Why Your Phone Company Doesn’t Block Unwanted Spam Calls to Your Enterprise
By Richard Quattrocchi
Voice spam can be defined as any unwanted, irrelevant, unsolicited, or inappropriate call or voicemail message. Voice spam and email spam share many similarities. Both types of spam are annoying, disruptive, and potentially dangerous. Voice spam, however, is far more intrusive, especially for businesses.
Email is silent and there are lots of commercial email spam filters to minimize the shear tonnage of email spam to your inbox. Voice spam, on the other hand, rings into your business in real-time. Voice spam calls flow into contact centers, auto attendants, and direct business lines requiring organizations to take matters into their own hands and deploy voice spam filtering solutions. Phone companies are simply not equipped to know what is a wanted vs. unwanted business call.
The FCC has authorized carriers to block illegal voice spam, primarily “robocalls”, from telephone numbers that are spoofed. Carriers, however, are only blocking a very small percentage of these calls. Why is it so hard to stop such calls?
There are numerous reasons why carriers will not block calls:
- The STIR/SHAKEN framework to authenticate caller IDs designed to flag spoofed calls is not reliable enough to block calls but can be useful to label calls as “suspected” spam.
- Carriers are paid to complete calls, not block calls. There is no financial incentive to block calls. Carries will only block “low hanging fruit” calls from impossible numbers or numbers on the Do Not Originate list.
- Unlike email that can be scanned by a spam filter for content in the text, voice call content is unknown. Carriers have no way of knowing if a call is wanted or unwanted. They can only see signaling data.
- Safe Harbor rules protecting carriers are inadequate and the potential liability cost to stay in the “safe harbor” is simply too high for carriers to risk blocking calls.
The FCC, in consultation with the telephone industry, came up with a digital framework to authenticate and sign calls requiring the originating telephone carrier to attest that calls they pass along have a caller ID that belongs to the calling party and the calling party is authorized to use that phone number. The framework is called STIR/SHAKEN. When a signed call gets to the terminating carrier, they check the digital signature embedded in the signaling data. At this point the terminating carrier needs to decide to pass the call or block it.
The conundrum for the terminating carrier is that STIR/SHAKEN attestation scores are far from perfect. In fact, ten percent of legitimate calls cannot be validated due to formatting issues alone. The most common problem seen is the caller ID does not conform to the E.164 international standard for caller ID. This results in the telephone number identification “failing” the STIR/SHAKEN attestation test. Further, many small telephone carriers are unable to comply with STIR/SHAKEN requirements because they are still using old equipment that doesn’t support digital signatures for phone calls.
What is a terminating carrier to do? They simply pass the call along and insert a warning into the caller ID. You may have noticed the caller ID will sometimes say “SPAM RISK” or “Scam Likely”. Mutare has processed tens of millions of inbound business call records using call detail record (CDR) data provided by enterprise customers and has determined that, on average, 9% of all calls across industries are spam, and up to 20% of calls in some instances are unwanted and not from spoofed phone numbers. The problem with caller ID labeling is that once the phone rings the damage is done. An employee’s workflow has been interrupted. Even if the employee can ignore the call and let it go to voicemail, when they retrieve the voicemail message later, the time to dial in and check the message is wasted.
The terminating carrier will only block calls if the caller ID is from an area code that is not in service (Mutare refers to these as “impossible” numbers) or from a phone number that is registered with the national do not originate (DNO) database. These are typically toll-free numbers or conference call lines that are only used for inbound calls and never make outbound calls. These caller ID numbers are what terminating carriers call “low hanging fruit” and a no-brainer to block.
The problem with low hanging fruit blocking is that the scammers already know about the numbers and have already adapted their tactics. Analysis of those CDR records (both before and after STIR/SHAKEN was mandated) show that, on average, the impossible phone numbers ringing into businesses only account for 0.02% of unwanted CDR call records.
Voice carriers are regulated entities. They have legal obligations to complete calls. For example, carriers must pass calls that are anonymous. There are legitimate reasons to pass these calls. For example, let’s say a woman in a battered women’s shelter must contact here abusive husband. Calls from the shelter are made anonymously so the abuser cannot locate the women from the caller ID. The carriers must complete these calls and have a legal obligation not to disclose the caller ID.
Carriers also have legal obligations to block illegal spoofed calls. They are in an impossible position. To avoid legal liability to their customers, the safe play is to allow calls through and adjust the caller ID as a safe compromise. To demonstrate to the FCC they are blocking calls, the no-brainer way to comply is to only block calls from impossible numbers or phone numbers on the DNO list.
Now here is the kicker, many legal calls to businesses are unwanted spam. For example, political robocalls (perfectly legal) are a disruption that is unwanted and unwelcome by employers. Collection calls, also legal, fall into a grey area. Employers do not want their employees bothered during working hours with personal collection calls. Yet the business office of the enterprise (think of hospitals) may use those very same collection agencies to chasse unpaid bills. The same caller ID, that is fully attested, fully legal, from the bill collector may be wanted or unwanted depending on the called party within the organization. Voice spam, like email spam, is not so clear cut.
Unwanted voice spam calls to businesses must be blocked or routed BEFORE the phone rings. Because carriers are not in the position to determine call content or if calls are wanted or unwanted, only the enterprise can make informed decisions on inbound call rules. Just like email filtering, the business requires a voice spam filter it can deploy and control. That is where the Mutare Voice Spam Filter comes into play. The Mutare Voice Spam Filter combines business rules, dynamic spam caller data bases, STIR/SHAKEN attestation scores and spam storm detection to filter unwanted calls out, while enabling wanted calls to ring into the business. Filtering voice calls in this way reduces an enterprises cyber threat posture protecting the enterprise from callers with malintent. Filtering out unwanted calls before they ring reduces the network bandwidth required to complete spam calls. Lastly filtering voice calls at the network edge improves employee productivity resulting in higher revenues and lower labor costs.
Vice President of Digital Transformation
About the Author
Rich loves a challenge and thrives on start-up. As the Vice President of Digital Transformation at Mutare, he has found his dream job. Rich and his cadre of technology professionals have taken on the task to digitally transform voice messaging for a new generation of technology savvy workers.
Mutare has digitally transformed voice messaging workflow, with a novel technology designed to help businesses increase sales, decrease costs and meet regulatory compliance.
Rich is a graduate of the University of Illinois with degrees in Liberal Arts and Science and Flight Degree in Aviation. He holds six patents and is going for number 7 for the underlying technology for Mutare Voice™.