Why Phone Fraud Starts With A Silent Call
Here's an experience some of us have had. The phone rings. You pick it up and say "Hello. Hello. Helloooo." But nobody answers.
It turns out there could be someone on the other end of the line: an automated computer system that's calling your number — and tens of thousands of others — to build a list of humans to target for theft.
Build A List
Vijay Balasubramaniyan, CEO of Pindrop Security, a company in Atlanta that detects phone fraud, says that in any number of ways, the criminal ring gets your 10 digits and loads them into an automated system.
Maybe you gave your number to Target or some other big retailer that got hacked. Maybe you entered an online raffle to win a free iPhone.
That initial call you get, with silence on the other end, "[is] essentially the first of the reconnaissance calls that these fraudsters do," Balasubramaniyan says. "They're trying to see: Are they getting a human on the other end? You even cough and it knows you're there."
Gather Account Information
The next step is gathering information about your bank or credit card account. You get a call with a prerecorded voice that tells you, for example, "[we're] calling with an important message about your debit card. If you are the cardholder please stay on the line and press 1. Otherwise please have the cardholder call us at 1-877..."
If you're thinking about ignoring it, the message tries to scare you into paying attention with a warning: "A temporary hold may have been placed on your account and will be removed upon verification of activity."
That number leads to another automated system that prompts you to share personal details like your date of birth, your card number and secure PIN, the expiration date, your Social Security number.
It can be tricky because many real banks have a similar system. And, Balasubramaniyan says, fear does kick in. He recalls a big scam in 2014 in which criminals pretended to be the IRS calling to collect back taxes. (The agency says the scam is still going on.) If you wanted to call back or have time to talk to your spouse before paying over the phone, the fraudster wouldn't let you go.
Balasubramaniyan recalls, "They're like 'OK, if you want a moment to process this, we're going to send the law enforcement in front of your doorstep.' "
Pindrop keeps a "honeypot" — about a quarter-million phone numbers that aren't being used by real people, which the company uses for research. Workers enter the numbers into sweepstakes and online databases, to see what kind of fraud hits.
Company researchers estimate 1 in every 2,200 calls is a fraud attempt. And they've observed an interesting detail about the fraudulent 1-877 numbers. If you call back from your phone — which the criminals dialed — you get the prompt to enter personal data. If you call back from somewhere else, you get "this number has been deactivated." So a regulator or police officer that's trying to crack down will think, incorrectly, it's out of commission.
Once the criminal ring scrapes enough information on you, it has humans call your financial institution. Banks and credit card companies hire Pindrop to help them detect fraud.
In a real-life example, provided by one call center, the operator has a hard time hearing the caller and apologizes.
The caller, who is pretending to be the account holder, wants to know his available credit — to make sure the account is worth pursuing.
"Got it," the operator says, eager to provide good customer service. "Your available credit is $34,999."
That's good money. The caller says, "OK, can you help me update my address today?" and he proceeds to take over the account.
Now, there are clues that the guy calling isn't legit. There are long breaks in his voice when he says, "I'd like to know the available credit in my account."
Internet-based phone services divide your voice into little packets, wrap them up and ship them across the network. If a packet gets lost, you get a break in the audio. The size of the break varies, by country and by network conditions. The specific device you use (Samsung Galaxy, MacBook Air, for example) and the voice itself give additional clues.
Pindrop has a tool that puts about 147 clues together and rates how trustworthy the caller is in real time. So an operator can tell, Balasubramaniyan says, "this call is supposed to come from a landline in Atlanta, but the audio is telling us it's a Skype call from West Africa."
There's no similar tool available for the average person. Balasubramaniyan says your best bet is to make sure the number you're calling matches the number on the back of your credit or debit card, or the bank's website.
Pindrop declined to name its clients, because of nondisclosure agreements, but it says three of the four biggest banks use its services. The startup has gathered millions of samples from call centers and, based on analysis of unique callers and devices, Balasubramaniyan believes his team has identified a specific criminal group in Nigeria.
The ring, nicknamed "West Africa One," has a dozen members according to Pindrop. And they have varying skill levels. If a bank account has a larger credit line, it goes to one particular fraudster who's particularly adept at manipulating call center operators.
"The fraudster who's attacking the $100,000-and-more account has so much information at his disposal, he's done so much research on the account, that he's flawless on his call," Balasubramaniyan says. "When the call center agent asks him a particular question, the way he answers, the pauses that he takes, all of that is a work of art as compared to someone going after the smaller-sized accounts."
Balasubramaniyan says while Pindrop has shared this information with its clients, he does not know if they are pursuing criminal investigations.
'Just Hang Up'
The FTC is trying to combat the rising number of illegal automated phone calls.
"It is the No. 1 consumer complaint that we receive," says Patty Hsue, an attorney who leads the FTC's effort against robocalls. The agency receives an average of 170,000 complaints per month about robocalls, she tells NPR's Audie Cornish.
The FTC recommends that consumers "just hang up" on the robocalls.
"We don't want consumers to engage in any way with robocallers," Hsue says. "A lot of times when you get a robocall you have the option of pressing 1 for more information or pressing 2 to ask to be removed from the list. And in either case, pressing 1 or 2 basically lets the robocaller know that it's a live person on the other line who's willing to engage and that could lead to additional robocalls."
Copyright 2020 NPR. To see more, visit https://www.npr.org.