Scam calls: Can you hear me, mother?

Introduction

Sandy Powell was a Yorkshire-born comedian who was well known for the catchphrase ‘Can you hear me, mother?’, with which he used to introduce his radio shows. It may not sound particularly amusing nowadays, but from time to time such catchphrases catch the ear of the world at large, often generating amusement simply through repetition, rather than any intrinsic wit. You might say that they become popular because they’re popular, in the same way that some celebrities seem to be famous for being famous, rather than for any special talent or achievement. In this case, it seems that a phrase originally used as a filler during an awkward moment on a radio show amused his audiences for several decades.

The world has been less amused in recent months by repeated stories concerning a scam where, it’s reported, cold-calling scammers ask the victim ‘Can you hear me?’. According to the Federal Communications Commission:

‘Scam callers [are] seeking to get victims to say the word “yes” during a call and later use a recording of the response to authorize unwanted charges on the victim’s utility or credit card account […]’

Voice signatures

The FCC states that the recorded ‘voice signature’:

‘… can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.’

Articles like this one based on the FCC’s alert have put this scam type in the same bracket as the (still ongoing) tech support scams we’ve talked about so often here, though support scammers have been moving away from simple cold-calling for some time now.

Well, I’m in no doubt about the existence of support scams – otherwise I wouldn’t have been tracking and writing about them for all these years – but I’m not convinced that they’re linked with the so-called ‘Can you hear me?’ scam. But many believe that the nature and (current) impact of the latter has been misinterpreted and overestimated.

Scam or not?

How would it benefit the scammer to accumulate voice recordings of people saying ‘yes’ or ‘OK’?

Snopes, which has a pretty good track record when it comes to sifting fact from fiction and semi-fiction, points out that it hasn’t been able to identify:

‘… any scenario under which a scammer could authorize charges in another person’s name simply by possessing a voice recording of that person saying “yes” …’

Aggregation aggravation

Of course, a scammer can acquire and aggregate other information, such as sensitive financial data, from a variety of sources. It’s all too common for stolen credentials to be used to make purchases for the benefit of the scammer without the knowledge or complicity of the holder of those credentials. In such circumstances, I suppose an edited voice recording might conceivably benefit the scammer as evidence of a verbal contract, if a retailer or service provider was equipped with a database of voice signatures. I don’t actually know of a business that maintains a collection of voiceprints that it can use to verify a customer’s identity in this way (but I don’t know everything!).

The Sunderland Echo, in an article that is largely based on the claims of CPR Call Blocker, asserts that voice signatures really are:

‘… used legitimately by companies to show that you’ve agreed to some sort of a change, usually an upgrade in some sort of plan.’

Similarly, the Independent (in an article also leaning heavily on CPR Call Blocker’s claims) asserts that voice signatures are:

‘… being exploited by scammers who have conned many Americans already, predominantly in Florida, Pennsylvania and Virginia.’

Voice signatures and the law

The Pittsburgh office of the Better Business Bureau cites reports that scammers claim to represent a home security agency, a cruise line, or a social security agency of some description. It suggests that such a recording might be used to sign a victim up for a product or service then used as evidence of the ‘contract’ to threaten the victim with legal action if they don’t pay up.

That might make more sense than a pure voiceprint exploitation scam, in that it doesn’t require the scammer already to have access to credit card data, for instance. I’d hope that litigation based on an easily-doctored audio recording would have little chance of succeeding in court, but then, scammers often rely on intimidation and lack of technical knowledge on the part of their victims: they don’t really want too much exposure in actual courtrooms.

Some articles compare saying ‘yes’ to clicking on an ‘I agree’ box or radio button, but such tampering with a recording is fraudulent and may also be detectable forensically. Bear in mind also that some states and countries have ‘two party consent’ legislation in place that makes it unlawful to record a conversation unless all parties have explicitly consented to the recording.

Any complaints?

Whatever its purpose, there is no doubt that there are plenty of reports and complaints about callers using this ‘Can you hear me?’ ploy. For CNET, Matt Elliot points out that other BBB offices are fielding lots of them. (Hat tip to David Bisson for pointing me to that article.)

But Snopes suggests that these are not reports from actual victims, but from people reporting contact because they’ve already seen warnings that made them suspect malicious intentions. And I’m not going to say that there aren’t scams behind these calls, or some of them at any rate. But, characteristically, people making these reports simply put the phone down, as they’ve been advised, so there’s no follow-through to tell us what these scams might be. Perhaps they’re the types of scam listed by the Pittsburgh BBB, perhaps not.

Any explanations?

Elliot suggests that there might be a simpler explanation: spammers and scammers simply wanting to confirm that there is a ‘live’ potential victim who ‘… will answer calls from unknown numbers’, perhaps with the intention of selling such numbers on to other cold callers.

Well, maybe. But there might be an even simpler explanation.

While some businesses are moving away from untargeted cold-calling, some still use a scattergun technique, aiming to hit as many phone owners as possible.

Call centers don’t just seat individuals at a desk to pick up a phone, dial, and wait for a response: they use dialer software/hardware rather than sit there all day wearing out their fingers on a telephone touchpad.

There are several modes in which dialers might be set up to work, but the most ‘productive’ (in terms of volume of calls processed) is often considered to be predictive dialing.

This approach aims to minimize or even eliminate the time between calls, by using a ‘pacing algorithm’ to calculate when to begin the next call, and matching it to the availability of an ‘agent’. Sometimes, the algorithm fails. That can result in that annoying phenomenon when you pick up the phone and all you hear is the call being disconnected, because there isn’t an agent available to make the sales pitch at that moment. (Alternatively, you may get a recorded message instead of a greeting from a live agent.)

And sometimes (quite often, I suspect) the agent isn’t connected to start the pitch at exactly the moment you pick up the phone, but does pick up before the software drops the connection. But he or she doesn’t want to waste time if you’re already in the act of putting the phone down, so wants to be sure there’s still someone on the line. At the same time, agents may not want to make it too obvious that they are being managed by an automated dialing system. Even if you aren’t aware that you’re lined up in a sort of queuing system, they don’t want you to think you’re not getting instant attention because they’re taking a sip of coffee or combing their hair. So they make some excuse such as ‘I must have had my headset on wrong or something.’ Which might even get them a little sympathy.

Well, that’s my theory, but it is just a theory.
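The dialer behaviour described above can be reproduced in a small simulation. This is an added example, not code from the article or from any dialer product; the pacing rule (keep idle agents × overdial ratio calls ringing) and every parameter value are assumptions chosen for illustration.

```python
import random
from collections import deque
from dataclasses import dataclass

@dataclass
class Outcome:
    answered: int = 0
    prompt: int = 0     # agent is on the line the moment the call is answered
    late: int = 0       # agent joins after a pause ("Can you hear me?")
    abandoned: int = 0  # no agent in time: silence, then disconnect

def simulate(agents=10, overdial=1.0, answer_prob=0.3, ticks=3600,
             ring=(5, 20), talk=(20, 90), hold_limit=2, seed=1):
    """Toy predictive dialer, one tick = one second (all values assumed)."""
    rng = random.Random(seed)
    busy_until = [0] * agents  # tick at which each agent is next free
    in_flight = []             # tick at which each ringing call resolves
    waiting = deque()          # answer tick of callees waiting for an agent
    out = Outcome()
    for t in range(ticks):
        # Ringing calls resolve; answered callees join the wait queue.
        due = [c for c in in_flight if c <= t]
        in_flight = [c for c in in_flight if c > t]
        for _ in due:
            if rng.random() < answer_prob:
                out.answered += 1
                waiting.append(t)
        # Hand waiting callees to free agents, oldest first.
        for i in range(agents):
            if waiting and busy_until[i] <= t:
                if waiting.popleft() == t:
                    out.prompt += 1
                else:
                    out.late += 1
                busy_until[i] = t + rng.randint(*talk)
        # The dialer drops callees who have waited too long.
        while waiting and t - waiting[0] >= hold_limit:
            waiting.popleft()
            out.abandoned += 1
        # Pacing: keep (idle agents x overdial) calls outstanding.
        idle = sum(1 for b in busy_until if b <= t)
        target = int(idle * overdial)
        for _ in range(max(0, target - len(in_flight) - len(waiting))):
            in_flight.append(t + rng.randint(*ring))
    return out

if __name__ == "__main__":
    for ratio in (1.0, 2.0, 4.0):
        print(ratio, simulate(overdial=ratio))
```

With an overdial ratio of 1.0 every answered call finds an agent immediately; the late and abandoned counts at higher ratios correspond to the delayed greeting and the dead line described above.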

Keeping your head down

So what can you do to reduce your exposure to risk from scam calls generally?

  • Well, it won’t do any harm to avoid saying ‘yes’, even if the risk of being recorded may be overstated. ‘I can hear you’ or ‘What do you want?’ will do just as well. Or you could just put the phone down, especially if the caller ID is withheld. That’s not practical for everyone: sometimes there are legitimate reasons for withholding ID, and some of us have to take that into account. But if you can’t think of a reason why you should accept a call from an anonymous source, there’s no harm in just letting the phone ring. (Bear in mind, though, that it’s also possible to ‘spoof’ a caller ID so that it appears to be from a legitimate source: the fact that a number has not been withheld doesn’t mean it’s genuine.)
  • Subscribe to the FTC’s Do Not Call list (or to a local equivalent such as the UK’s Telephone Preference Service). That won’t stop all unsolicited calls, of course. Some may be legitimate exceptions to the service, and calls from outside the service’s jurisdiction are likely to continue. But it will winnow out some of the chaff.
  • Don’t give out information over the phone to unsolicited callers, or to those whose identity is not verifiable.
  • Keep an eye out for anomalies in bank and credit card statements. If there’s something that doesn’t look right, contact the provider as soon as you can.
  • Don’t be afraid to be less than polite to cold-callers you suspect of wasting your time or trying some scam. Courtesy is a good thing, but some spammers and scammers will just regard it as weakness and try to take advantage of your good manners.

by David Harley, ESET We Live Security

