Robocalls and “spoof” calls are much more than just annoyances. They’re also a lucrative underworld business that poses significant security and privacy threats to businesses and consumers. Between March 2017 and March 2018, nearly 25 million Americans lost almost $9 billion to scam phone calls.
If any doubt remains how insidious the business is, just enter “spoof calls” into a search engine and marvel at all the slick websites offering to “fake your caller ID.” Businesses that offer these services can serve as many as 5,000 simultaneous robocalls every second.
Although 2009’s Truth in Caller ID Act criminalized spoofing with intent to defraud or harm, the number of robocalls around the world grew by more than 325% last year. First Orion expects that nearly 50% of all U.S. mobile calls this year will be scam calls.
Nobody is immune from spoof attempts
Even AT&T’s CEO couldn’t avoid getting robocalled as he was interviewed on C-SPAN in March. Randall Stephenson was obviously trying to make a point when the call came in, but the fact remains: Most mobile phone users are so wary of these calls that they answer barely more than half of them.
The good news is that relief is coming. The bad news? In any battle of cybercriminals vs. cybersecurity professionals, it will probably always be a cat-and-mouse game, with the rodents continually figuring out new ways to foil the felines.
The scourge of robocalling is comparable to the nefarious ubiquity of fakery in email, text messaging, and social media accounts. Dozens of thoughtful, consumer-focused articles offer advice and instruction on how to block or reduce the number of robocalls and text messages, but most of the solutions treat the symptoms and not the disease. The root problem is that these platforms lack robust identity models that can verify that a message (or a call) comes from who appears to come from.
Public policy matters – and works
There is an answer to the robocalling problem: an aggressive, viable, standards-based solution. And it has arrived on the scene with public policy support: The Alliance for Telecommunications Industry Solutions’ STIR/SHAKEN (Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using toKENs) was recently endorsed by the Federal Communications Commission (FCC).
STIR/SHAKEN is a technology that uses authorized, trusted digital certificates to verify that the number on an incoming telephone has not been spoofed. The FCC’s endorsement quickly led to its adoption by the nation’s leading phone-service providers, including AT&T, Century/Link, Charter, Comcast, Cox, Google, Sprint, TDS, T-Mobile, US Cellular, Verizon and Vonage.
In many ways, this development mirrors the DHS’s October 2017 Binding Operational Directive (BOD) 18-01, which mandated that U.S. federal agencies adopt email authentication standards. It also emphasizes a key point: policy matters, and policy works.
DMARC: The STIR/SHAKEN of email
The DHS edict required all executive branch agencies to deploy the Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication standard and set it to a policy that rejects fake emails – effectively preventing bad actors from spoofing government officials’ email addresses.
Within one year, 57% of all agencies had were protected by a DMARC record with a strict “enforcement” policy, and today over 70% of agencies are protected. In fact, federal agencies demonstrated the highest rates of DMARC implementation and enforcement of any group of organizations, public or private, in America or abroad.
Sad but true: It’s a never-ending battle
The FCC’s adoption of STIR/SHAKEN represents a major, positive step forward in the fight against robocalling. But it’s a never-ending battle, as these stories illustrate:
- Even after the FCC fined one notorious robocaller $120 million for making almost 100 million robocalls with spoofed caller IDs in just one three-month period last year, one respected publication explained why it was far from enough to halt the “insane” growth of spoof calls.
- In the aftermath of the FCC’s endorsement of STIR/SHAKEN, Wired’s website shouted, “THE ROBOCALL CRISIS WILL NEVER BE TOTALLY FIXED.”
- While the Federal Trade Commission (FTC) jumped into the fray by forcing four robocall companies out of business, there are many more that will take advantage of loopholes, find new ways to produce millions of unsolicited robocalls and hide under the radar.
- As The New York Times editorial board wrote in late April, “Telecommunications companies are adopting new technology to kill phone spam — but the spammers may stay a step ahead.”
While there is no panacea to completely eliminate spoofing — whether in phone calls, email or on social media sites — it’s evident that authentication standards such as DMARC and STIR/SHAKEN can stamp out a huge portion of these impersonators — particularly if public policy helps drive widespread adoption.
Organizations that deploy authentication standards will continue to be in a better position to halt the spread of unwanted messages from sinister sources. But it will only be through commitment and vigilance that the epidemic can continue to be addressed and contained.
Committed public policy that requires the implementation of authentication standards, supported by all organizations that send and receive communications, will always stand as the foundation to fight spoofing.
