One in five unknown calls is spam. Despite the minuscule success rate, millions of people fall victim to scammers because of the sheer number of attempts. Now scammers have a dangerous innovation that will make them even more productive and persuasive.
If you want to protect yourself from scammers, it’s important to understand how they operate.
Jonathan Nelson is Director of Product and Data Management at Hiya, the company behind the anti-spam solution that protects over 400 million users worldwide.
Having worked in the anti-fraud industry for nearly a decade, Nelson has seen first-hand how voice fraudsters have evolved into well-organized, established companies with large call centers and clear KPIs.
Phone spam is becoming a growing problem, despite measures in place to curb it. In the third quarter alone, Hiya recorded 6.55 billion spam calls worldwide. In the US, 22% of unidentified calls were suspected spam.
In other countries, the situation is even worse. The average spam rate worldwide is 24.3 % and in some countries such as Chile, Indonesia, Russia or Argentina the rate exceeds 50 %.
Brazilians receive an average of 26 spam calls per month, most of which are banking scams. For Americans, the number of spam calls is 11 per month.
“Fraud is a pretty big business. There are literally billions of dollars spinning around in it. So most of the scams that are going on right now are organized as businesses. These are typically established companies. They have call center offices, maybe not very posh, but still with employees. And often we find that the same call center can be doing tax fraud one week, and the next week serving clients of a legitimate company. It’s just a different scenario for agents,” Nelson explained in an interview with Cybernews.
KPIs of fraudsters
Sometimes the same infrastructure is used for both legal and illegal calls. Their agents have certain quotas they have to fulfill to get paid.
“The main thing that drives all of this is profit. These companies have a bottom line. They have key performance indicators that they’re trying to meet,” Nelson explains.
He has personally seen only two ways this industry has evolved: fraudsters either find new ways to increase revenue and profits or cut operating costs.
“They can increase their profits by getting more customers, more victims, more people who fall for the scam,” Nelson says.
And criminals are eager to experiment with their plots, targeting and scripts. Scammers often react to high-profile news stories and seasonal events to enhance their bait. And even the tones they use in conversations are subject to A/B testing.
How do researchers find out? They run “honeypots,” which are essentially collections of phone numbers that have no use other than to wait for someone to call, either by mistake or for fraudulent purposes.
“We can record the audio of that conversation. I heard the exact same pre-recorded call, but one version had silence in the background and the other had call center audio. But the conversation track was exactly identical,” Nelson said.
The other big shift now is efficiency. People are very expensive compared to robocalls because one operator can only fool one victim at a time. So criminals have started to innovate.
“They’re using what’s called interactive voice response (IVR) systems, which you can recognize from customer service calls, and you know you’re talking to a robot,” Nelson explains. “But they started creating versions of them with a lot of pre-recorded messages so they could try to pass them off as human. The robot could actually say something like, ‘How are you doing?’ And then, depending on how you answer, it could go down one path or different paths.”
Cash flow is accomplished in several different ways. The most direct is to convince a victim to make a transfer or provide remote control of their device and lure them into sharing their bank account information. Some “sloppy” scammers try to convince victims to buy gift cards as a way to “pay off debt.”
Another lucrative activity, which can be both legal and illegal, is called “lead generation,” which helps interested parties find potential customers or victims.
Illegal “lead generation” is when they just make phone calls. Often they make false claims, say you’ve won a trip, and collect your details. And then they make money by selling your information to travel agencies or companies offering trips.”
“Ignite and burn.”
Nelson discussed how scammers are adapting to security innovations by detecting and blocking their calls.
Using voice-over-IP (VoIP) technology, fraudsters spoof internal phone numbers.
“The problem is that there is tremendous flexibility in the telephony industry. With VoIP, it’s very easy to create these calls. It’s very easy to get phone numbers. And you don’t just get one phone number and use it. These days, they’re used to what we call hit-and-burn. They take a number, call it quickly until they get caught, and then they just burn the number, discard it and move on to the next one,” says Nelson.
He explains that Hiya analysts or other service providers can easily detect a number being used for spam. Therefore, criminals have to be “much more subtle.” Scammers have moved to short-term phone number rentals and frequent rotation, where criminals don’t use the same number for more than a couple of phone calls – perhaps even one.
“They rent 100,000 phone lines for a day, then they make their calls, and then they just release those lines and get another batch of lines. That way, they’re constantly moving around.”
Right now in the U.S., one-third of spam calls come from phone numbers that have been spotted for illegal activity on the same day, and there are millions of such calls every month.
The three main topics that scammers want to talk about are
A less novel aspect is what scammers tell their victims. This is where the old becomes new again. Usually all the schemes to seem believable revolve around personal finance (debt, loans), health (insurance, programs, treatments) and legal help. Of course, there are other types of scams, such as tech support.
“We haven’t seen any really big creative shifts – just very short-term ones. Scammers are kind of constantly chasing what’s in the news. It’s all just social engineering. They’re trying to tell a compelling story so that as many people as possible will believe it,” Nelson said.
He noted that the scammers’ tactics travel around the world: first, many scams are tried in the U.S., and depending on success, the experiments are moved to other English-speaking markets such as Canada, the U.K. and Australia. Then the Europeans come in for a taste. Again, it all depends on the profitability of the market with the lowest costs.
Nelson also has some ideas as to why some markets may be more susceptible to fraudulent calls than others, as Hiya’s statistics show.
“Brazil, I think, has one of the worst spam problems in the world. I guess the quick answer is that it’s partly a cultural problem, partly a federal problem, and I think the federal plays a pretty big role. It’s a question of how protected the rules of behavior are when it comes to making calls. Are cold calls illegal?” – he opined. “In the United States, you can’t just call someone. Consent is required. Some places don’t have those protections, and that’s why a lot more telemarketing and phone fraud is popping up.”
Nelson noted that in Brazil, telecom operators themselves may be responsible for a large percentage of spam calls, service advertisements or sales pitches.
Even in the U.S., there is debate over how much authority carriers should have to fight back, whether they should be allowed to block suspicious calls and how they will choose which calls to let through.
The KYC, or “know your customer” principle is now gaining traction in the industry. Someone is allowing these calls into the network. Somebody actually connects them to the telephony network and lets them call your cell phone,” Nelson noted.
Telecommunications providers need to be involved in this process to identify fraudsters earlier in the call routing process.” Nelson hopes that ISPs’ awareness of what calls they are routing through them can be a viable basis for combating fraudsters.
“They can try to hide behind lots of different phone numbers, they can do all the short-term operations, but there’s still only one customer for someone. It’s much more expensive to change your business than it is to change your phone number.”
The future could be bleak for AI calls
Generative AI is already being used to deceive. Hiya researchers point out that scammers using voice cloning technology may try to convince victims that a child, grandchild or other loved one is in trouble and needs immediate financial help or a ransom for their release.
In addition, conversations such as: “Hello, can you hear me?” – “Yes” – “Thank you for shopping.”
This is a “yes” scam where callers ask a simple question and the recipient instinctively says “yes.”
That “yes,” recorded and edited later, can be used to authorize a large purchase. In August, the Better Business Bureau issued a “Can you hear me?” scam alert.
The next big wave of spam calls, according to Nelson, will be based on large language patterns, allowing scammers to generate real-time audio without pre-recording, adjusting scripts on the fly.
“This is probably going to be one of the fastest shifts in this industry that’s ever happened because it’s so simple, so easy to use generative AI to do this. So far, we’ve only seen a few cases of voice impersonation attacks,” says Nelson.
So far, phishing attacks targeting specific people have required attackers to gather some personal information about the victim, such as checking their social media accounts. Nelson fears that unique campaigns will become fairly commonplace, requiring little effort.
“Right now they’re just floundering in the water, starting with phishing ideas. But even the mainstream industry is looking at using generative AI and generated voices for customer support centers to provide us with a much better experience of regular calls. So these scammers will probably be the first to do that,” Nelson warns.
Fraudsters have been known to use information from cybersecurity breaches and leaks, allowing them to tweak history, including personal data.
Defense methods remain the same
Although scammers are inventing new methods and developing new lures, it still comes down to their ultimate goal of stealing identity and money or obtaining information.
“The methods of defense are largely unchanged. If you don’t have some level of protection from your carrier, find an app, purchase something that can give you some information before you answer the call. And the only call you can trust is the one you created. Scammers can fake the call they created. They can’t fake a call that you make. So be very careful with incoming calls. If in doubt, just hang up and then call the person you need to talk to. Don’t call them back,” Nelson advises.
Reporting spam calls to the applications or services you use helps providers protect other users.
“Services like ours desperately need this data. It is very useful for us to know firsthand what actually happened during the call,” assures Nelson.