E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.		 LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


VISHING: DO YOU REALLY KNOW WHO'S CALLING?

Source: SFGate.com

Posted on May 20, 2009

      For the past 18 months, Bob Sills has tried everything to make the unwanted phone solicitations stop, but the calls just keep coming - sometimes twice a day to his Castro Valley home and more recently even to his cell phone.

      He's filed complaints with the Federal Trade Commission's Do Not Call Web site. He's followed the callers' recorded instructions, pushing "2" to be removed from their lists and - when that didn't work - pressing "1" to talk to an operator to demand that the calls be halted.

      He stopped answering the calls for months at a time, hoping the people responsible for them would give up. But they continued, urging him to buy an auto warranty he didn't need or to seek a lower interest rate on credit card debt he doesn't carry.

      Millions of Americans have experienced a similar surge in unwanted calls recently. The calls act like relentless robots that ignore Do Not Call lists and defy tracking. They have roused ordinary citizens to act as vigilantes who urge others online to swamp the phone systems of companies they hold responsible. They have incurred the wrath of state attorneys general, major corporations and members of Congress, who have filed lawsuits, launched investigations and proposed legislative solutions.

      And they have baffled ordinary people such as Sills, who wonder how such a widespread and obvious scam persists.

      "You would think that if they had any sense they would say, 'This guy doesn't have any money, let's take him off our list,' " the 58-year-old retiree said. "I really wish the government would go after them in one way or another."

      Last week, the government did just that: The Federal Trade Commission asked a federal court to shut down two Florida companies, one a seller of allegedly phony auto warranties, the other a telemarketing company that allegedly has called more than 1 billion phone numbers since 2007. The judge granted the FTC's request for a temporary restraining order Friday, and FTC officials predicted a "dramatic decrease" in unsolicited "robocalls."

      "This is one of the most aggressive telemarketing schemes the FTC has ever encountered," said FTC Chairman Jon Leibowitz in a statement released Wednesday. "We intend to shut them down."

Tough to shut down

      Even if the government succeeds, security consultants and consumer advocates say illicit telemarketing is unlikely to vanish completely.

      In part, that's because of the increasing ease of caller ID "spoofing," which allows callers to hide their caller ID from those being called or to change it, giving the appearance of being trustworthy or familiar, such as pretending to be the victim's local bank or a government office. Spoofing caller ID information not only can fool the unwary, security experts and consumer advocates say, it also makes it much more difficult to track and report abusive callers.

      "As technology evolves, there are always going to be players in the marketplace that want to take advantage of the changing technology to try to gain an advantage against consumers," said Chris Thetford, spokesman for the Better Business Bureau in St. Louis, home to another car-warranty company under investigation.

      "It's just like e-mail. The minute e-mail came out, it was great, and then all of a sudden people figured out they could use e-mail to try and get people's money," he said. "The same thing with caller ID."

      Scams designed to trick people into handing over their bank account number, credit card information, Social Security number or other valuable data using malicious e-mails or Web sites pretending to belong to banks or online auction sites are called "phishing," and years of educational efforts by financial institutions and Internet companies have trained many people to be cautious of such efforts online.

Phishing and vishing

      The telephone equivalent, "vishing," is less familiar to many people, in part because they have a longer experience of trusting the familiar telephone and in part because caller ID has established itself, for many people, as a trusted ally.

      Phishing and vishing are essentially the same thing. Scam artists use modern communications technology to cast a wide net in search of a vulnerable few respondents who can then be lured by seemingly great offers or frightened by urgent warnings into buying goods or handing over valuable personal information.

      And thanks to the recent exponential growth in low-cost systems for making voice calls over the Internet using systems such as Skype or Vonage - technically called voice over Internet protocol, or VoIP - phishers and vishers can send bait messages to huge numbers of potential victims without costing them much at all.

      Business VoIP companies offer the ability to make a thousand calls at once - or more - for a fraction of a penny each. "The fundamental economics of a computer-based attack is that attacks that have a marginal rate of success become profitable," said security guru Bruce Schneier. "All you need is one" victim.

Trusted source

      But while most people have learned to be skeptical about the identities of people they encounter online or through e-mail, security experts say, they still trust that the digits showing up in their caller ID box are accurate.

      "The customer at home has no clue about what caller ID spoofing is," said Lance James, co-founder of Secure Science Corp. "Most people I talk to don't even know it exists."

      In fact, masking caller ID is as easy and as well understood as the ability to change the name appearing in the "from" field of an e-mail - in fact, to a computer, the two are practically the same thing.

      VoIP makes such spoofing particularly easy, James said, in part because the virtual phone network requires users to identify their own caller ID number - conventional phones are assigned a caller ID automatically at network switches.

      That's fine if the user is scrupulous, but an unscrupulous user can abuse VoIP by hiding while trolling staggering numbers of victims simultaneously - the telemarketer targeted last week by the FTC allegedly bragged to a prospective client that he could call the entire United States in just a few hours.

      "We knock the caller ID, they don't know where it's coming from," the telemarketer allegedly boasted, according to the FTC complaint. "Yeah, we've never been in trouble, and we never will get in trouble."

Complicated hunt

      Spoofed IDs not only can lure the unwary, but they frustrate the wary. Once, tracking down and reporting a malefactor required a mere reverse directory search. But finding the face behind a spoofed number demands special technology, a series of subpoenas, or a willingness to buy the product or at least talk to the scammer.

      Despite the difficulty, there have been some success stories. A week before the FTC took action, Verizon Wireless wrested a $50,000 settlement over an alleged car-warranty telemarketing scam, and Missouri sued a warranty company there that had generated thousands of complaints to the St. Louis Better Business Bureau.

      Members of Congress have called for tougher enforcement, and a bill that would outlaw transmitting misleading or inaccurate caller ID information has been wending its way through Congress since 2006.

      But some security consultants and companies say legal solutions to spoofing fail to account for legitimate uses of the technique - both the technical necessity in VoIP networks and certain social uses.

      Meir Cohen, president of TelTech Systems - a company that offers users tools to spoof their caller IDs and to protect themselves from unwanted calls - said there are legitimate reasons for spoofing. It might permit doctors, for instance, to return patients' emergency calls from their cell phones without giving away their personal numbers or allow salespeople who work remotely to have return calls go to their company's main line.

Like e-mail, ergo phone

      "The majority of our customers are legitimate, law-abiding citizens who use our services to protect their privacy," Cohen said.

      In time, there may be technological solutions - perhaps similar to spam filters - or new regulations on VoIP companies to help deter vishing. But the ultimate solution, several security consultants said, is for people to begin approaching phone calls with the same skepticism that they bring to e-mail.

      "People tend to believe the phone network is trustworthy. And they tend to believe the Internet isn't trustworthy. That definitely plays into this," said Schneier, the security expert.

      "If you're called by your credit card company and they ask you for your credit card number, you say, 'Well, don't you have that? ... Just like when you get an e-mail that says, 'Hi, I'm your bank, click here,' you know not to do that," he said. "The problem is not the spoofing. The problem is people believe one thing, and the other is true."

Avoiding vishing

      While technology experts and politicians seek solutions to the problem of malicious caller ID spoofing, security experts say everyday phone users should take steps to protect themselves.

Register your number

      Register your phone number with the National Do Not Call registry at www.donotcall.gov. Unscrupulous telemarketers may ignore the list, but registration provides some protection and the Web site provides a process for complaints.

Consider a black list

      Some companies offer blocking services that can automatically turn away unwanted calls. The system has limits, however, since they only block calls on the list and many vishers change their spoofed caller ID numbers frequently.

Be wary of "robocalls"

      Be extremely wary about purchasing anything from a company that is involved in illegal robocalling. If the company is involved in illegal telemarketing practices, it is more likely that it also would engage in deceptive practices in selling products and services.

Protect your identity

      If you are called by your bank or credit card company, don't provide your account number if asked. Call the company back using the number on your statement. Never give out private financial information to an unfamiliar company that has robocalled you or that will not properly identify itself. You can review a report on any company for free at www.bbb.org.

Help track down abusers

      Report vishing calls at www.ftc.gov or call (888) 382-1222. The FTC wants the number and any name that appeared on your caller ID, the date and time of the call, the content of the recorded message, and the content of any live telemarketing pitch you received, including any company name. If you paid money as a result of the robocall, the FTC would like to know how much you paid and to whom.



CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.