Adam Doupé's lab working on tech that could build level of trust in a caller's phone number
Scammers can leave voicemails without causing your phone to ring. They can mask their number so you think your bank is calling you. Their next trick is combining phone and computer scams for a double hit. Robocallers, scammers and spammers continue to find new ways to get people to pick up the phone and give them sensitive information, money or both.
Adam Doupé, an assistant professor in ASU’s School of Computing, Informatics, and Decision Systems Engineering and an affiliate faculty member of ASU’s Global Security Initiative, has been researching the techniques robocallers use and their success rates, and has been developing new tools to protect consumers.
Here he talks to ASU Now about his findings.
Question: How do spammers and robocallers leave voicemails without causing phones to ring?
Answer: There are companies, several companies in fact, that offer services for this type of call. Based on their patent filings, the way this works is that the company calls your phone twice at the same time. There is a delay between when a carrier receives your call and when your phone rings, and as soon as your line is busy, the other call goes to your voicemail. The company drops the call that is connecting to your line, and leaves open the call that has gone to your voicemail.
Q: Why are phones so vulnerable to spam calls?
A: The core problem is that caller ID can be easily and inexpensively spoofed, meaning the phone number you see on your screen for the incoming call is not actually the phone number that is calling you. Spoofing only costs a few dollars, and systems to generate lots of calls aren’t expensive either.
Additionally, caller ID is an optional field in the "initiate call" message that is sent to start a call. No one checks the validity of that field, and the number added to that message is what shows up on your display. As part of my team’s research, we looked into what tools and techniques have been tried to prevent robocalls and scams, and none have been successful.
Q: Do any legitimate companies use spoofing? If so, why?
A: Yes, companies will change their outgoing caller ID to be the phone number they want customer-service response calls to go through when returned. Fundamentally, a legitimate company should never spoof a phone number they don’t actually control.
Scammers, however, sometimes spoof their caller ID to look like a familiar company’s phone number. For example, maybe you recognize your insurance carrier’s customer-service number or your bank’s number. Or, if you Google the phone number while you’re on the call, you might see that the number is affiliated with a trusted company. Scammers rely on that trust to make their scams successful.
Q: What solutions are in the works to protect consumers?
A: When you’re browsing websites, you’ll see what we call a “security indicator,” also known as a green lock. If you’re on Google or Facebook, you’ll see the lock and know that you’re talking to the real website. It’s a visual indication that your communications are secure. In my lab’s work, we’re creating a similar mechanism for phone calls to build a level of trust in the caller ID phone number.
We have filed for a patent on this technology, and we are working with the International Telecommunication Union, a global telecom standardization body, to have this technology standardized.
Q: With the new tricks scammers are using, does the Do Not Call Registry matter anymore?
A: It is useful. The Do Not Call Registry is still a useful step to avoid calls from companies that are using telemarketing legitimately. The bad thing is, the registry information is public, so scammers can try to use that information. Ultimately, people doing illegal things aren’t going to be deterred by regulations. And many scammers operate outside of the U.S. using VoIP — Voice over Internet Protocol — to make calls via Internet services like CallFire, which provide virtual phone numbers.
Q: What do you see as the next wave of scams?
A: We are seeing a growing number of tech-support scams with a mix of viruses and malware. The scammers will get you while you’re visiting a website; you’ll get a pop-up window that says to call a tech-support number because your machine is infected. When you call, you’re giving the spammers remote access, and from there they are in control.
Generally, we’re seeing the merging of computer frauds with phone calls.
Q: What should we do if we’re receiving spam calls?
A: If you’re in any way skeptical about a phone call you receive, hang up right away and Google the number to find out if it’s legitimate. Even if it was a legitimate number, let’s say Google tells you the phone number is from Chase, that doesn’t mean Chase called you. That said, if you call the company back on their publicly listed customer-service line, you’ll speak directly to the company and you’ll know whether the original call was spam.
Also, it’s important to know that big companies, or government agencies, are not going to call you and ask for sensitive data. Your bank or the IRS will not call and ask for your Social Security number. If you are asked for that information, hang up and call the company or organization back on its publicly listed customer-service number.
Another important thing to remember is that robocallers and scammers tend to target people who are in the U.S. on visas. People from other countries may not be familiar with IRS or government agency protocols and may not know that they shouldn’t provide that information over the phone.