A few weeks ago my colleague Stephen Cobb (knowing my interest in research related to fraud and scams, including phone scams) drew my attention to a section in the *Consumer Sentinel Network Data Book for January-December 2014 that pointed to a rise in the percentage of fraud complaints about phone scam calls over the period 2012 to 2014.
The data concerning ‘Fraud Complaints by Company's Method of Contacting Consumers' indicate that the percentage of phone scam complaints rose from 34% in 2012 to 54% in 2014, whereas the percentage of complaints about scam emails dropped from 37% in 2012 to 23% in 2014.
Interestingly, complaints about scams initiated via ‘Internet – Web Sites\Others' rose from 12% to 15% in 2013 and dropped again to 11% in 2014. Maybe three years isn't long enough to draw too many conclusions, and in any case the percentage of people who actually report the initial method of contact has dropped over the same period from 55% to 46%. However, one possibility is that the decline in email-related complaints represent at least two factors: • A continuing rise in awareness that email is an unsafe channel of communication with a high percentage of maliciously intended traffic. • A reflection of the gradual long-term shift from direct malicious content in email to content linked and redirected from a variety of sources (email and other messaging services, social media, DNS hijacking, legitimate but compromised sites, and so on).
The spike and subsequent drop in web-related fraud reports is harder to explain, so I won't even try. But it does seem that phone fraud is getting more attention, and if the higher volume of reports really does reflect a rise in activity – and I have no reason to believe that it doesn't – maybe that's because it's often harder to ascertain the legitimacy of a caller's phone number (if available at all) than it is the legitimacy of an email. Admittedly, interpreting email headers isn't always easy, but at least they're there. Tracing the real source of a phone scam call is something most potential victims are not resourced for, however. And even tech support scams, part-based on trying to get remote access to the victims' PC, don't always offer easy attribution to the scammer's point of origin.
Still, in view of these figures, it doesn't come as a surprise that a report by Pindrop Security – *The State of Phone Fraud 2014-2015: a Global, Cross-Industry Threat – indicates that ‘more than 86.2 million calls per month in the US are phone scams'.
The focus of the report is actually far wider than the direct attacks on individual consumers that the Consumer Sentinel Network data are drawn from, stating that ‘Across financial and retail institutions, 1 in every 2,200 calls is fraud, an increase of more than 30 percent since 2013' and considering attacks on banks, brokerages, card issuers and retailers.
In fact, there isn't such a clear line between consumer attacks and attackers on these organisations, since stolen credit cards and credit card numbers are very common accessories to an attack on a provider.
However – to take an example cited by Pindrop – chargeback fraud takes place when a scammer places an order with a stolen credit card. While the card owner should normally receive a refund from the card issuer if the loss of the card has been reported and the fraudulent charge disputed, the retailer or e-retailer may already have despatched goods for which it will receive no payment.
However, consumer scams are by no means ignored. Pindrop reckons that the top 25 consumer-oriented scams between them account for more than 36 million scams per month in the US, out of a total of 86.2 million. Frequent readers of this blog will probably not be surprised to hear that eight million of these calls are estimated to be tech support scams, while payday loans are close behind at nearly seven million.
Among the other top-listed scams are IRS scams, auto insurance scams, home security system scams, and student loan scams. While IRS scam calls are well behind tech support scams at around a million a month, that figure does represent a significant increase in highly profitable scam calls over the last two years, including a particularly effective scam where the callers impersonate IRS agents over the phone and threaten arrest for tax evasion if payment isn't made immediately.
Pindrop observes that ‘phone fraud rates are essentially the same in all major economically developed countries, especially the U.S. and U.K.' I won't try to summarise the whole paper, but it does make some interesting points about the impact of technology in terms of spoofing and VoIP, and the growing use of cell phones.
However, it's worth noting that there isn't necessarily an exact correlation between types of scam reported in the US and in the UK. For instance, various types of UK-targeted Payment Protection Insurance (PPI) scam like these and these may share some characteristics with scams seen in the US, but don't – as far as I know – have a precise equivalent.
Similarly, some UK student loan scams may be significantly different to those commonly reported in the US. And though I still get the occasional tech support scam call here in the UK, the volume of such calls seems to have declined dramatically in recent years.
*Interesting though these reports are, there are some caveats to bear in mind as regards the accuracy of the data: • The Consumer Sentinel data are drawn directly from a database of complaints made to the FTC, various law enforcement agencies, other governmental and non-governmental departments, the Council of Better Business Bureaus (on behalf of all North American BBBs), and so on. As the Consumer Sentinel report states: ‘The 2014 Consumer Sentinel Network Data Book is based on unverified complaints reported by consumers. The data is not based on a consumer survey.' This doesn't make the report less interesting or useful, but it does mean that the information is reliant on the individual complainant's good intentions and ability to interpret correctly what actually happened in the course of a telephone exchange and after. If the data were drawn from a survey the survey team would have attempted to select a range of respondents as representative as possible of the total population at risk and weight and verify the data accordingly. Hopefully. • The Pindrop data are collected by a proprietary ‘online complaint collection tool' for the aggregation of data regarding ‘suspicious' phone numbers as reported in ‘hundreds of complaint sites, online communities, and Web forums'. While there's a great deal of interesting and useful information to be gathered this way, similar caveats apply as in the case of the Consumer Sentinel Network report. There is the additional complication that online forums are known to be vulnerable to infestation by groups paid to promote services and causes or to denigrate rivals. But that's a topic I'll probably return to in a separate article.
By David “Call me anytime” Harley, ESET senior research fellow