FCC Logo on background of blue wave forms
#623 minutes

Spoofing, scamming, and the FCC's crackdown on unwanted calls

It's not just you—everyone is getting robocalled. By one estimate, 50% of all calls will be spam by the end of 2019. To be sure, robocalls have been a problem for decades, but it seems like recently we've gotten to a boiling point, particularly when it comes to our cell phones. How did we get here, and what's being done about it? Evan is joined by Mark Stone, Deputy Bureau Chief of the FCC's Consumer & Governmental Affairs Bureau. They discuss the history of robocalls, the laws that combat them, and the actions the FCC is taking to stamp them out. Is there such a thing as a "good" robocall? And what is "neighborhood spoofing?" What can consumers and companies do to avoid scams? For more information, see the FCC's guide on unwanted calls and texts. (Disclaimer)

Transcript: 

MR. SWARZTRAUBER: Welcome to More than 7 Dirty Words, the official FCC podcast. I'm Evan Swarztrauber.

On today's show, we'll be discussing the scourge of modern civilization. That's right, robocalls. It's not just you. They've been happening more and more frequently, whether it's your landline or your cell phone. And I'm sure FCC employees heading home for Thanksgiving will probably get an ear full from their relatives, what is going on and what can be done to stop it.

According to new data from First Orion, a call protection company, 50 percent of all calls will be spam by the end of 2019. How did we get to this point and what's being done about it, including action by this agency, the FCC?

Joining me to discuss this is Mark Stone, Deputy Bureau Chief of the FCC's Consumer and Governmental Affairs Bureau. Mark, thanks for joining.

MR. STONE: I'm happy to be here.

MR. SWARZTRAUBER: So to start off, how did you end up being the RoboCop at the FCC?

MR. STONE: Well, I started here in the mid-90s as an auditor and then later as an attorney working on a lot of different consumer protection issues. So I've been working on robocalls maybe the last decade or so. And it's an interesting area to work on. It's definitely one that has lots of consumer interest.

MR. SWARZTRAUBER: Yes, I would say it's probably the number one thing that people are interested in our line of work at this point for sure.

So robocalls have been a problem for decades, but it seems like recently, or in recent years and even weeks and months, we've gotten to a whole new level with these robocalls. I mean, certainly back in the landline days, I'm sure people got them. But how did we get to this inflection point where people are tearing their hair out?

MR. STONE: Yes, robocalls have been a problem for decades as you've mentioned. In fact, the key law we administer, the Telephone Consumer Protection Act, was passed in 1991. But robocalls were different then. It was more the kind of dinner hour telemarketer bothering you and your family. Back then, it was a little bit more expensive to make robocalls, and so they weren't quite what they are today.

Over time, the technology has evolved such that folks can make robocalls a lot more quickly, a lot more cheaply using IP networks, using software. So the cost is very low. And so we see a proliferation of the calls. And it's easier also to what we call spoof the caller ID, meaning fake the caller ID that pops up on the consumer's screen. It's more likely to lure the consumer into picking the phone call up.

So those things have sort of conspired together to mean we get a lot more robocalls and we get a lot more robocalls that aren't just annoying that may defraud consumers.

MR. SWARZTRAUBER: Yes, the old trick where you would just not pick up the phone if it said unknown or that doesn't work if you're seeing an actual number. Now, like you said, these are not your typical robocalls anymore. It's not just telemarketing. It's not just advertising. What are people -- theoretically, the people placing these illegal and unwanted calls -- what are they hoping to accomplish? What's the goal of all these calls?

MR. STONE: Well, to be clear, there are still some telemarketing, right? I mean, that still goes on. That hasn't gone away. But yes, what's new here is people who are calling and maybe trying to get a consumer to give over personal information, maybe their credit card information, that sort of thing.

And very often, that's facilitated by the caller posing as someone they're not. For example, a person from the IRS and they're so sophisticated sometimes that actually the caller ID will pop up and the caller's phone will look like it's an IRS number.

So we're seeing these sort of callers again move into the areas of getting key information from consumers, maybe getting their credit card number. So it's more than an annoyance now.

MR. SWARZTRAUBER: Yes, and then there's also the fraud element. And we've heard stories of people running into CVS and buying 500-dollar prepaid debit cards because they're trying to pay off some scammer that scared them with some crazy story.

So as you mentioned, the TCPA, Telephone Consumer Protection Act, was passed in 1991. This was before the ubiquity of cell phones. That was back when cell phones were thousands of dollars, the size of a brick. And the problem that Congress was looking to address was more on the landline side.

But robocalls these days is kind of a catchall term that people use to refer to any call that they're getting that they don't want. But there is a legal definition that's important in terms of enforcement and the law. So what is the definition of robocall from the FCC's perspective?

MR. STONE: Yes, we take our definition from the Telephone Consumer Protection Act. You're right. Robocalls has become kind of a general term that people use for any kind of annoying call. But yes, we have a specific definition, and it depends on whether the call is actually to a wireless phone or a landline phone.

It's a little bit broader term when the call comes to a wireless phone. So for a landline, if the call leaves a prerecorded or artificial voice message on the landline phone, that's a robocall as long as it's telemarketing. If it's not telemarketing, even if it is a prerecorded or artificial voice message, it's not considered a robocall for our purposes.

By contrast, on wireless phones, calls to wireless phones, it's a robocall if it leaves those types of messages, prerecorded or artificial voice message, or if the call is made with what we call an autodialer which is simply equipment that can make a call really quickly to multiple numbers.

And then on the wireless side as well. It doesn't matter if it's telemarketing or not. If it's a robocall made using those mechanisms I mentioned, it doesn't matter if it's telemarketing or if it's purely informational.

MR. SWARZTRAUBER: And for people that are not committing illegal robocalls, which I assume is most of my audience, what kind of equipment is being used? Is this hardware? Are people hooking up their phones to these machines that are then churning out numbers? Or is it purely software? Is it an app that they're using?

I mean, you're not exactly going into the Apple Store or Google Play and saying, I want to download a robocall app. So people might not be familiar with this equipment that's making it so cheap and easy.

MR. STONE: Right, yes. So I think back in 1991 times, which seems like a long, long time ago. Technology-wise, it probably was more like you'd imagine, hardware, you've got a large box. But it's very much moved to software. And in fact, there are cloud services that offer that.

So as you mentioned before, that's why we see more robocalls. It's a lot easier. Anyone doing a google search at this point can probably find different auto dialers that they can use.

MR. SWARZTRAUBER: And given how frustrated people are, they might be wondering, why is any automated call legal at all, right? Is there such a thing as a, quote-unquote, "good or acceptable robocall". But there is in terms of the law. So before we start dunking on all the bad calls, what are the examples of calls that are acceptable under the law, the types of things that are not going to trigger enforcement action?

MR. STONE: Yes, that's a good question. Well, number one, even if it is a robocall under our definition, it could still be legal as long as you get --

MR. SWARZTRAUBER: Right.

MR. STONE: -- consumer's prior express consent or it's an emergency call. But yes, for other calls that don't even require a prior express -- or excuse me, there are good uses of the robocall technology as you mentioned. The kind of things that come to mind are the robocall from your kid's school reminding you about a school activity or maybe a reminder from your pharmacy that a prescription is ready to be picked up.

So those are robocalls, again, with your prior express consent. They can make those, and those are good robocalls. Those are the ones we want, the ones that we expect, and ones that allow those businesses or schools to actually get communications out quickly and efficiently and at a lower cost.

MR. SWARZTRAUBER: And as long as they're purely informational, then that's okay, right? There's a difference if it's informational versus if they're selling something?

MR. STONE: So again, well, it goes back to whether the call is made to a landline or not.

MR. SWARZTRAUBER: Right.

MR. STONE: Even those good calls that are purely information, if they're to the parent's wireless phone in the case of schools, you still need to have the consent. But if it's to landline phones, you don't need consent because they're purely informational.

MR. SWARZTRAUBER: Got you. And one of the phenomenon -- phenomena rather -- that has kind of come up over the past few years, it's probably been around longer than that but it's really accelerated is this spoofing issue. As you brought up earlier, these days when you get a call that looks like it's from your neighborhood or it has the same area code or it has the same first three digits after the area code, that's a practice called neighborhood spoofing. How did that start happening and what's the purpose there?

MR. STONE: Yes, that's another great question. Well, the purpose is, as I mentioned before, the worst types of robocalls are those that are designed to defraud someone or confuse them into picking the phone up and potentially being lured into a scam. Those are most likely to succeed if the consumer sees a number that they're going to trust.

So I mentioned earlier the example of an IRS call. Another example would be a neighbor call. So you're more likely to pick up the phone, consumers are, if they feel like it's a local number, someone maybe in their neighborhood that's trying to reach them.

So unfortunately, spoofing caller ID is a pretty easy thing to do as well, just like making the underlying robocall is an easy thing to do. So that's why we see the bad guys, the scammers quickly moving into schemes on the spoofing side. They're designed to get consumers to trust that call and pick it up.

MR. SWARZTRAUBER: It's amazing how quickly consumer practices can change. Back in the day, if you saw a number that looked like it was from your neighborhood, you were probably very likely to pick it up because you assume it's someone that either it's from your hometown or it's from the same block as you.

And now, it's almost like that's flipped. I'm talking to people all the time who say, if I see a number that has my area code in my neighborhood, I'm not picking it up. I assume that it's fraud. And it's a rapid change over the past few years.

What about robotexting? Obviously, the way that we communicate changes over time. People are increasingly relying on texting, emails, instant messages, things like that, less so on phone calls. Are scammers taking advantage of texting as well and is that something that the FCC is focused on?

MR. STONE: It is something we're focused on. Under that law, I mentioned before the Telephone Consumer Protection Act, the original focus was calls. But as you said, when it was passed in 1991, there wasn't a lot of cell phones and not a lot of texting happening. That's changed over time. So what the Commission has done is applied its protections to calls to text messaging as well. So yes, we do hear about some scams over texting. But primarily, it's over the calls.

MR. SWARZTRAUBER: And of course, the FCC has to interpret what these laws mean --

MR. STONE: Right.

MR. SWARZTRAUBER: -- as technology develops and new innovations come about. So obviously, this is a challenging problem. It's not like regulators aren't aware of it and members of Congress are involved. But it's not easy. And what are some of these challenges?

I mean, we've heard that calls are being made from overseas. I mean, how is a U.S. enforcement agency, what are they supposed to do about it if you're aware of an operation overseas but you don't have jurisdiction? Spoofing obviously is a problem. I mean, what are some of these challenges that you're running into as you and your team here are trying to tackle this problem?

MR. STONE: Yes, we have a great enforcement group that has done a lot of terrific work lately on this. But yes, that's in the face of a number of challenges. Not all illegal robocalls originate in the U.S. but a lot of them do. And so as you say, part of the issue is sort of tracing the call back from the consumer audit upstream to where it originated. And often, that is overseas.

So that involves some time to try to trace it back. It involves working with foreign authorities to investigate. And part of the problem, as you mentioned, is spoofing. So very often, the illegal calls will not display the actual caller ID. And so that's another challenge is trying to get underneath that fake caller ID and working with the phone carriers that handled the call and trying to get back to that source.

Very often as well these can be fly-by-night robocall operations so that if you catch the bad guys who made one set calls, they may well have moved on, changed identities, changed names, and indeed a different location.

MR. SWARZTRAUBER: Yes, it's been described as a whack-a-mole problem. From the perspective of statute, I understand that under the TCPA, your first violation is not necessarily something that can be fined. But there's a different law that was also passed to try to get at this spoofing issue which was the Truth in Caller ID Act. That was passed in 2009. So obviously, long after the 1991 law. But that law, you can fine someone on the first go. You don't have to put them on notice, so to speak.

MR. STONE: Yes, you're exactly right. So the TCPA requires a citation in most cases in the first instance which is a warning and a finding of a violation of law. That often gives, unfortunately, the bad guys a heads up that we're onto them. So they move on and change identities.

Fortunately we have the other law you mentioned which bans caller ID spoofing when it's intended to defraud or harass. That law doesn't require us to do a citation first. And so often our enforcement actions will find violations of both laws. I know the Truth in Caller ID Act very often proposes a fine.

MR. SWARZTRAUBER: So in terms of your day-to-day and what you and your team are doing to crack this nut, I mean, for the international calls, are you coordinating with the FCCs of the world, telecom agencies in other countries, or law enforcement agencies in other countries? And what does that look like?

MR. STONE: Yes, so that's our enforcement group. I work in our policy group. But absolutely they do. They have developed good connections with foreign agencies as best we can to try to help investigate. We often work in partnership with our own law enforcement agencies here in the United States to work with our counterparts as well overseas. But obviously, different countries have different situations when it comes to doing these sort of investigations. So it's not always easy.

MR. SWARZTRAUBER: Yes, it's not always a priority of course if maybe we're the ones being called. Their own citizens are not being called. That's just the location of the operation. Then in terms of domestic coordination, law enforcement agencies, Federal Trade Commission, the consumer protection authorities, is there a lot of interagency cooperation going on as well?

MR. STONE: Yes, definitely. So we very much work closely with the Federal Trade Commission which has a different statute that it works with. But they also target robocalls. They focus more on telemarketing calls. So we jointly developed and they administer the Do Not Call Registry.

I think as a lot of folks know, the Do Not Call Registry was a big success initially. I think there's been because of the evolution of robocalls, it's not a perfect solution at the moment. So we try to work closely with them to kind of make sure we're enforcing in concert.

MR. SWARZTRAUBER: Yes, that might be something that people get frustrated with of recent developments where they say, but I put my number on the Do Not Call Registry. Why am I -- but part of that is technological evolution. It might've been a good solution at one point for one particular type of call. But now, we have to address new problems as they arise.

MR. STONE: Yes, that's right. I mean, the Do Not Call Registry is very good for responsible robocallers who do want to obey the law. And there's lots of them because there's lots of good robocalls and good robocallers. The problem is the folks that are overseas are not going to really obey the Do Not Call Registry.

MR. SWARZTRAUBER: So in terms of rulemakings, concrete action that the FCC has taken, what are the big things that listeners should know about in terms of new rules, enforcement actions that this agency has put out to address the issue?

MR. STONE: Sure. I mean, starting with enforcement, our enforcement bureau has been very active over the last couple years. Just had a 120-million-dollar fine in a case called Abramovich that involved lots of neighbor spoofing caller trying to sell vacation packages under the name of legitimate companies.

MR. SWARZTRAUBER: Yes, so he was impersonating companies like Marriott --

MR. STONE: Right.

MR. SWARZTRAUBER: -- TripAdvisor. He was not working for these companies. He had nothing to do with these companies. But because he was using their names and their IDs, people were more likely to trust them and think that they were dealing with a legitimate actor.

MR. STONE: Exactly right. So that was a major enforcement case. We've had several others.

On the rulemaking side and policy side, what we have been trying to do and indeed doing is work with the voice carriers, the providers to stop these calls before they ever reach consumers. So if we've got to get to enforcement, that means the consumer has already gotten these calls and they've already potentially been defrauded or annoyed.

So last November, the Commission took a new step and said voice providers can block certain calls before they ever reach consumers. So these are calls, like I mentioned before, where the IRS number may pop up on the caller ID and we know from the IRS they don't make calls from that number. So what we've told voice providers they can do is block that before it ever reaches consumers.

Similarly, calls that appear to be from numbers that can exist under our numbering plan or numbers that could exist but haven't been allocated to any consumer. So these are calls that everyone is very confident are going to be illegal and highly likely to try to defraud or annoy consumers.

MR. SWARZTRAUBER: Yes, I think we can safely say on this podcast that if someone claims to be calling from the IRS and that you owe them thousands of dollars and they're coming to your house in ten minutes if you don't pay them, that's a fraudulent call.

MR. STONE: Indeed.

MR. SWARZTRAUBER: And there are reasons maybe that we, at one point in our history, didn't want voice providers to be able to block calls for maybe not reasons not involving robocalls, more for anti-competitive reasons or some executive at a telephone company has an ax to grind with someone from a different company and decides to block all their traffic.

I mean, it might not be intuitive now because of the problem with robocalls. But there's a reason why people might not want their phone provider to have carte blanche to block any call that they want which requires that the FCC confer this power on them. But the FCC has identified certain calls that I think we're safe to say that it's okay that it never reaches the consumer.

One is the IRS. Also, numbers that shouldn't exist. When we were chatting before the show, there's a do not originate list or numbers that literally can't exist because we never assigned them.

MR. STONE: Right.

MR. SWARZTRAUBER: And so the telephone provider, are they able to essentially tell what numbers they are that the FCC's database doesn't have them so clearly they're fake?

MR. STONE: Yes, that's right. I mean, so the do not originate list is something that the FCC said the industry could develop and they've been doing that. IRS is one example. There are other examples as well with trusted agencies or numbers. And you're also right, that voice providers know which numbers can exist and which can't under a numbering plan and which that are allocated or not allocated.

So I think you also mentioned a really good point which is the FCC has not historically been okay with blocking for obvious reasons. I think we all want to feel comfortable that whatever calls are intended to get to us will get to us. But yes, this recognition that robocalls are a significant problem and that we need to think in different ways about how to solve them has caused us to change our thinking a little bit.

MR. SWARZTRAUBER: And then there are other efforts underway, especially with this spoofing problem where numbers can just be churned out so easily and they're fraudulent and they're coming in at a rapid pace. There's a concept of like a digital fingerprint for phone calls. Tell us more about that.

MR. STONE: Yes, that's right. So as we've been saying all along, a key part of illegal robocalls is the caller ID spoofing that goes along with it. And so the FCC has been working with industry. Industry has taken some significant steps towards what we call caller ID authentication. And what that means is basically a digital fingerprint for the caller ID so that it can't be spoofed.

And so it's an exciting prospect. It's the kind of thing that would give you trust back that when a number pops up on your screen, it is in fact the number of the caller. If it were an illegal robocall, it would make that tracing it back to the origin to the caller a lot easier.

And so what we're seeing are voice providers testing this concept with our encouragement. And we're hoping to make that -- that that's made a reality fairly quickly.

MR. SWARZTRAUBER: And I've seen there's also been some developments on the hardware side. Phone manufacturers are releasing new versions of their smartphones that have some span detection capabilities. Sometimes I'll get phone calls and it says, likely spam. So this is not an entity that can block the call. But they'll tell me, hey, we think this is spam.

So there's efforts underway on many fronts. And since we dunked on spoofing so much, it's important to point out there are apparently instances where spoofing is okay. So in the interest of making sure that we distinguish between illegal and legal use of robocalls, let's also do the same for spoofing. So when is it okay to spoof?

MR. STONE: Yes, that's a good point. So the law says spoofing is illegal when it's designed to defraud or harass, that type of thing. So that's a recognition that not all spoofing is bad.

So there's several examples, one of which might be a legitimate telemarketer, maybe a third party that works on behalf of a larger company. That third party could be a mom and pop telemarketer that's making legitimate telemarketing calls wants the name of the party that they're telemarketing on behalf of to pop up on your screen.

MR. SWARZTRAUBER: Right.

MR. STONE: That way you know, oh, it's this company or that company. You don't think it's Mark Stone, third party's mom and pop telemarketer.

MR. SWARZTRAUBER: Right.

MR. STONE: So that makes sense. That's helpful. And so we want to be careful that we're targeting the spoofing that's bad.

MR. SWARZTRAUBER: And that's actually kind of a fun example where spoofing would increase trust. Because if you get the caller ID of some third-party entity that you're not familiar with and they claim to be representing a company that you are familiar with, you're not going to believe them because you saw this other caller ID. So the spoofing could actually be helpful.

MR. STONE: Yes.

MR. SWARZTRAUBER: Now, obviously this is a consumer issue. So I think we'd be remiss if we didn't give you a chance to offer some best practices. In addition to not believing the IRS, I mean, what else do you have to say to folks as we're working on this issue to keep themselves safe, to protect their identity, to protect their life savings? Anything you want to say to the listeners?

MR. STONE: Yes, yes. I mean, one good tip is always be careful obviously when you pick up the phone from a number you don't recognize. If you pick it up and someone claims to be someone that you're not sure that they are, don't give away any important information. You can hang up, google that person's identity or that business' identity to find the legitimate number, and then call them back if you want to.

So just exercise in caution. There's lots of third-party tools and apps that are available out there that we encourage folks to take a look at. You can always contact your voice carrier if you want blocking done, the kind of blocking that we discussed here.

And then the FCC has got a terrific set of outreach materials on our website that are helpful. And, of course, any consumer that feels like they've gotten an illegal robocall can file a complaint with us. That really helps us on the enforcement and policy side.

MR. SWARZTRAUBER: Well, we'll certainly link to those resources in the show notes for today's episode and point you in the right direction if you've got more questions. But I think that's it. My guest has been Mark Stone, Deputy Bureau Chief of the FCC's Consumer and Governmental Affairs Bureau.

Mark, thanks so much for joining the show.

MR. STONE: My pleasure.

MR. SWARZTRAUBER: I hope your family doesn't give you too much grief over the holidays if they're still getting robocalls. But just know that we're on the case and there are other agencies working on it as well.

Find this podcast in the iTunes Store, Apple Podcast, Google Play, wherever you get your podcast. Please leave us a review because it will help others find the show. Thanks for listening.