
These days whenever I hear an Indian voice, I just reject the call. The way they target grandparents is surreal. One day they told my friend's parents that their children were in an accident and they had to pay in gift cards. It is so distressing to elderly people.

The US must take strict action and call out India publicly. Elderly people are weak; education isn't going to solve the scam problem. Scammers must be punished harshly. They erode the trust in the system.

Also, the Indian government is not doing anything. In many places like Kolkata, scammers can get away easily by bribing police. Our phones are being redirected to India, and they can abuse our phone number. I wish the US government would pass strict rules and regulations to keep these scammers in check.



Telcos could put a stop to this if they really wanted to. Start with disabling number spoofing for international calls: if the number presented isn't in the country of origin, then reject the connection request. Another choke point is the gift card system.


There’s a common scam on Facebook Marketplace for sellers. They contact you and are interested in buying what you have. Once they have your phone number they send a Google verification code and ask you to send it back to verify each other.

The goal is to set up a US Google Voice number to abuse later.


My wife gets a million hits on stupid items on FBMktPl.

This makes so much sense. Thanks!


I experienced this, but am tech literate, so did not reveal pin.

But I had wrongly assumed that Facebook marketplace would experience less scam than craigslist because verified users would be their competitive advantage


Yes and uhh.

At some point, the way to fight crime is to fight crime. It's not that hard to find and prosecute most call centre scammers.

A lot of these scammers would not do it if there was risk. They're not often hardened criminals.


I thought this was the whole point of STIR/SHAKEN protocol the FCC requires, but maybe there are still some providers that are exempted?

https://en.wikipedia.org/wiki/STIR/SHAKEN


Only about a quarter of the 10k telcos covered by the FCC have adopted STIR/SHAKEN in the year since the deadline.

The FCC has started enforcement actions, in October they announced they are cutting off seven telcos who failed to comply. Only ~7000 more to go!


Is it also for SMS? It's 99% spam and 1% 2FA codes to log in to stupid banks.

No way to selectively block SMS on phones (at least natively). Only reason I don't disable it completely is due to the 1 percent


It’s bonkers to me that gift cards are so readily available to enable these scams. There’s no way the gift card providers (Target, etc.) don’t know about this, but they go out of their way to make it as easy as possible and make sure there is zero support available for scams.

It’s so infuriating. I know people who have lost hundreds of dollars to people impersonating US Social Security and immigration officers. The gift card providers do not care. The impersonated government agencies do not care. The local police do not care. The phone companies do not care. There is total and utter impunity for everyone perpetrating and enabling these scams.


Every store I've been in within the past couple of years has had warnings posted everywhere not to buy gift cards and read the codes to unknown people over the phone.

I'm not sure if there's an alternative, since I'd seriously rather ID not be required to buy or use a gift card.


Consider that many victims might be new to the language, new to the country, and know very little about the culture except that they absolutely must immediately and carefully comply with all instructions from US immigration regardless of how arcane and bizarre.

And as far as making gift cards safer, shouldn’t that be the responsibility of the gift card providers, not to mention regulators tasked with consumer safety? Why is it that the scammers seem to ask for gift cards rather than, say, banking details? (I’m sure there’s also some banking scams, but I have a feeling there’s non-zero recourse for victims in those cases.)

If it truly is somehow impossible to make gift cards safe to use, then I’m convinced society could survive without them. But I doubt it’s impossible. I suspect gift providers deliberately go out of their way to make sure victims have no recourse.


Gift cards are hugely profitable for companies so I can see why they’d be happy to turn a blind eye.


The Feds already started on this with STIR/SHAKEN protocol which has been mandated by the FCC for most carriers in recent years.

However, just like email spam, stopping spoofed calls is harder in practice than in theory.


It can be very easy, depending on your comfort with breaking existing systems. Disable all inbound international calling and you no longer have a problem. That would remove 99% of spam and would have zero negative impact to 99% of individuals who receive calls.

Of course, businesses with a lot of money care about use cases in that last 1%.


Can't you disable international calls only for individuals who don't need them?


A carrier could probably do that, individuals could not. The challenge is that caller ID is generally kinda like your email display name: It doesn't mean anything. The important part, which STIR/SHAKEN is adding verification requirements to, is what telcos are actually involved in the exchange.

I'd love a setting I could flip to disable inbound voice calls from any carrier that isn't like... Verizon, AT&T, T-Mobile, and Comcast.


Can't they implement a system like DKIM, SPF, etc.? Not aware of the technical reality of telcos, but international number spoofing should be easily solvable, as billing is done through the origin location.


It's still in the early days of even deploying signing. Telcos are dragging their feet asking for exemptions and delays. Once virtually all calls are signed, then there has to be agreement on when to block unsigned traffic, and finally whack a mole with banning spammers and KYC to keep them banned.


> However, just like email spam, stopping spoofed calls is harder in practice than in theory.

Is it really? Couldn't the carriers simply require a certificate to allow you to spoof a phone number?


Yes, that's exactly what STIR/SHAKEN does - in theory. In practice, like most complex systems, mandating a change like this requires software and hardware upgrades and compatibility testing, all of which takes time. The FCC tracks >10k telcos and providers. Last time I checked, only a quarter of the companies had fully implemented STIR/SHAKEN since the deadline and the FCC has recently started enforcement action on telcos that have ignored it. There is some evidence it has reduced spoofed calls, but just like email, the scammers have also moved to adapt their techniques.

https://www.fcc.gov/document/fcc-remove-companies-robocall-d...


The most legacy of systems. They didn't even get rid of human operators until 1970 on Catalina island. https://youtu.be/jitW_yLwihI

SS7 doesn't have a clean way to do this hence needing to make SHAKEN/STIR, but I don't think anyone did the signalling work for POTS.


Indeed, with the gift card system... how does $10 billion get laundered through gift cards like that?


Is it possible to simply pass them around like currency? Eventually the holders will want to buy something from Amazon.

Or, you invent a shop that also trades on Amazon and "buy" the stuff from yourself. That might explain some odd shops that you see online.


No they can't. The scammers will just hire a random person from indeed/monster/whatever, ship them a SIM box and tell them to fill it with prepaids.


You tackle these things one obstacle at a time. Telcos are borderline complicit in this today; they don't have to be. Note that in some countries these scams are far more prevalent than in others, they'll go for the low hanging fruit first just like any other business. Make it harder and definitely there will be a response, and then you aim to tackle that one. Shipping a SIM box would already be much more work than just changing a number in a database. Requiring that a phone number is used in the country of origin before you allow it to roam is another step in that process, and so on. Rome wasn't built in a day and I'm sure that getting rid of this problem is going to be a series of steps.

But as long as telcos willingly cooperate and allow remote call centers to basically pick any number in the locality of the recipient even though that number is not currently roaming in India they are making things much worse.


> Note that in some countries these scams are far more prevalent than in others, they'll go for the low hanging fruit first just like any other business

The reason for this is language barriers, it's not some countries doing things better than others.

> Shipping a SIM box would already be much more work than just changing a number in a database

They don't even actually need to ship one, there are thousands of them operational already. This is a massive industry.

Even if you cracked down hard on SIM boxes, the scammers will just purchase routing from botnets. This won't really impact their costs, and will be essentially impossible to take any meaningful action against.


Yes, but that would at least put them at the same level as burner phones with a physical presence required in the target country (or close to it).

Anyway, since you are willing to shoot down each and every suggestion in this thread short of rolling over and accepting the damage how would you tackle it?


Can you give a single example of similar fraud being successfully tackled? Not just the scammers being caught, but the entire scam being rendered unprofitable.

European authorities haven't managed to do anything about the car selling scams Romanians have been running for decades now. Nobody has managed to do anything about the Nigerian prince scams. BEC with truly shitty phishing pages keeps on growing and growing.

The best bet would be for US authorities to force India to crack down on these activities and prevent these scams from operating at an industrial scale.

The actions you propose would work well to address lower return activities, such as marketing robocalls. They can not work to address high-return scams.


If we can make it harder to run a scam call business by changing things on our end, and these changes do not impede non-fraudulent use, why not go for it?

I don’t see why you’re pushing so hard against this line of reasoning, I guess. You’re making it sound like a hopeless endeavor to even try, in a “don’t lock your doors because thieves will just use lock picks” kind of way.


> If we can make it harder to run a scam call business by changing things on our end

How much harder? If your changes increase the telephony costs of a scam call centre from 0.001% of revenue to 0.002%, you have not actually made their operations harder.

> and these changes do not impede non-fraudulent use, why not go for it?

Because these changes would not be free.


> Can you give a single example of similar fraud being successfully tackled?

Plenty of such cases here locally. Your point about the language barrier is on the money though, I never really gave that much thought but the number of Dutch speakers in India is most likely so low and the market so small that it isn't worth a massive campaign to them. Especially not if there are millions of gullible people in markets that are more accessible to them.

As for forcing Indian authorities: I've seen up close how corrupt things are there and I have very little hope that that would be a viable avenue to resolution of this problem.


> Plenty of such cases here locally.

I'd be super curious to hear about any local success stories.

> As for forcing Indian authorities: I've seen up close how corrupt things are there and I have very little hope that that would be a viable avenue to resolution of this problem.

Then you're left with education. These scams are very profitable and can easily afford resistance from telcos and banks.


Most of these scammers already have physical presence in the US. I feel the solution is probably to be found in more policing and prosecution than in creating tiny obstacles.


Maybe some lawsuits are in order. There might be a case to be made that theft is occurring on these telco networks, and they should be held liable.


There's no reason consumer SIMs should be able to call more than N distinct numbers in any 24h period. You can implement reasonable rate limits to prevent abuse.

However, even if we assume that SIM boxes are a magic solution to carrier interventions, that still raises the cost from the current status-quo. Implement enough of these barriers and the entire scam operation becomes unprofitable and no longer worthwhile.


> There's no reason consumer SIMs should be able to call more than N distinct numbers in any 24h period.

Oh jesus please no, what's next?

There is no reason a consumer oven should cook more than 5 meals a day. There is no reason a consumer toaster should toast more than 10 times a day.

The bread you make yourself is unauthorised in a toaster.


The difference between this and cooking/toasting bread is that your bread-making activities have no way to negatively affect someone else - we don't have an epidemic of spammers paying people to bake "underground bread" in their homes.

Of course, an override should be provided - the restriction should be relaxed over time once the account is established for a long time without any complaints.


What you are describing is already done by carriers in countries with high SIM box usage. (Basically, it costs ~$0.01/min to make a local call in Nigeria but $0.25/min to make an international call to Nigeria, so people there set up SIM boxes and Asterisk to terminate calls locally and profit the difference between these rates. The reason it costs $0.25/min to call the official way is due to many governments taxing incoming international calls because they see it as an easy way to raise revenue at other people's expense.) But anyways, because governments don't like this kind of arbitrage, they force carriers to add detection mechanisms. So they check for a high ratio of outbound to incoming calls, a high number of distinct phone numbers called, 24/7 usage patterns, etc. Except Africa is still losing a few billion dollars a year to this kind of toll bypass because it is still massively profitable (see https://en.antrax.mobi/request-pricing/ for example) and these changes just require them to rotate SIM cards slightly more often. Essentially what I am saying is that unless you can reduce the fraudsters' margin by a substantial amount you are wasting your time.
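The three carrier-side signals named in the comment above (outbound-to-inbound ratio, distinct numbers called, 24/7 usage), computed over one day of call detail records; this is an added example, not part of the original thread and not any carrier's real system. The record layout, thresholds, subscriber labels and sample traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CDR:
    """Minimal call detail record (assumed layout, not a real carrier schema)."""
    caller: str
    callee: str
    start: datetime
    seconds: int


# Assumed thresholds for a 24h window; a real deployment would tune these.
MIN_OUT_IN_RATIO = 20.0      # outbound calls per inbound call
MIN_DISTINCT_CALLEES = 50    # different numbers dialled
MIN_ACTIVE_HOURS = 18        # hours of the day with at least one outbound call

SAMPLE_DAY = datetime(2023, 1, 1)


def analyse(cdrs, window_start, window=timedelta(hours=24)):
    """Return {subscriber: [names of tripped signals]} for one time window."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "callees": set(), "hours": set()})
    window_end = window_start + window
    for c in cdrs:
        if not (window_start <= c.start < window_end):
            continue
        s = stats[c.caller]
        s["out"] += 1
        s["callees"].add(c.callee)
        s["hours"].add(c.start.hour)
        stats[c.callee]["in"] += 1

    report = {}
    for sub, s in stats.items():
        reasons = []
        # A line that is never called back has in == 0; avoid dividing by zero.
        if s["out"] / max(s["in"], 1) >= MIN_OUT_IN_RATIO:
            reasons.append("out_in_ratio")
        if len(s["callees"]) >= MIN_DISTINCT_CALLEES:
            reasons.append("distinct_callees")
        if len(s["hours"]) >= MIN_ACTIVE_HOURS:
            reasons.append("round_the_clock")
        report[sub] = reasons
    return report


def flagged(report, min_signals=2):
    """Require several signals at once so one busy habit alone is not enough."""
    return sorted(sub for sub, reasons in report.items() if len(reasons) >= min_signals)


def build_sample():
    """Constructed traffic: one gateway-like line and two ordinary subscribers."""
    cdrs = []
    # sim-A: 5 calls every hour, all day, each to a new number, never called back.
    n = 0
    for hour in range(24):
        for k in range(5):
            start = SAMPLE_DAY + timedelta(hours=hour, minutes=10 * k)
            cdrs.append(CDR("sim-A", f"dest-{n:04d}", start, 90))
            n += 1
    # sub-B: a handful of calls to and from the same three contacts.
    for i in range(6):
        cdrs.append(CDR("sub-B", f"friend-{i % 3}", SAMPLE_DAY + timedelta(hours=9 + 2 * i), 300))
    for i in range(5):
        cdrs.append(CDR(f"friend-{i % 3}", "sub-B", SAMPLE_DAY + timedelta(hours=10 + 2 * i), 300))
    # sub-C: heavy but daytime-only personal use, with half the contacts calling back.
    for i in range(60):
        start = SAMPLE_DAY + timedelta(hours=9 + i % 9, minutes=i)
        cdrs.append(CDR("sub-C", f"customer-{i:03d}", start, 60))
    for i in range(30):
        start = SAMPLE_DAY + timedelta(hours=9 + i % 9, minutes=30)
        cdrs.append(CDR(f"customer-{i:03d}", "sub-C", start, 60))
    return cdrs


if __name__ == "__main__":
    result = analyse(build_sample(), SAMPLE_DAY)
    for sub in ("sim-A", "sub-B", "sub-C"):
        print(sub, result[sub])
    print("flagged:", flagged(result))
```

The heavy daytime caller trips only the distinct-numbers signal and stays below the two-signal bar, which is the false-positive concern raised against a flat per-day call limit elsewhere in this thread.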


> There is no reason a consumer oven should cook more than 5 meals a day. There is no reason a consumer toaster should toast more than 10 times a day.

Consumer ≠ business/commercial. A home oven (or toaster, fryer etc) isn't made for such use, a commercial one is. You should really spend the monies in commercial gear if you're gonna feed such hordes of people.

Similar thing with SIM cards. Why would a normal person be making 100+ calls a day on a simple, personal line? That's clearly commercial use and as such, it oughta be regulated somehow.


And what do you propose would be such a reasonable rate limit?

> However, even if we assume that SIM boxes are a magic solution to carrier interventions, that still raises the cost from the current status-quo. Implement enough of these barriers and the entire scam operation becomes unprofitable and no longer worthwhile.

Why do you assume that the call routing is a meaningful cost to these operations? For all we know they spend less than 0.01% of their revenue on call routing.


No, not with that mindset. Security is about creating obstacles. Obstacles create friction and traces, even when they fail.


Using SIM boxes is already standard practice; sketchy VOIP providers and SMS spammers have been doing it for years because it is cheaper to do this than to pay for legitimate routing.

Just put something along the lines of "sim box grey route" into Google and you'll find loads of relevant industry materials.

Besides, you're drastically moving the goalposts here. We went from "could put a stop to this" to minor obstacles.


Yeah, I do not see how stopping the spoofing (which I am all for doing) would be anything but a minor inconvenience for them.


I think the subtext is that given valid caller IDs, then block lists can be made. The US FTC might manage them like it does the do-not-call lists, or perhaps the US Attorney's office, after some criminal complaints.

Ideally, the telco would implement these block lists, but also ideally, they could be traded around like web ad block lists for individuals to load on their phones.

I think we all know scam calls are a serious source of revenue for carriers, so they will need to be led to this conclusion by force.

None of that happy future would come without true caller ID, thus the resistance from carriers to fixing spoofing.


> I think we all know scam calls are a serious source of revenue for carriers, so they will need to be led to this conclusion by force.

Why would they be a major revenue source? The carriers make their money from normal users, not dodgy call centers.


Logically, there must be enough benefit for them carrying spoofed robocalls to risk regulatory attention AND driving away all their voice revenue. Many people have stopped answering their phones altogether since voice calls became unusable.


Voice revenue has been replaced by cellphone bills which are mostly broadband.


Phone companies make money by the minute.


Stopping the spoofing makes it easier to provide actionable reports.

Right now, an actionable report really needs a traced call, which is hard to actually make.

Certainly, it doesn't get you right to a chargeable person, but it gets you a lot more than today.


Enough minor inconveniences and the barrier to entry will go up, this will favor the larger players but those you can then go after with other means. It's never going to be a one-stop solution.

Ideally there would be a warning that a call does not originate locally, routing the call through a local representative would generate yet another signal that you might be able to close off, including the possibility to declare the possession or hosting of certain gear illegal. You'd have to maybe do some pattern matching to spot problematic numbers and/or have a place to report them easily.

If the will was really there I'm pretty sure this problem could be tackled.


> If the will was really there I'm pretty sure this problem could be tackled.

Probably, but not with any of your proposed methods. I have talked with some SMS spammers and none of what you proposed would affect them. And for SMS spammers these inconveniences are a much bigger part of the cost of doing operations than for a company which needs to have employees in a call center. They have to spend a lot of money on buying new SIM cards as old ones get blocked.


SMS spammers could be tackled with a couple of regexps if the will was there. The fact that these scams still work is a sign to me that there simply is no will to tackle any of this at the telco level. They know exactly what is going on.


There is already keyword filtering. Try using the word "election" in SMS at a certain time of year. A certain US political party complained about this. E2EE is not compatible with content based filtering.


Lots of telcos are doing exactly this, doesn't really work very well. The spammers just switch to more generic messages you can't realistically filter out.


Have you seen how elaborate schemes small players on sites like crimemarket.is engage in for their scams?


Wow that site was trippy. It’s easy to forget what the dark side of the web looks like


Yeah, and this is almost the bottom of the food chain, the only people below crimemarket are those too dumb to use internet forums.

Anyone can easily buy European bank accounts opened with fake IDs, or money laundering services where you're provided an IBAN and receive a % of the money sent there to your cryptocurrency wallet.

Want a fake passport good enough to travel with? No problem, will just run you a 1000 euros.


Couldn't this be fixed by restricting international roaming of US SIMs into countries with high rates of call scams?


Nothing says that they cannot put the SIM box in e.g. the US or Canada. It does not have to be in India.


No, the SIM boxes live in the US.


Edit: I was thinking of a totally different gift card scam. Whoops

Gift cards should require some amount of destruction in order to get to the actual barcode… something to make tampering obvious.

The same way clothes have a little ink exploder the clerk removes… just a quick easy step that is destructive to the packaging… but still presentable when you give it to someone


The scams work by getting the victim to send the codes to the scammer. They don’t care about the physical cards.


Wait, how would this stop phone scams?


Nothing can stop that. The goal is lowering the victims / profit. How to do that, that's the question. It comes as no surprise to me that poor countries (with bribed police force) try to scam rich ones.


How would this affect the profits?


Gift cards don’t have a value until you purchase them, the package is meaningless. The barcode is scanned and the value is added when the transaction is completed.


They already do? Usually I see gift cards packaged in a sealed paper envelope, and the redemption code itself is covered up with tamper-evident paint.


I had to instruct my elderly father to do the same -- any kind of accent and he hangs up. He got scammed by one of these people in 2018 or so -- he gave the person his debit card number over the phone to remove malware on his computer while I was out on a super-long run. Luckily he couldn't remember his PIN, and his bank was great at blocking the charge. There's a special place in hell for these animals who prey on old people.


These days I’d recommend just not answering any unrecognized number. If they’re waiting for a call for some specific reason, they can look at voicemail transcripts to see if it’s the call they were expecting and call back. Otherwise it’s best to ignore any incoming calls. Anything truly important won’t use a phone call as the only contact method.


As bad as it is to say, I mostly do the same.

You'd think India would be on top of this and come down hard. If folks just start associating Indian accents as 'scammers', businesses abroad that currently rely on outsourcing support and other services are going to eventually have to pull out. You can't run effective customer support if the customer assumes you're a bad actor just because of your voice and hangs up.


I’m not sure businesses care. Everyone I know associates Indian accent with either scam or useless call center rep who can’t actually see the account or help in any way. India is often given the informational customer service, and only Americans can make account changes. Or someone not in India at any rate.


And it's not just the accent. The popular guidance on /r/scams is that if an email uses the word "kindly" where a native English speaker would say "please", it is vastly more likely than not that it is a scam.

Unfortunately, that use of that word is popular among Indians, but any half-measure guidance leaves room for an already susceptible mark to convince themselves that maybe this email is not a scam.


> You'd think India would be on top of this and come down hard.

They "try", but the scammers just pay off the cops


Of course that won’t really help.

The vast majority of scams are “romance” scams.

These are people who don’t have accents but good job prejudicing your father against a whole group of people while not actually protecting him from scams.


It's right in the article, at the bottom, that romance scams only account for 1/10th of the total money taken in 2022.


> The vast majority of scams are “romance” scams.

Do you have any sort of citation for that?


https://www.sanas.ai/

Be warned. AI accent changers will eliminate that line of defense as well.


I’m worried what will happen when deepfaked voices improve to the point that you can get a realistic impression with only a very small training set. Imagine receiving a phone call in the voice of a family member telling you that they’re in serious trouble.


I once got a spear phishing call from a scammer claiming to be the CEO of the company I work for. Even though I barely know the CEO, the phrases he was using were obviously wrong.

I'd imagine that's even more obvious for any family member. If a family member calls from any number that's not their number, my first question will be an honest "How the heck did you remember my phone number?"


Pretty soon it'll eliminate call centers. One person will be able to use AI to mass-robocall millions of people.


The answer? A scam call answering AI bot which engages with the scammer (or the scammer AI bot) and wastes as much of their time and international call fees as possible without giving them a valid bank account or gift card number, Kitboga[1]-style. As soon as you detect the call is coming from a scammer, you push a button and your phone takes it over from there.

Eventually we'll just have a network of AI scambots calling up AI scambaiters and having completely useless conversations in synthesized English with each other for hours upon hours and nobody will remember why.

1: https://www.youtube.com/@KitbogaShow


What a dystopian, terrifying prospect.

On a personal level I keep a referee's whistle handy in case I'm talking to a scammer live. They are usually wearing headsets and any damage I can do to their hearing with that may save an old person's savings in the following few minutes. Best technique is to speak softly so they turn their volume up, then let rip on the whistle.


It gets more terrifying. Soon whistles will be useless because scammer AI bots with synthesized speech won't be affected.


Thankfully that’s still easy enough to spot - it sounds like a better version of those early speech synthesizers we played around with as kids in the nineties - but I can see the elderly having trouble distinguishing it from a real voice.


You're a lot more patient than me. I've stopped answering calls from unknown numbers. I get 3-4 calls per day, which luckily I can auto-ignore on iOS.


Make sure your voicemail provides a verbal escalation path for a loved one who needs to reach you from an unknown number (first responder, jail, hospital, etc).


Yeah, no, this works great until you get an actually important call from a previously unknown number (hospital, job interview, etc.)


They can leave a message or text. I have been doing this for years as this is the only way to be able to use a phone line without getting crazy. If your number is not in my phonebook you go to my voicemail.


That is a cost I will accept. I used to get about 3 robocalls per day, or 1000 robocalls for every legitimate unknown caller. There is a fundamental tradeoff between optimizing for minimizing false positives or false negatives.


Only problem I have is with delivery or restaurant reservations,

so I unpause the silence during that time.

The hospital is def an issue, I don’t have a great solution there, especially for unplanned emergencies.


Anyone who calls me versus emailing/texting is not getting to me, full stop.


I had to get a second phone with a new phone number that I only give out to close friends and family.


Maybe they should have sent an FBI liaison earlier. Or maybe they should consider appointing an ambassador to India, 2 years into the new administration.


> The way they target grandparents is surreal

My grandmother got hit with one of these, she has a weak heart and was in severe mental distress all day because she couldn't get ahold of me to confirm what the scammers were telling her.

I try not to judge others, but what monster can do this for a living?


> education isn't going to solve the scam problem

If someone is being told that yadda yadda (story doesn't matter) and they have to pay in gift cards, and they seriously believe that, then surely education seems to be the right fix.

Rule no. 1: Gift cards = scam.


Just install Truecaller on their phone.


Your intention might very well be good but this is very bad advice, please do not install Truecaller! This app is a privacy nightmare. From accessing your phonebook/contact info to location, it has been known to be responsible for leaking information of journalists and for storing user data without consent.

> While TrueCaller may have laudable intentions, the privacy implications for people who end up in their database raise concerns. When a number is tagged, the person who is tagged ends up having their name and phone number stored on the TrueCaller database, despite not having consented – or even being aware – that their data was collected.

- https://privacyinternational.org/node/2997

Some of the features require excessive permissions.

- https://support.truecaller.com/support/solutions/articles/81...

- https://globalvoices.org/2022/10/14/the-true-colours-of-true...


My experience with Truecaller is that it does just about nothing. I suspect that by the time a number has been marked as spam, the offender has already switched to a new number. I wouldn’t be surprised to learn that scammers were monitoring Truecaller and its ilk to determine when to change numbers.


The basic problem is that in a highly unregulated & legalistic economy & polity like the United States, failures such as these are not easily corrected, especially where everyone except the weak makes money. Everyone who could stop this is making money: the telco operators, Amazon, the banks. And everyone is weighing the cost of taking any legal or other action and is maximizing their own gain... nobody is really looking at whether this is socially good.

Contrast this with how the Singapore government in a similarly highly capitalist economy dealt with this - basically telling banks - "you'd better make good the consumers & deal with your holes or else" https://www.channelnewsasia.com/singapore/mas-will-consider-...

In many ways in domain after domain, US nowadays seems to act as the "economic proving ground of the world" where lax regulation allows a million ideas to flourish. Then folks in other parts of the world seem to take the best winning ideas, figure out how to make it work in a socially & governmentally acceptable way in other parts of the world and out-compete the US originators (eg. how Uber, Lyft, Amazon, US based social media firms have effectively been pushed out of dominance in Asia)


Consideration needs to be made when thinking that a policy which works in Singapore, one of the smallest countries in the world by area and one with a strong tradition of rather strict governance in the modern era, can be applied to vastly larger ones with some pretense of respect of constitutional civil rights and a history of distrust of strong government.



