My phone vibrates and I glance at the screen, noting the call’s “917” area code — the same as my own number. “New York City,” I note. “Might be important.”
It’s not. It almost never is anymore.
The call is from a fake credit card company urging me to talk about lowering my interest rates. I grip the phone tightly and consider throwing it against a wall.
Later that day, my landline rings. Again, it’s a New York City number, and my caller ID lists it as “Apple, Inc.” Having dealt with fake Apple support before, I ignore it. But “Apple, Inc.” is persistent, eventually calling five times in one day. Finally, I pick up and inform them I’ll be contacting the FBI.
They back off — for now.
Later that day, I decide to call that number back. It resolves to the actual Queens, New York- based Apple Center, which has pre-recorded a message that says, “Apple is aware that some customers are receiving unsolicited calls claiming to be from this Apple center.” It recommends not giving out any information and tries to steer affected customers to support.
Spam, robo, and spoof calls, especially those that masquerade as calls from your local area code, reached crisis proportions on landlines almost two years ago. Now, according to some estimates, the same is about to happen to our mobile phones. A 2018 study conducted by First Orion, a scam protection provider, predicts “44.6 percent of calls to mobile phones will be scam calls in 2019.”
What First Orion described sounds to me like an epidemic, and one that needs some sort of immediate vaccine. A one-shot solution doesn’t exist, but hope does lie, as it so often does, in new technology.
It turns out that both the Federal Trade Commission (FTC) and the Federal Communication Commission (FCC) have enforcement oversight for this problem, with each having jurisdiction over certain industries. It’s like a gentleman’s agreement: The FCC can bring actions in industries where the FTC does not have jurisdiction, like airlines and banks. While the FCC has specific anti-spoofing rules and can bring cases that specifically target spoofing, the FTC’s robocall cases respond to the simple fact that the calls were placed. The FTC also brings cases against companies that use robocalls to commit fraud, and, of course, it enforces the Do Not Call Registry.
“We average 400,000 to 500,000 complaints a month. It’s far and away the top complaint category we get.”
I attempted to contact the FCC regarding its anti-spam and spoof-calling work via phone and email but have yet to receive a response. The FTC responded almost immediately.
While FTC officials couldn’t confirm First Orion’s spam call findings, their own numbers don’t exactly dispute the disturbing trend. “At the FTC, the data we see on unwanted calls and abusive and fraudulent calls comes from consumer complaints,” Ian Barlow, the FTC’s “Do Not Call” program manager, told me. “We average 400,000 to 500,000 complaints a month. It’s far and away the top complaint category we get.”
Though the National Do Not Call Registry was launched in 2003, it predates affordable voice-over IP products that make robocalls and phone number spoofing mobile-app-level easy. (Think VICIDial, an open-source standby for telemarketers.)
According to Verizon, spammers and robocallers use “community spoofing” to “mimic the first six digits of your phone number and then randomly generate the last four to get you to think someone local is calling you.”
The scammers know that when you see a local number on caller ID — another technology that’s been weaponized against us — you’re more likely to pick up. “A lot of the fraudulent and abusive [spoofers] use a different caller ID number with every call now, so [you] can’t detect, ‘this is the call number I should detect and block,’” said Barlow.
Plus, finding local numbers to seed millions more spoofed calls is easy.
“The database they’re using can come from any number of sources,” a Verizon spokesperson explained. “Just Google your own phone number for instance and you can see where it’s listed.”
In my house, the number of spam calls outnumber real calls five-to-one. My current favorite are the Chinese calls, where I hear a single English phrase followed by a minute of Mandarin. (These scams apparently target the growing Chinese population in the U.S.) In some cases, I’ve stayed on the line long enough to hit whatever key I need to get added to the spammer’s own “do not call” list. This turns out to be a rookie mistake.
“In some cases, they do work, but we recommended hanging up as soon as you know it’s not a call you want to work with,” Barlow said. That’s because, no surprise, most scammers don’t actually keep lists of people not to call. Hitting a button is simply proof you exist, and it puts you on a sucker list of sorts, guaranteeing you’ll get more calls.
As soon as I started investigating the nuisance call epidemic, I stumbled on STIR (Secure Telephony Identity Revisited)/SHAKEN (Secure Handling of Asserted information using toKENs), a framework of call-handling and authentication technologies that could be used by all mobile and landline telecom providers (and VoIP companies) to verify that the number you see on caller ID is the actual origin number.
STIR/SHAKEN grew out of a partnership between the FCC and telecom partners. It uses public key cryptography and digital certificates from trusted authorities to verify that the local number you see is legit.
If the telecom industry was run by the FCC or FTC, or if there was a single telephone company (like the old “Ma Bell” days), it would be easy to flip a switch to make STIR/SHAKEN a reality.
That’s not our world. I’m on Verizon and my neighbor’s on Sprint. Your friend is on T-Mobile or Google Fi. Normally getting a whole industry to support such an initiative would be next to impossible.
But after FCC Chairman Ajit Pai’s call to action late last year on STIR/SHAKEN (around the time we learned that consumers received over 5 billion robo calls in a single month) nearly 14 providers quickly fell into line. Even though these companies will need to work together to make SHAKEN/STIR work, they’re positioning it as a competitive advantage.
“We were first to announce readiness for STIR/SHAKEN in November 2018 and first to deploy it on our network earlier this month (before Verizon Wireless),” said a T-Mobile spokesperson via email.
T-Mobile calls its deployment “Caller Verified.” The company already blocks scam calls by checking numbers against a global database of known scammers. Knowing how often scam callers change numbers, I question the effectiveness of this solution. However, the FTC told me T-Mobile does an excellent job blocking these calls.
Verizon launched a series of spam and call blocking tools last year, and, starting next month, it will offer those tools to all Verizon smartphone customers for free. Landline customers get Verizon’s Spam Alerts service, also for free. Verizon told the FCC last year that it “expects that a large portion, possibly a substantial majority, of Verizon voice call traffic to be signed in 2019.”
It will take some time for all telecoms to fully implement the framework, but the process will certainly accelerate this year. Sprint and AT&T have also committed to implementing and deploying STIR/SHAKEN in 2019. By 2020 or 2021, problem solved, right?
“I’m hopeful. I don’t want to sound naive,” said Barlow, “[It’s] not some kind of panacea.”
Meanwhile, as we wait for more free spam- and spoof-call blocking solutions, there are a few steps you can take today to protect yourself. Barlow had this advice:
He still believes consumers should register with the National Do Not Call Registry at donotcall.gov. It will not block all those calls, but for the legitimate businesses that do comply with the rules, it will ensure they do not call you.
As I noted above, my interactions with some of these scamming bastards might make me feel good, but anything I say or do on the line with them is simply a validation that my number is real. “The more you stay on, the more it looks like you’re interested,” said Barlow. As soon as you realize it’s not a legit call, hang up.
Barlow said there are a number of call-blocking apps you can download from the App Store, like Call Blocker and Hiya. Obviously, you can use your phone’s native software to block individual numbers, though, in our robocalling world, that seems like a near pointless solution.
Consumers might also find some relief on the the CTIA’s How to Stop Robocalls page, which features tips and a list of 550 mitigation apps.
Barlow also told me the FTC pursues many robocaller cases and has helped collect judgments totaling $1.5 billion. They also get court orders that essentially shut the spammers down.
Even though the FTC and FCC do not pursue these cases together, they do coordinate anti-spam and spoofing efforts through both informal and quarterly calls. As Barlow explained this I wondered, just for a moment: Do they pause and stare at the caller ID on the screen before picking up? I know I would.
Update: An earlier version of this piece contained inaccurate information about the FTC’s jurisdiction