Over the past several months, we’ve seen the Pallone-Thune TRACED Act, a bill to deter criminal robocall violations and make it easier for authorities to assign financial penalties, signed into law; the FCC strengthen efforts to fine robocallers and drive implementation of the SHAKEN/STIR call authentication framework; and carriers work to more aggressively protect consumers besieged by robocalls.
So…mission accomplished? Not so fast. Reversing the 200 million unwanted calls that Americans received every day in 2019 is not an overnight process. At the same time, scammers, spoofers, and bad actors are not simply throwing up their hands in surrender in the face of new policy, technology, and financial obstacles.
For carriers, combating robocalls in 2020 will require anticipating how bad actors may adapt tactics, building on strategic investments and efforts from last year, and staying attuned to the most important factor in all of this — what their subscribers want. To succeed, there are seven areas where carriers should be focused.
Scammers will set sights on legitimate business numbers
The good news is the Federal Communications Commission has proposed bold action to help consumers block unwanted robocalls and to provide safe harbor for providers that want to deliver networking blocking using the SHAKEN/STIR call authentication framework and broader use of advanced call analytics systems. These actions will make it more difficult for scammers to launch campaigns from invalid telephone numbers. The bad news is that bad actors will change their behaviors.
Carriers should anticipate that scammers will continue to spoof legitimate business numbers in an effort to trick subscribers into providing personal and financial information. This trend accelerated in the second half of last year, as subscribers started to receive calls from what appeared to be legitimate customer care numbers such as Apple Customer Care and from local telephone numbers of Apple stores.
This shift will create a big problem for carriers’ business customers as it becomes more difficult for their subscribers to differentiate illegitimate spoofed calls from the real thing. Carriers will have to more actively help educate and inform businesses when these spoofing scams materialize and ensure businesses are more proactive in registering their numbers and calling campaigns to avoid being listed as a fraudulent calling line which will degrade customer trust.
Scammers will live on the edge… of SHAKEN/STIR
Caller ID spoofing is hard to identify for over the top (OTT) detection apps and systems that rely solely on whitelists and blacklists to recognize and block calls because scammers use a number for a short period of time, minutes and hours rather than days and weeks, making it difficult to keep the lists accurate and up to date.
Carriers should expect that bad actors will continue to look for vulnerabilities along the edges of SHAKEN/STIR. This also means that scammers will continue to launch campaigns from smaller and regional VoIP providers and carriers where SHAKEN/STIR deployment lags behind Tier 1 carriers. This isn’t just relevant for those smaller carriers, but also for larger ones that will still see subscribers receive robocalls from outside their networks.
Finally, STIR may only be used to authenticate and validate origination of the call for U.S. domestic calls, and is applicable for SIP-to-SIP calls only. STIR is not applicable for TDM, nor will it work if the network path of the call traverses a legacy network, as opposed to an uninterrupted SIP-to-SIP call. As a result, scammers may look to use TDM numbering sources or international SIP gateways because SHAKEN/STIR relies on domestic IP networks for call authentication. A layered analytics approach, which can act as an anti-spam filter similar to email, can help stem this problem.
Scammers may launch more sophisticated and targeted attacks
Robocall scams to date have predominantly been high volume, blunt-force operations operating under the theory that the more consumers that are called, the better the chance some will fall for the scam.
That approach won’t change anytime soon; however, there is evidence that scammers are getting smarter and more sophisticated when it comes to extorting information from unsuspecting victims over the phone. In one recent scam, the caller claimed to be an employee of the call recipient’s bank who asked for the recipient’s PIN number to confirm the operator was speaking with the owner of the account, when, in fact, the caller was the actual scammer.
As scammers become more in tune with the social engineering tactics required to extort sensitive information, we could see the robocalling industry shift away from tactics that involve high volume of calls with low payout amounts to a model with a lower volume of calls which are targeted at individuals who could provide higher payouts. These higher-reward scams will also benefit from increasingly convincing AI-based deep-fake technology, whereby call recipients might hear convincing audio from family, friends, bosses and other co-workers in an effort to generate a desired action. The scammers might also use this technique by recording a victim’s voice through an innocuous phone call and use that to contact a legitimate customer care organization to receive personal account information.
Expect push for more consumer education
Banks, healthcare providers, carriers, and legitimate enterprises everywhere will need to do a better job developing communication programs for customers to prepare them to effectively deal with scammers and scam calls. For carriers, joint initiatives with business customers – where carriers can supply data on emerging scams, trends and tactics to businesses in oft-impacted industries which can be used to protect customers – should be considered. There is also a need, for instance, to help subscribers understand where calls can and cannot come from (for example, the Social Security Administration would typically never call a customer unprompted if not part of an existing customer service interaction).
The burden of determining which calls are real and which are scams cannot be solely placed on customers to make judgements in real-time. Carriers, industry participants and the government must step in to assist in this education effort.
Texts or calls? Pick your poison
As SHAKEN/STIR is more broadly deployed and carriers begin to do a better job of shutting down scams via voice channels, the use of text messages for illegitimate purposes is a natural next phase of the robocall evolution.
Similar to phishing emails, robotexts offer a potentially easier path for scammers to acquire sensitive info, as the text can include a hyperlink that sends users, who are more comfortable communicating via text than voice calls, to illegitimate sites. Of course, not all robotexts are from scammers trying to acquire personal information – some are simply spamming consumers with offers that may be real, but no less frustrating.
With new channels for scams via phone, regulators and industry participants will need to adjust their tactics to prevent scams using robotexts from increasing in volume the way robocalls have.
The call blocking pendulum may swing too far for consumers
Yes, consumers are fed up with robocalls. But it is important for carriers to consider the fact that not all subscribers want all unknown calls blocked. While the FCC voted to authorize carriers to block incoming calls, our consumer survey released earlier this year found only 39% of U.S. wireless subscribers would like their carrier to automatically block all calls from numbers not in their mobile phone contact list. While survey data on other types of calls was more nuanced, the message is that subscribers still want to retain some level of control on which calls are blocked, which go to voicemail, and which go through.
If carriers begin to block too many legitimate calls (for instance, from a doctor’s office, school, or financial institution) and subscribers feel they are missing important calls in a way that has negative consequences, frustration may change from subscribers feeling they are receiving too many robocalls to a sense that carriers do not have an effective system to make accurate filtering decisions. The need to strike this balance underscores the importance for carriers to have an advanced call analytics solution in place.
Overall volume of negative calls will likely drop
Americans received 106.8 billion negative (nuisance, scam or fraud) calls in 2019, a 49% increase from the previous year, according to TNS’ recently released annual data analysis. That said, the collective impact of STIR/SHAKEN implementation by the carriers, the enablement of a safe harbor allowing carriers to block unwanted calls, new tools given to the FCC for enforcement, and potential additional resources for the Federal prevention and prosecution of criminal violations should lead to a drop in the volume of unwanted calls in 2020.
The past several months have seen tangible developments by carriers, government and other industry participants to combat robocalls. And while 2019 data did not reflect the fruits of this collective labor, the foundation is now in place to finally turn the tide and position 2020 as a transformative year for restoring trust in voice calling. Building on that foundation will require a commitment by all stakeholders to pursuing and executing a layered approach that includes analytic engines to accurately identify robocalls; the expansion of STIR/SHAKEN to more carriers; and increased penalties for originators of unwanted calls.