Spoof-Proofing the Enterprise Voice Network
By Chuck French on 4/28/20
If you use a telephone, there’s high probability you’ve been spoofed – that is, received a spoof call from a phone number that looks similar to your area code and exchange (the first six digits of your phone number) or a caller ID displaying the name of a nearby town or local business. However, the person on the other end is neither a neighbor nor legitimate business caller. The caller is typically a spammer trying to lure you into a scam.
In fact, according to a recent First Orion Scam Call Trends and Projections report, 83% of all scam calls in 2019 featured a fraudulent phone number ID, such as an area code that matches that of the call recipient’s area code (“neighbor spoofing”) or a familiar business name or number (“enterprise spoofing”). The practice of enterprise spoofing, in particular, has been fueled by the recent spate of large data breaches, giving scammers access to the personal information of millions of prospective victims. The scammer can target segments of the population associated with a business, such as a bank or large retailer, change the number in the caller ID to one associated with that business, and, if the call is answered, further legitimize themselves with knowledge of the victim’s home address, email address etc. The result: In the first eight months of 2019, phone scammers were able to defraud the American public out of $285 million.
How Did Call Spoofing (Spoof Calls) Become So Prevalent, and What Can Be Done To Stop It?
For those wondering why call spoofing become so prevalent, and what one can do to stop it, there are a number of factors that come into play.
Robocalling, the practice of using a computerized auto-dialer to generate phone calls with a pre-recorded message, has been part of the telephony landscape since the earlier 90s. It was traditionally used for political messaging and telemarketing phone campaigns. However, robocalling crossed the line from an accepted practice to a disruptive nuisance when illegitimate players seized on the technology to begin delivering mass numbers of unwelcome calls. While the FCC stepped in with regulations limiting telemarketing calls to cellular phones, land-line protections were anemic at best, including fines for difficult-to-trace fraudsters and offering consumers the Do Not Call registry designed to limit the reach of telemarketers. While well-intended, these measures did little to stop robocall offenders already committed to malicious behavior.
As the volume of spam and robocalls has grown, so, too, has the practice of ignoring calls displaying unfamiliar or anonymous caller IDs. Thwarted by the decreased response, spammers began looking for other ways to connect with their would-be victims.
Their new path was paved when VoIP (Voice over Internet Protocol) entered the telephony scene. VoIP allows phone calls to be transmitted through Internet-connected IP devices, completing calls through the Internet rather than through traditional voice telephone. Developed in 1995 as a way to reduce the cost of long distances and international calls, VoIP capabilities were soon embraced by carriers and businesses anxious to capitalize on the higher quality, greater flexibility, and lower cost of voice over Internet.
As is often the case, this positive advance in technology came with a dark side. No longer bound by toll costs to make calls, spammers and scammers quickly discovered how easy and cheap it is to utilize VoIP and an auto-dialer to deliver mass calls to a targeted list of numbers. As Alex Quilici, CEO of YouMail stated for Consumer Reports, “It’s become very easy and cheap to make an enormous number of calls, to the point where you don’t even need technical expertise. If I wanted to pick a borough in New York City and hit every person with a voicemail telling them to go visit some website, I can do it for a couple of thousand bucks.”
More significantly, the caller ID of these calls can now be disguised. While caller ID spoofing has actually been available for many years to law enforcement and other specialized services requiring personal contact phone number protection, it required complex, specialized, and expensive ISDN PRI circuit connectivity with the telephone company. With the advent of VoIP came the ability to easily and cheaply create a personal Caller ID embedded in the call data through readily available open source software. While a legitimate and useful tool for individuals like remote workers wishing to maintain a workplace caller ID, it is also easily exploited by those with nefarious intent.
Criminalizing Call Spoofing (The Truth In Caller ID Act)
As the practice of illegitimate call spoofing increased, Congress moved to rein it in, passing the Truth in Caller ID Act of 2009. While originally written to criminalize the act of causing “any caller identification service to transmit misleading or inaccurate caller identification information,” the final bill used more qualified language, adding that call spoofing would be deemed illegal if done “with the intent to defraud, cause harm, or wrongfully obtain anything of value.”
The Act has done little to slow the exponential growth of scam calls as evidenced by a recent FCC report that reveals more than 60% of complaints from consumers are now related to suspected phone fraud. While consumers are encouraged to report suspected scams, efforts to trace the real source of a spoofed call is, at best, complex and usually futile as the scammer has likely moved onto another spoofed number by the time a report is filed.
New Legislation To Stop Spoof Calls (TRACED Act And STIR/SHAKEN)
The TRACED Act, passed in December of 2019, is new legislation specifically designed to address the problem of call spoofing. It requires carriers to implement specific measures for caller ID authentication (STIR/SHAKEN protocol) that is passed through from the source provider to the recipient provider in the form of a digital certification. Numbers that fail the authentication process are identified as potential spoof calls. While a step in the right direction, the legislation will take time – some even say 10 years – to fully implement as smaller carriers may not be equipped to carry out the authentication process, and more sophisticated scammers can simply move their operations overseas onto unregulated networks. The system is only designed to flag suspected spam in the caller ID. The call still rings through and how it is handled is left to the call recipient. The weakness with this approach is once the phone rings, the damage caused by digital distraction is done.
Clearly, until the STIR/SHAKEN protocol actually results in a reduction of voice spam, it will do little to help businesses eliminate the growing threat and distraction of unwanted calls. Companies seeking relief now may need to act on their own.
Call Spoofing Prevention Solutions For Enterprise Voice Networks
Several telephony solutions developers, like Nomorobo, have stepped up with innovative filtering systems that keep a dynamic database of known spammers and, when integrated with a voice network, blocks those incoming calls. However, these systems cannot detect the true origin of a call that is using a spoofed ID.
One developer, Mutare, Inc., stands out for having confronted head-on the unique challenge spoofed calls create for business. With its multiple layers of protection approach, Mutare’s Voice Traffic Filter integrates several advanced methods to identify spam and robocalls before they enter the enterprise voice network, giving administrators a set of tools that allows them flexible control over how those calls are blocked, passed, or routed before they ring an end device.
Integrated into that system is Mutare’s own, unique “spoof radar” detection technology, built on a platform that combines advanced call pattern recognition, heuristics and machine learning to spot robocalls or spammers with suspect caller IDs.
If the system detects an abnormal pattern of incoming calls, such as an unusual number of calls from the same source or a sudden increase in call velocity, the voice traffic filter triggers specific actions defined by the system. This includes the option to send those calls through the Voice Traffic Filter’s voice CAPTCHA system which employs a reverse Turing test to challenge the caller to enter randomized digits. Callers that pass the test are let through; those that fail are dropped. Humans pass the test easily, while robocall bots do not.
“We have been building advanced applications for business voice networks for more than 30 years. We have at our disposal not only a deep knowledge of enterprise voice communication systems but also a vast source of data that allows us to anticipate where to direct our efforts so we stay ahead of the voice spam bad actors,” says Rich Quattrocchi, Vice President of Digital Transformation for Mutare.
While STIR/SHAKEN is still in its early formulation, Mutare recognized early on the value of caller attestation scoring to further refine its Voice Traffic Filter spoof detection capabilities and has created an additional layer of filtering protection gleaned from that data. “Our ability to parse out information from what is being passed along by the carriers and then apply it to our other analytic tools is going a long way in helping the filter identify a suspected spoof call right down at the individual call level and is enabling even smarter automated call filtering,” says Quattrocchi.
Mutare Advanced Spam Filter Capabilities
Mutare recently launched a service using its advanced spam filter capabilities to run a detailed voice traffic analysis for other companies looking to better understand how much voice spam is in their networks and its impact on their operations. Says Quattrocchi, “The more a business knows about the source, type and volume of spam entering their voice networks, the better prepared they will be to combat it.”
Call Spoofing Q&A
Q: What is phone number spoofing?
A: Caller ID spoofing is the process of changing the caller ID to any number other than the calling number. When a phone receives a call, the caller ID is transmitted between the first and second ring of the phone.
Q: What is neighbor spoofing?
A: Neighbor spoofing is when scammers use reliable-looking phone numbers to disguise their identities. The phone number might have a prefix with your area code or look like it belongs to a local business or even someone you know.
Q: What is Enterprise spoofing?
A: Enterprise spoofing is when scammers change their caller ID to match an actual business’s phone number. For example, a scammer trying to get your banking account information or other sensitive financial information may call your cell phone and display your bank’s caller ID. For example Citi Corp’s customer service number: 1 (888) 248-4226
Q: Is caller ID spoofing legal?
A: Caller ID spoofing is generally legal in the United States unless done “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” The relevant federal statute, the Truth in Caller ID Act of 2009, does make exceptions for certain law-enforcement purposes.