Why are fraudsters blitzing us with scam phone calls?

29 Jul, 2021

Min read

Woman holding phone cyber security courses

Chair of Cybersecurity at MTU, Dr. Donna O'Shea, contributed to this article in the Irish Times

This week I have received a half dozen mobile calls from a number purporting to be very similar to my own. The caller ID shows an 087 number – like my own – and the subsequent four digits were also identical to mine, while the last three varied each time. In the jargon, this is known as “neighbour spoofing”, when a false caller ID is sent, seeming to come from the same area you live in, or a familiar looking number, to make it more likely that you will answer. When I did answer a not very convincing automated recording from “the department of social protection department” said fraud had been associated with my Personal Public Service Number (PPSN).

Many of you will have received similar calls, trying to get you to “press a key” and talk to someone who tries to get you to divulge your PPSN, name, and in some cases, bank details. A recent scam text pretending to be from an Irish bank tells users that access to their account has been restricted due to a hacking attempt and invites them to input details to unlock it. These are all part of the seemingly endless cycle of scams which seem to have exploded over the past couple of years – and got increasingly sophisticated.

But why is this happening? Let’s look, as we would with any business, at the economics of the phone frauds.

1. Falling barriers to entry

One of the first things with any business is to look at the barriers to getting involved. Whether for a criminal or legal enterprise, the cost of establishment is vital and can have a key bearing on activity levels and competition.

Up to recent years, undertaking phone scams that involved hiding numbers and making thousands of calls required a significant level of technical knowledge. Now, according to Dr Donna O’Shea, head of the computer science department of Cork Institute of Technology (CIT), the requisite “exploit” kits are downloadable, can leverage VOIP (voice over internet protocol) technology to call from PCs and display fake numbers on the user’s phone. “You don’t have to be a technical person to do it any more,” she said.

It is still hard to account for the massive volumes of calls now happening, according to O’Shea, but there appears to be a sharp rise in call numbers as well as increased sophistication. Relatively easily spotted calls from far-away countries are now replaced by more sophisticated “spoofing” – using numbers displaying themselves as “ordinary” Irish numbers. Showing a number close to your one is just one variant of this.

It has also led to people “returning” calls to these numbers, which in some cases are valid numbers with real – and puzzled – owners. “You rang me”. . . “No I didn’t . . .”

At the moment incoming calls cannot be easily verified as coming from valid numbers. As the industry deregulated, numbers became portable – an 087 number can operate as part of the 086 network and so on – making checking incoming numbers to see if they are valid difficult – though here and internationally this issue is being examined. Some US operators have introduced controls, but it is a constant battle to stay ahead of the scammers.

Not only it is relatively easy, but generating tens of thousands of phone calls is cheap, with operators taking on a tiny – or zero – cost per call. And so the “success” rate required to make money is tiny. Business Insider calculated in the US that some 2.5 million calls could be bought from a provider for just $875 by illegal telemarketers or scammers. Even if one in every 10,000 yielded revenue averaging $7 on average, the initial investment would be doubled.

And of course, phone calls are just one variant of the scammers’ art, which also includes text messages and emails, all in many ways increasingly sophisticated, particularly texts allegedly from financial institutions which click through to plausible fake sites inviting you to enter your details.

2. Market opportunity

Businesses – and fraudsters – always respond to opportunity. And while the US trends tell us that robocalls were on the rise before Covid-19, the pandemic seems to have been a factor. First, according to Paul Delahunty, information security officer with Stryve, many people are working alone at home, without the support of an office environment and may thus be more vulnerable to fake emails, texts or calls. There is no one to turn to and check with. Mobile internet is a key working tool, and while busy it is all too easy to answer a wrong number or fall victim to a scam text.

O’Shea of CIT also points out that our changed habits during the pandemic have also offered new opportunities. People are spending more time online – not only working but shopping, for entertainment, interacting with friends and so on. And this creates new opportunities for fraudsters. A clever scam common around peak shopping time at Christmas was a fake text from a delivery firm saying you had to pay a charge to get an item released and inviting you to input details. At a time when Brexit had changed the rules in this area, this was particularly ingenious. Buying online opens up other scams in ticket purchases and the like.

Of course there are more sophisticated and targeted scams too – for example, those targeted at individuals with pension pots or investment funds to attract them into dodgy investments. These are different in nature, involving a lot of effort into a small number of targets. The robocalls are different, typically targeting some personal information which can be sold on to other criminals, or bank details which can be used to access funds in an account, or trying to get people to sign up to make small payments to get a “prize”.

3. Money to be made

It is impossible to know how much scammers make – but experts agree that the effort going in to the recent spate of calls suggests clearly that they are getting some result. The gardaí and financial institutions would normally hear about the more personalised scams, where bank accounts are emptied, or people pay large amounts for goods which never appear.

But a lot of fraud is on a smaller scale from the robocalls and much goes unreported.

An EU survey of consumers confirmed that, in general, fraud is big business. Looking at a range of consumer fraud – "buying scams", where people get fake invoices or don't get the goods they think they paid for; "identify theft", where scammers seek personal details (remember the phone calls saying your computer is broken); and "monetary fraud", when scammers seek to get access to cash or payments, or ask for a small "fee" to access a prize. Around half of EU consumers experienced one of these scams, or attempted scams, with around one-third experiencing two or more scams. Ireland was among the most affected, with more than two-thirds saying they had experience of a scam in 2018 or 2019. The survey guesstimates a €24 billion loss to consumers over the two years. For those who did lose money, the average loss was put at a bit over €80, though a minority suffered significantly bigger losses.

A rough calculation might suggest the annual cost to Irish consumers might be over €100 million per annum on this data. It would be a mistake to take these figures too literally, but fair to suggest that big money is at play. And with low costs on the other side, that is why scam calls are big business.

4. What to do

The advice is clear – don’t ring back, don’t answer calls from numbers you don’t know, don’t click through a text link, don’t ring back an odd number and, in particular, don’t give your personal information. With the spoof numbers increasingly popular, it is easy to answer the call, of course, but hang up when you hear the automated message and don’t engage in any way. If you just answer the call, there won’t be much harm done, bar a confirmation that your number is a “real” one, thus probably increasing the likelihood of getting future calls. And as Delahunty says, it is vital that if you do fall victim to a scam that you report it immediately to the gardaí and, if relevant, your bank, despite being embarrassed at being caught out.

Related Posts

donna and Ivan cyberskills and sandhill

Quick answers to Quick Questions: Ivan Houlihan, SVP & Head of West Coast U.S for IDA Ireland

Quick answers to Quick Questions: Ivan Houlihan, SVP & Head of West Coast U.S for IDA Ireland

Read more
Cyber Range Features Checklist

The Small Idea With a Big Impact on the Cybersecurity Talent Gap

The Small Idea With a Big Impact on the Cybersecurity Talent Gap

Read more
professor and student in robes and young son in MTU cyber security courses

Cybersecurity MSc (by research) Graduation Mr Simone Rodigari

Mr Simone Rodigari, whose supervisors included Dr Sean McSweeney, Dr Donna O’Shea and Dr Pat McCarthy, graduated with a Master’s of Science (by Research) at MTU annual conferring’s. The title of his thesis was Performance Analysis of Zero Trust inCloud Native Systems.

Read more