”. The Mutare Voice Spam Filter combines known robocall screening with enterprise-managed whitelists and blacklists to stop known bad actors from interrupting employees with spam calls. Businesses manage their own lists and create rules that work for their individual enterprise, ensuring good calls get through and bad calls are filtered out.
What about neighbor spoofing? Unfortunately, there is no way to distinguish between a spoofed call and a legitimate call. So, Mutare uses a voice CAPTCHA to automatically screen live callers from bots. When a call comes through from an area code and exchange that matches your business numbers, the call is diverted to the CAPTCHA. The CAPTCHA performs a reverse Turing test by speaking a short challenge to the caller. For example, “Thank you for calling XYZ company. To continue your call, enter two nine now using your touch tone keypad or speak the words two nine now” This simple automated test will confuse an auto dialer bot, but a human can pass easily.
No worries about blocking calls in the carrier network. No worries about damaging your business reputation with legitimate caller. While some robocalls will still get though, all your legitimate caller will also, and the bad actors will be filtered out. This means greater productivity for your staff resulting in higher sales, lower costs and improved regulatory compliance. After all, you never want to block an important caller.