Recently, I began a charitable endeavor, and networked through people I know to talk to corporate task forces responsible for remitting charitable donations to the community. On the call, they asked me how I know my contact (a VP of the company), and if I really did talk to him - because they are getting people who research their company, learn the names of executives, and use those names to say they were referred by them, to try to garner credibility for the scam. And this isn't a really big company to begin with. That's how aggressive and researched and intelligent some of these scammers have become.
All the more surprising to see the old "I am a prince with millions of dollars trapped in offshore accounts, and I need your help to move it" type of scam even be attempted.
Some very clever e-mails try to look legit. For example, my wife and son got emails claiming that their e-mail was hacked, their password was such-and-such (a password they had used on some site that had actually been hacked), and that they need to transfer bitcoins to this account if they wanted to avoid their social media (all of them) and others being controlled. This was blatantly idiotic, but had some intelligence behind it as it used an actual hacked password from somewhere else on the presumption that they use the same password everywhere.
Phone Call Scams
There are many phone call scams, too. Again, they seem so stupid to me, that I wonder at the level of people who fall for them. They are typically of the type that says things like "This is Card Services, we can help you lower your credit card interest rate" (hilarious they call my kids who are too young to have cards...), or "Don't hang up" (I immediately hang up). Every once in a while, I get a call that says they are from Microsoft (in an Indian accent) and that they were notified a virus was detected on my PC (I have Macs). So, why are these calls so prevalent today, and what can we do about them?First, let's look at WHY these occur. On the driving end, many of us eventually fall for these scams and it is very cheap to attempt them, so if even a small percentage of marks fall for the scam, it more than pays for itself. On the enabling end, people are using 2 very old, ancient technologies with absolutely no or little security to communicate. These are e-mails and telephone.
Most e-mail systems support POP and SMTP, which are mail protocols developed in the 1960s and not updated much since. Some security has been added, but they are typically optional, and depend on each mail server being set up with those security options enabled. For example, requiring the sender to authenticate to the server (e.g. enter a name and password) is optional when a mail server is set up. If you look at the POP protocol, it was designed with the Internet way back, when the entire purpose of the Internet was to provide a system of interconnectedness between computers that could survive a nuclear war, and possibly an entire city being destroyed, and yet still function and route traffic. Thus, POP relays e-mails from the originating server, through any number of intermediate servers, until it finds the destination server. The originating server is in charge of whether or not it requires authentication, and then the e-mail goes along its merry way. If some scam artist or criminal sets up an e-mail server, it finds other e-mail servers to relay through, and some sort of trust is established such that no real security is in place.
In order to fix this issue, it would require a whole new e-mail system that requires senders to authenticate who they are, and a trust between each mail system that each individual mail system has vetted its users for illicit activities.
Now let's look at telephone systems. Back around the 1970's and 1980's, they were developing a Caller ID system. In this system, if you think about how telephones worked back then, one switch the caller was connected to routed the call based on the number he dialed, to another switch, and so on until it reached the final telephone terminal. All of these systems were over copper wires with electricity, using old "analog" signals. They broadcast tones over these signals that were the precursors to digital, called DTMF tones, to communicate the phone number dialed to the switches. So, on top of this ancient and very simple system, they created a protocol that would work with all these old phones, that basically says the calling phone gets to say who it is (as in "Hello, my number is 555-111-2222") and that is relayed to the receiving phone. Absolutely no security, no way of verifying that's who it really is. So anyone can put anything they want. And guess what? That's the Caller ID system still in place today, globally. So guess what? Anyone can say they are calling from any number, there's nothing that forces them to prove via a more secure system they are who they say they are.
Supposedly, phone companies have been working on a solution to this, but this is really where government regulation has dropped the ball and not forced them to do it by a certain date.
So, because of this massive lapse in security and regulations on behalf of the public good (thanks, Government), it's a wild west out there for scammers. They can do anything they want and get away with it - and they have systems that generate a phone number that looks like it is local to you, and that's who it says they are calling you from. Then, when you call it back, it is either an invalid number, or someone's phone, but they never called you.
Tips to Handle Spoof Calls
The vast majority of these calls are computerized, because that's the way to make it so cheap that it costs them almost nothing to try to find stupid, gullible people to give them their money. So, knowing that these are stupid computers, it is pretty easy to figure out if this is a real person or a computer. Answer it, and don't say anything. If you were calling someone and they answered and it was total silence, what would you do? You'd say "Hello? Is anyone there?" However, computers wait for someone to start talking. Typically when you answer a phone, you say "Hello?" so it waits for some sound, and then it starts its scam.If you don't make a noise, it will hang up shortly, and you know it was a robocaller. If someone says something, you know it's a person.
Should you block the number? Not likely to help. Like I said, they can say they are calling from any number, and their software picks a random local number every call, so forget trying to block callers.
How does the phone company help? There are apps for your phone that try to identify callers - but again, this only works for those who legitimately give their Caller ID. This is actually a large enough list, so it is helpful. A third-party app, Mr. Number, will identify incoming callers and show whether they are a telemarketer, debt collector, or suspected spam caller. Similarly, your cellular carrier offers apps that do the same, and there may be some additional numbers in its registry that Mr. Number doesn't have, so I have both AT&T Call Protect and Mr. Number installed. Contact your cellular carrier and ask them what apps they have to help protect you from unwanted spam calls.
What about long-term? In the United States, you can contact your Congressional representatives in the House and Senate, and pester them (yes, over and over and over) to introduce and support legislation that will correct this issue. Namely, force Internet mail providers to switch to a new system that is secure, and force phone providers to vet their caller ID and force it to be both more secure, and transparently notify users when it is not security authenticated the caller ID is genuine.
They say that "the squeaky wheel gets the grease," meaning the more you complain and say something, the more the problem you are complaining about is likely to get addressed. Congress already knows this is a big issue, but they are slow moving, and typically need a push. Just because I say to do it at a Federal level, doesn't mean you can't attempt something at the State level as well, but to be really effective, the FCC has to regulate it since it is by definition an interstate system.
No comments:
Post a Comment