Avoiding Robocall and Phone Fraud
Every day, companies across the globe are targeted by fraudulent groups that seek to deceive unwitting people. And every day, a small percentage of these calls succeed in stealing either sensitive information, money or both from businesses that aren’t informed on the ways of the modern phone criminal. The caller will tell a persuasive story, pair it with aggressive sales tactics, and eventually a vulnerability on the receiving end is exposed. To reduce your business' exposure to tactics like these, take a close look at how telephone fraud and phone scams have been carried out in this informative article.
Telephone fraud and scams cost the American economy billions of dollars annually. The fraud is committed by illegally using a telephone system, cellular phone, or calling card to make long-distance calls, or through dishonest business practices. This report discusses what businesses can do to limit their losses from telephone fraud and scams.
Prior to the 1984 deregulation of the telecommunication industry, telecommunications equipment was owned by the telephone company. Telephone toll fraud consisted of bypassing the billing system of the telephone company to make illegal calls. As the owner of the equipment, the telephone company was liable for these unauthorized toll calls made through their equipment.
As a result of deregulation, most telecommunication equipment is user-owned and resides on the users' premises. Toll fraud involves stealing the codes/passwords of cellular phones or calling cards, or gaining access to a business' telecommunications system, usually a private branch exchange (PBX), to steal authorization codes and passwords. This information can then be used to make illegal long-distance calls or it can be sold to others.
Businesses that own their telecommunications equipment are responsible for all charges related to long-distance calls going through the equipment, whether authorized or not. The tariffs of the long-distance carriers provide that users are liable for such charges, and the courts and the Federal Communications Commission (FCC) have uniformly upheld this provision.
While long-distance carriers usually will absorb illegal toll charges for residential customers, businesses are generally charged for the calls. With losses estimated in the billions of dollars, businesses must take preventive measures to limit the opportunity for telephone toll fraud. This report discusses what businesses can do to limit their losses from telephone toll fraud.
Types of Telephone Fraud
Businesses and individuals lose billions of dollars each year from telephone fraud and scams. In general, these losses involve the use of PBX systems, cellular phones, and other scams, but they can also be caused by dishonest business practices. Organized crime, computer hackers, and drug dealers are responsible for many of these losses.
In 2009, the Federal Bureau of Investigation (FBI) announced the results of an international investigation ongoing since 2006 that relates to conduct ranging from October 2005 through December 2008. In the indictment, the FBI identified three individuals who allegedly hacked into the telephone systems of large corporations and entities in the United States and abroad and sold information about the compromised telephone systems to Pakistani nationals residing in Italy. In conjunction with the unsealing of the Indictment, Italian law enforcement conducted searches of approximately ten locations in four regions of Italy and arrested the financiers of the hacking activity. Those financiers allegedly used the information to transmit over 12 million minutes of telephone calls valued at more than $55 million over the hacked networks of victim corporations in the United States alone.
Through the use of computers, modems, and high-speed dialers, telecommunication thieves (hackers) are able to obtain a business' access codes and employee personal identification numbers (PINs). User-friendly features of modern telecommunications systems, such as voice mail, remote access, and automated attendants, allow a caller to access the system and obtain a dial tone from off-premises. With the codes, the thieves can then make unauthorized long-distance telephone calls through the PBX.
Maintenance features of PBX systems can also provide access to telecommunication thieves. For example, remote maintenance ports allow technicians to perform repairs, upgrade software, and run tests from a remote location. While providing a useful function, these ports can also be used by thieves to illegally enter the system.
Cell phone fraud (cellular fraud) is defined as the unauthorized use, tampering, or manipulation of a cellular phone or service. At one time, cloning of cellular phones accounted for a large portion of cell fraud. As a result, the Wireless Telephone Protection Act of 1998 expanded prior law to criminalize the use, possession, manufacture, or sale of cloning hardware or software. Currently, the primary type of cell fraud is subscriber fraud. The cellular industry estimates that carriers lose more than $150 million per year due to subscriber fraud.
Subscriber fraud occurs when someone signs up for service with fraudulently-obtained customer information or false identification. Lawbreakers obtain the personal information and use it to set up a cell phone account in the person’s name. Resolving subscriber fraud can develop into a long and difficult process for victims. It may take time to discover that subscriber fraud has occurred and an even longer time to prove that the victim did not incur the debts.
Every cell phone is supposed to have a unique factory-set electronic serial number (ESN) and telephone number (MIN). A cloned cell phone is one that has been reprogrammed to transmit the ESN and MIN belonging to another (legitimate) cell phone. Unscrupulous people can obtain valid ESN/MIN combinations by illegally monitoring the radio wave transmissions from the cell phones of legitimate subscribers. After cloning, both the legitimate and the fraudulent cell phones have the same ESN/MIN combination and cellular systems cannot distinguish the cloned cell phone from the legitimate one. The legitimate phone user then gets billed for the cloned phone’s calls.
Cramming is the illegal act of placing unauthorized charges on wireline, wireless, or bundled services telephone bills. The FCC estimates that cramming has harmed tens of millions of American households. Entities that engage in cramming appear to rely heavily on confusion over telephone bills to mislead businesses into paying for services that were not authorized or received.
Smartphones are sophisticated handheld devices that enable consumers to shop online from wherever they are or charge app purchases to their phone bills. The more a mobile phone bill begins to resemble a credit card bill, the more difficult it may become to spot unauthorized charges.
Since January 2014, the FCC has taken seven enforcement actions against carriers for alleged cramming and slamming violations. Slamming is the illegal practice of changing your local or long distance telephone service without your permission. Here is how cramming charges can occur: Local telephone companies generally bill their customers for services provided by other companies. Cramming charges can be included with the bill when a service provider sends inaccurate billing data, whether through oversight or intentionally, to the local provider. A local provider may also engage in cramming if it bills a customer for a service provided by the local company that was not authorized by the customer.
Cramming also occurs when a vendor imposes a charge for services authorized by a consumer, but does not clearly or accurately describe all of the applicable charges to the consumer when marketing the service.
Pay-per-call scams involve charges on a phone bill for information or entertainment services provided through calls to 900 numbers, 800 or other toll-free numbers, or international phone numbers, for which there was no agreement to buy the services or there was no authorization for the charges. Pay-per-call service, offered using a 900 number, is any service:
- Providing audio information or entertainment;
- Providing access to simultaneous voice conversation;
- Including the provision of a product, where charges are assessed on the basis of completion of the call; or
- For which the caller pays a per-call or per-time charge greater than the charge for the transmission of the call.
Other information services that may be offered through numbers other than 900 numbers (for example, through an 800 or other toll-free number) include certain directory services, or services for which users are assessed charges only after entering a prior payment or subscription arrangement. It is important to note that, given these definitions, not all “toll-free” numbers are actually toll-free calls.
No written agreement is required for calls to 800 numbers that charge for using devices to provide telecommunications services to persons with hearing or speech disabilities. Similarly, no written agreement is required for directory services provided by a telephone company or for the purchase of goods or services that do not qualify as information services.
In another twist to phone fraud, consumers who downloaded a program from a website on the Internet to view pictures later received huge phone bills for international calls they never made. They did not know that the viewer program was designed to disconnect their computers from their regular Internet service providers and reconnect them to the Internet through a phone number in Moldova, formerly part of the Soviet Union.
Robocalls are unsolicited prerecorded telemarketing calls to landline home telephones, and all autodialed or prerecorded calls or text messages to wireless numbers, emergency numbers, and patient rooms at health care facilities. Under the Telephone Consumer Protection Act (TCPA), FCC rules limit many types of robocalls, though some calls are permissible if prior consent is given. Rules differ between landline and wireless phones.
FCC rules require a business to obtain a consumer’s written consent – on paper or through electronic means, including website forms, a telephone key press – or a recording of oral consent, before it may make a prerecorded telemarketing call to a residential phone number or make an autodialed or prerecorded telemarketing call or text to a wireless number. Informational messages, such as school closings or flight information, are permissible without prior written consent.
Liability for Toll Fraud
The liability for long-distance toll charges is determined by the published rates, or tariffs, filed by long-distance carriers. These tariffs typically provide that customers are responsible for all calls that originate from the customer's number. Even in those cases where the call is made from a remote location through a PBX's remote access feature, the courts and the FCC have held that the call originated from the customer's number under the tariff.
Although the tariffs can discharge a customer's liability in the event of willful misconduct by the carrier, the courts and the FCC generally have agreed that the carriers do not have a duty to warn customers of the possibility of toll fraud. The reason is that the tariffs do not expressly provide for such a duty.
The FCC has concluded that "tariff liability provisions that fail to recognize an obligation by the carrier to warn customers of the risks of using carrier services are unreasonable." The FCC has established guidelines designed to equitably apportion liability among carriers, equipment vendors, and customers based primarily on whom among them took the most reasonable steps to prevent, detect, and minimize the fraud.
For cellular phones, the liability for illegal calls is borne by the carriers. However, this liability is passed on to customers in the form of higher rates for calls.
Losses from telephone toll fraud, however, cannot be measured in just dollars alone. Companies may suffer losses when prospective customers get busy signals, due to illegal usage, and instead call a competitor to place an order. Frustration in trying to get outside lines that are being used by unauthorized callers also may affect employee productivity.
Telephone Fraud and Scams Prevention
Telecommunication equipment manufacturers, the long-distance carriers, and the cellular industry are addressing the problem of fraud. Their efforts have included developing protection systems, warning users of the potential for toll fraud, and educating them on how to detect illegal activity.
Carriers are also working together through trade groups to fight toll fraud. On October 25, 1994, HR 4922, the Communications Assistance for Law Enforcement Act, was signed into law. Amendments to Section 1029 now include the fraudulent alteration of telecommunications instruments and equipment. Punishment includes fines and imprisonment.
Additionally, the Wireless Telephone Protection Act (Public Law 105-172) was signed into law on April 24, 1998, expanding the prior law to criminalize the use, possession, manufacture, or sale of cloning hardware or software. Under the law, the creation and use of a cloned phone is a felony carrying fines and imprisonment.
The following are measures that can be used to prevent telephone toll fraud:
Long-distance carriers have developed various hardware and software devices to assist users in reducing the risk of loss from toll fraud. These include PC-based call-accounting systems to monitor incoming and outgoing traffic, artificial intelligence techniques to differentiate authorized and unauthorized attempts at usage, and hardware and software devices to protect remote ports and voice mail systems.
In the final analysis, however, it is customers who are ultimately responsible for protecting their systems. Businesses must train employees on what toll fraud is and what they can do to prevent it. Employees are the first line of defense against toll fraud.
- Take precautions to secure authorization codes, passwords, or calling card numbers. Theft of this information is one of the leading causes of toll fraud. Train employees to carefully protect these numbers - do not write them down or program them into automatic dialers. Warn them to exercise great care when using authorization codes or when making credit card calls in public. Instruct employees to select hard-to-break passwords and/or codes and to use the maximum number of characters allowed. Change passwords and authorization codes on a regular basis - at least four times a year.
- Instruct employees to report suspicious activities. Employees should be told to report unusual incoming calling patterns, and excessive hang-ups or wrong numbers. Callers asking what number they have reached, or sudden increases in requests from outside callers asking to be transferred within your system may be ruses to get access to an outside line.
- Secure communication equipment. Lock switch rooms and wiring closets. Change vendor-installed codes to unique codes of your choosing. Change passwords on a regular basis. Ask your carrier about protection systems for your PBX. Evaluate whether remote access is really necessary for your organization; if it is, use authorization codes or passwords to control access. Disconnect extensions no longer in use.
- Limit long-distance calling. Block international calls to countries that you do not do business with and limit international calling to only those employees who need it. Limit long-distance calling ranges after normal business hours. Be especially vigilant during non-business hours, in the middle of the night, and on weekends and holidays when most toll fraud is perpetrated.
- Control voice mail. Regularly remove unassigned and unused mailboxes on voice mail systems, and program the software to terminate access to such systems after a third invalid PIN attempt.
- Check telephone bills carefully. Know how and when your organization's phones are used. Once a pattern has been established, discrepancies are more obvious.
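The checks in the list above (unused extensions, international destinations the business does not call, and calls outside business hours) can be run automatically over the call records a PBX or call-accounting system exports. The following is an added example, not part of the original article; the record layout, extension numbers, allow list, and business hours are all assumptions to be replaced with your own.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed call detail records (CDR). The column layout is an assumption;
# real PBX and call-accounting exports differ by vendor.
SAMPLE_CDR = """start,extension,dialed,seconds
2024-03-04 10:15:00,2001,12125550143,320
2024-03-04 14:02:00,2003,01144205550100,900
2024-03-09 02:41:00,2999,0113735550111,3400
2024-03-09 02:44:00,2999,0113735550112,3550
2024-03-09 03:10:00,2999,0113735550113,3600
2024-03-06 22:30:00,2001,13125550177,60
"""

# Assumed site policy, to be replaced with the organization's own values.
INTL_PREFIX = "011"                    # North American international dialing prefix
ALLOWED_COUNTRY_CODES = ("44",)        # countries the business actually calls
BUSINESS_DAYS = range(0, 5)            # Monday to Friday
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
ACTIVE_EXTENSIONS = {"2001", "2003"}   # extensions currently assigned to staff


def review_call(row):
    """Return the reasons (possibly none) a toll call deserves a second look."""
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    dialed = row["dialed"]
    reasons = []
    if row["extension"] not in ACTIVE_EXTENSIONS:
        reasons.append("extension not assigned to anyone")
    if dialed.startswith(INTL_PREFIX):
        country_part = dialed[len(INTL_PREFIX):]
        if not country_part.startswith(ALLOWED_COUNTRY_CODES):
            reasons.append("international destination not on the allow list")
    if start.weekday() not in BUSINESS_DAYS or start.hour not in BUSINESS_HOURS:
        reasons.append("placed outside business hours")
    return reasons


def review_cdr(text):
    """Flag calls that break policy and total the flagged seconds per extension."""
    flagged = []
    seconds_by_extension = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        reasons = review_call(row)
        if reasons:
            flagged.append((row["start"], row["extension"], row["dialed"], reasons))
            seconds_by_extension[row["extension"]] += int(row["seconds"])
    return flagged, seconds_by_extension


if __name__ == "__main__":
    flagged, totals = review_cdr(SAMPLE_CDR)
    for start, ext, dialed, reasons in flagged:
        print(f"{start} ext {ext} -> {dialed}: {'; '.join(reasons)}")
    for ext, seconds in totals.most_common():
        print(f"ext {ext}: {seconds // 60} flagged minutes")
```

A flagged call is a prompt for review, not proof of fraud; the per-extension totals show where unexplained usage is concentrated.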
Cell phone toll fraud is a problem inherent in the way cell phones operate. Some cellular companies have imposed security PIN codes that are transmitted on a separate frequency from the ESN/MIN pair. Users are required to punch in the PIN code before dialing a call; however, some customers consider having to punch in these extra digits burdensome. Additionally, PIN codes work only within a carrier's network, allowing thieves to use cloned phones on other networks.
Carriers use software to monitor customer-calling patterns. If phone use deviates from normal use, an alert is sounded and the carrier can immediately investigate by contacting the customer. Other software forces callers to wait for their ESN/MIN codes to be validated before the calls go through rather than the carrier making the assumption that the customer has moved out of their normal cellular area.
The battle against fraud is also being helped by digital technology. Analog phones use transmission technology that is expensive to encrypt, while digital encryption is easier and cheaper. Digital systems allow for digital "fingerprinting" of phones, encrypted call-and-respond authentication systems, profiling, and voice recognition, all of which are effective in fighting fraud.
The following are some tips to consider in preventing cell phone toll fraud:
- Employees should turn off cell phones when they are not in use.
- Cell phones should be serviced only at dealerships licensed by the cellular service provider.
Take these steps to protect against cramming charges:
Carefully review the telephone bill every month. Treat telephone service just like any other major purchase. Monthly telephone bills should be reviewed as closely as monthly credit card and bank statements.
The following questions should be asked as telephone bills are reviewed:
- Do I recognize the names of all of the carriers/companies listed on my bill?
- What services were provided by the listed carriers/companies?
- Are there charges for calls that were not placed or services that were not authorized?
- Are the rates charged by each carrier/company consistent with the rates quoted?
Take the following action if your telephone bill lists unknown or suspicious charges:
- Call the telephone company responsible for your bill, explain your concerns about the charges, and ask to have incorrect charges removed. You can also call the company that charged you, ask them to explain the charges, and request an adjustment to your bill for any incorrect charges.
If neither the telephone company sending you the bill nor the company that provided the service in question will remove charges you consider to be incorrect, you can file a complaint with:
- The FCC about any charges on your telephone bill, whether they relate specifically to telephone service or to other products or services that appear on your bill.
- Your state public service commission for telephone services within your state (https://www.naruc.org/commissions.cfm).
- The Federal Trade Commission (https://www.ftccomplaintassistant.gov) about charges for non-telephone services on your telephone bill.
In most areas, you can ask your local telephone company to block 900 number dialing from the phone and the company must do so at no charge. You must ask within 60 days of beginning new telephone service. The company can charge a reasonable one-time fee if you ask for blocking outside the 60-day period. If you decide to remove the 900 number dialing block, your request to your local telephone company must be in writing. To protect against pay-per-call scams:
- Deal only with reputable companies. Some companies or organizations sponsor 900 number services for opinion surveys, information, entertainment, or other services. Before you call a 900 number, be sure you understand the cost of the call and the nature of the information or service you will receive.
- Think twice before calling a 900 number for a "free" gift. Television ads, postcards, and telemarketers may urge you to call a 900 number to get a "free" prize. But you pay for the so-called free gift by making the 900 number call. The provider of the service usually makes money on a per-minute basis, so there's an incentive to keep you on the line.
To protect against computer-generated phone charges, do not download programs from websites unless you know that you are dealing with a reputable site. Placing your home or personal wireless number on the national Do-Not-Call list prohibits telemarketers from calling - even when they do not use autodialers or prerecorded messages - unless you have given them your prior express written permission to call, or they are exempt from the rule. To register a number, go to https://www.donotcall.gov/.
Telephone fraud and scams continue to be a serious problem affecting American businesses. With losses now measured in the billions, and increasing, businesses must take proactive measures to reduce the risk.
Fraud.org provides tips about telemarketing and internet scams to help determine whether something might be fraudulent. It is probably a scam if someone:
- Makes an offer that sounds too good to be true;
- Promises that you can win money, make money, or borrow money easily;
- Asks for money to enter a contest, win a sweepstakes or lottery, or claim a prize;
- Refuses to send you written information before you agree to buy or donate;
- Refuses to give you a physical address;
- Refuses to give you the details of the offer before you make any payment;
- Requests your bank account or credit card number when you are not making a purchase with that account;
- Uses scare tactics or pressure to act immediately;
- Insists that you wire money or have a courier pick up your payment;
- Refuses to stop calling after you’ve asked not to be called again;
- Contacts you to ask for personal information the company already has;
- Gives you a check or money order and asks you to send some of the money somewhere.
If your company is the victim of any of the scams described above or if it is experiencing charges that require additional explanation, contact the provider to obtain additional information. If you believe your system has been hacked, call your phone company and report the incident to the police.
Consumers who become victims of a scam can file a complaint with the FCC. There is no charge for filing a complaint. Have employees talk with their children. Make sure the children understand they should not call 900 numbers without permission and should not use business phones.
You can file your complaint using an online complaint form at http://www.fcc.gov/complaints.
Training yourself and your employees on how to best navigate phone-related scams and fraud can be a lot to manage. So, keep on the lookout for new, unsolicited inbound offers and business opportunities that seem too good to be true. Now is also a good time to pay a little more attention to your commercial umbrella insurance policy, and make adjustments that cover all you’ve worked so hard to create. Your business will be better protected — and you’re going to feel great — with the knowledge that you’re prepared for whatever may come your way.