I Keep Getting Spam Calls And Email

3.2 Why and How Does this Happen?

What is driving the deluge of spam calls and spam emails? Read/watch to find out!

Transcript

Davis: Hi, Dan! Welcome back. Let’s dive right into it: why am I getting so many spam phone calls lately? And for that matter, text messages? As you know, I changed my phone number some years ago to a New York-based area code, and the type of spam I get changed markedly. What’s behind this? Why did this happen?

Dan: Well, there’s been a trend over the past few years to use phone numbers in the same area code and prefix to try to get people to think the call is coming from somewhere nearby. Remember when we were growing up and all the phone numbers in the neighborhood started with the same two or three digits? This is the same theory: “oh, if it’s close by it must be a real call.” Unfortunately, the numbers are often spoofed.

Davis: So how do people come across my personal info? For instance, when I do get calls that I can understand, the callers often lead with info that I’m surprised they have. So how do these spammers have access to such incisive information about me and my friends and my family? I’m thinking about mortgage info, auto warranties… I’m a New Yorker so those don’t apply to me, necessarily, but that sort of thing.

Dan: Well, there are two pieces here that we should separate out. First, like phishing emails, the phone call scammers aren’t necessarily targeting you specifically. They’re calling every number they can. And unlike email, phone numbers are a limited set, and it’s not hard to guess what the next one in line is. And when they do call, they’re hoping that the thing they’re pretending to be resonates with you. If I were a scammer and called pretending to be Bank of the City, and called numbers in the city that that bank serves, then a non-zero number of people that I call will have a chance to think that the call is real because they actually bank there.

Now, on the other side of the equation, there are more targeted calls. There’s a lot of information available in the public record, like mortgages, car registrations in some states, business registrations, and more. The would-be attackers take their time to gather information and make it more realistic in the hopes that if they get you on the line, you’re more inclined to think it’s real. For example, just a few minutes before we sat down, I got a spam call trying to sell me a warranty for a car I do actually own, and whose factory warranty was about to expire. And, get this, they called using a number that they spoofed to look like it came from an actual former employer of mine. There’s so much information out there that it’s easy to gather and create things that seem real, which means we have to stay even more aware of everything we hear.

Davis: Yeah, I have to say, that sounds truly frightening that they could gather so much information, and then know enough about you to create a phone number that looks like a previous employer. So I think this is a very critical question: how can I tell if a phone number is spam?

Dan: Well, it’s not always easy to do. So I mentioned earlier that numbers from your own area code and prefix, especially if they’re not from someone you know, are particularly suspect. Like you, I moved locations, but I didn’t update my area code when I moved. So now if I get a call from the area code of my phone, I’m pretty sure it’s not real, as all my local friends and work numbers are in the area code where I live, not the one my phone’s registered to.

You can take the more reliable approach, though, of only answering calls from those that are in your address book and letting others all go to voicemail. It requires putting your immediate curiosity and reflex of just answering the calls aside, but it is very accurate, since spoofed calls rarely come from numbers you actually know.

Davis: Yeah, you’re right. Come to think of it, when I had that Louisiana code, I definitely heard a lot about hurricanes, and not so much about local scams, so good tip. What about email, meanwhile? How can I tell spam email from typical real emails that come from actual human beings?

Dan: Well, it’s not easy, and there’s no shame if you can’t always do so, because the scammers are getting so good at making emails that look and seem legitimate. The best thing to do is to look at the sender’s email address and make sure it’s really from the domain you think it should be. Look for small changes that are easy to overlook, like the number one instead of an l, or additional domains after the part you expect. Like, instead of microsoft dot com, it becomes look-over-there-dot-not-a-spammer dot com, hoping that you stop reading after just the first part.

Also, hover over links in the email to see where they actually go before you click them. And, even better, if it claims to be from a company, just go directly to your web browser and type the domain yourself rather than clicking on the link.

Davis: It sounds like you’re advocating for slowing down when we use the internet, which, if you’re anything like me, is very difficult. So if I get a spam email or phone call or text message does it mean I’ve already been hacked? How much should I be panicking about this exactly?

Dan: No, just getting the email or call doesn’t mean your information is at risk. Generally, email applications and systems don’t let things happen right from the email itself. Where it starts to all happen is when you click on a link or open an attachment. Sometimes those will launch malware on your machine and do something nefarious, which is why it’s really important to have up-to-date anti-virus software on your workstation, a topic we’ll cover in another series. Most of the time, though, the emails will try to get you to divulge information, or make you do something that’s hard to undo, like give your login credentials, send money to someone’s account, or buy gift cards. If you just open the mail and take the call, as long as you don’t act on it, you should be fine.

Davis: Okay, so if I understand you correctly, the key is not acting on it. But isn’t answering the phone an action, or responding to an email or a text? Does that in itself pose any danger to me or my information?

Dan: If you start to interact with the scammer, either by phone or email, they’ll do all they can to get you to do the thing they want you to do but that you probably don’t actually want to be doing. Unless you give up your password or send money to them, you’re not in irreversible territory. We’ve seen that scammers, once they’ve initiated contact with a potential target and get discovered, will usually go away, but sometimes they are more persistent and will try to re-engage with you. But if you ignore them, you are not at any new risk.

Davis: Gotcha, thank you. So we talk a lot about the onus of the individual in privacy matters, but I do wonder about the system itself. In the case of spam calls and text messages, are any phone companies working on preventing this? What if legitimate people who are trying to reach me are mislabeled as spam?

Dan: Most phone carriers have some level of spam blocking available to subscribers, but there may be a charge to use it. It takes the phone numbers of known scammers and either fully blocks them from arriving on your phone or marks them as scam, likely as part of the caller ID. There are also some new innovations that went into effect in 2021 using two protocols called STIR and SHAKEN. These are two technical measures that the mobile phone carriers have put into place with help and guidance from the FCC to curb spoofed robocalls. When a call comes in from a genuine phone number, it notes it with a tick mark or a message on your phone, which will let you know that it’s more likely to be a real person. If someone you know who is legitimate is not being marked verified, keep in mind that STIR and SHAKEN are not fully deployed yet, and calls that are not yet in scope for them won’t be marked as spam, but they also won’t be confirmed as verified. When it’s all said and done, you’ll likely have to notify your carrier if your calls are not being marked correctly, but we’re not quite to that point yet.

Davis: Thanks. Sounds like I’ll have to have a cocktail party when STIR and SHAKEN become real things. Thank you so much, Dan, for shedding light on this very annoying problem. I’m personally looking forward to learning how I can put a stop to these things, spam text messages in particular, in our next episode. So see you then.

Further Reading

Relevant Terms

  • Spoofing

    Spoofing is a type of scam in which a criminal disguises an email address, display name, phone number, text message, or website URL to convince a target that they are interacting with a known, trusted source.

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers.

  • Domain Name

    A domain name is a unique, easy-to-remember address used to access websites, such as ‘google.com’ and ‘nycdigitalsafety.org’.

  • Malware

    Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Contributor Bios

  • Daniel Ayala is a leader in the fields of information security, risk, and data privacy. He is Chief Security and Trust Officer at Dotmatics, hosts The Great Security Debate Podcast, and founded Mentor Core, an organization that seeks to bring together mentors and protégés from across the risk and compliance profession. Learn more about Dan's work at https://danielayala.com/.
  • Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.
  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.