Why Phone Fraud Starts With A Silent Call

Aug 24, 2015
Originally published on August 27, 2015 2:17 pm

Here's an experience some of us have had. The phone rings. You pick it up and say "Hello. Hello. Helloooo." But nobody answers.

It turns out there could be someone on the other end of the line: an automated computer system that's calling your number — and tens of thousands of others — to build a list of humans to target for theft.

Build A List

Vijay Balasubramaniyan, CEO of Pindrop Security, a company in Atlanta that detects phone fraud, says that in any number of ways, the criminal ring gets your 10 digits and loads them into an automated system.

Maybe you gave your number to Target or some other big retailer that got hacked. Maybe you entered an online raffle to win a free iPhone.

According to the Federal Trade Commission, these robocalls are on the rise because Internet-powered phones make it cheap and easy for scammers to make illegal calls from anywhere in the world.

That initial call you get, with silence on the other end, "[is] essentially the first of the reconnaissance calls that these fraudsters do," Balasubramaniyan says. "They're trying to see: Are they getting a human on the other end? You even cough and it knows you're there."

Gather Account Information

The next step is gathering information about your bank or credit card account. You get a call with a prerecorded voice that tells you, for example, "[we're] calling with an important message about your debit card. If you are the cardholder please stay on the line and press 1. Otherwise please have the cardholder call us at 1-877..."

If you're thinking about ignoring it, the message tries to scare you into paying attention with a warning: "A temporary hold may have been placed on your account and will be removed upon verification of activity."

That number leads to another automated system that prompts you to share personal details like your date of birth, your card number and secure PIN, the expiration date, your Social Security number.

It can be tricky because many real banks have a similar system. And, Balasubramaniyan says, fear does kick in. He recalls a big scam in 2014 in which criminals pretended to be the IRS calling to collect back taxes. (The agency says the scam is still going on.) If you wanted to call back or have time to talk to your spouse before paying over the phone, the fraudster wouldn't let you go.

Balasubramaniyan recalls, "They're like 'OK, if you want a moment to process this, we're going to send the law enforcement in front of your doorstep.' "

Pindrop keeps a "honeypot" — about a quarter-million phone numbers that aren't being used by real people, which the company uses for research. Workers enter the numbers into sweepstakes and online databases, to see what kind of fraud hits.

Company researchers estimate 1 in every 2,200 calls is a fraud attempt. And they've observed an interesting detail about the fraudulent 1-877 numbers. If you call back from your phone — which the criminals dialed — you get the prompt to enter personal data. If you call back from somewhere else, you get "this number has been deactivated." So a regulator or police officer that's trying to crack down will think, incorrectly, it's out of commission.

Hijack Account

Once the criminal ring scrapes enough information on you, it has humans call your financial institution. Banks and credit card companies hire Pindrop to help them detect fraud.

In a real-life example, provided by one call center, the operator has a hard time hearing the caller and apologizes.

The caller, who is pretending to be the account holder, wants to know his available credit — to make sure the account is worth pursuing.

"Got it," the operator says, eager to provide good customer service. "Your available credit is $34,999."

That's good money. The caller says, "OK, can you help me update my address today?" and he proceeds to take over the account.

Solutions?

Now, there are clues that the guy calling isn't legit. There are long breaks in his voice when he says, "I'd like to know the available credit in my account."

Internet-based phone services divide your voice into little packets, wrap them up and ship them across the network. If a packet gets lost, you get a break in the audio. The size of the break varies, by country and by network conditions. The specific device you use (Samsung Galaxy, MacBook Air, for example) and the voice itself give additional clues.

Pindrop has a tool that puts about 147 clues together and rates how trustworthy the caller is in real time. So an operator can tell, Balasubramaniyan says, "this call is supposed to come from a landline in Atlanta, but the audio is telling us it's a Skype call from West Africa."

There's no similar tool available for the average person. Balasubramaniyan says your best bet is to make sure the number you're calling matches the number on the back of your credit or debit card, or the bank's website.

Pindrop declined to name its clients, because of nondisclosure agreements, but it says three of the four biggest banks use its services. The startup has gathered millions of samples from call centers and, based on analysis of unique callers and devices, Balasubramaniyan believes his team has identified a specific criminal group in Nigeria.

The ring, nicknamed "West Africa One," has a dozen members according to Pindrop. And they have varying skill levels. If a bank account has a larger credit line, it goes to one particular fraudster who's particularly adept at manipulating call center operators.

"The fraudster who's attacking the $100,000-and-more account has so much information at his disposal, he's done so much research on the account, that he's flawless on his call," Balasubramaniyan says. "When the call center agent asks him a particular question, the way he answers, the pauses that he takes, all of that is a work of art as compared to someone going after the smaller-sized accounts."

Balasubramaniyan says while Pindrop has shared this information with its clients, he does not know if they are pursuing criminal investigations.

'Just Hang Up'

The FTC is trying to combat the rising number of illegal automated phone calls.

"It is the No. 1 consumer complaint that we receive," says Patty Hsue, an attorney who leads the FTC's effort against robocalls. The agency receives an average of 170,000 complaints per month about robocalls, she tells NPR's Audie Cornish.

The FTC recommends that consumers "just hang up" on the robocalls.

"We don't want consumers to engage in any way with robocallers," Hsue says. "A lot of times when you get a robocall you have the option of pressing 1 for more information or pressing 2 to ask to be removed from the list. And in either case, pressing 1 or 2 basically lets the robocaller know that it's a live person on the other line who's willing to engage and that could lead to additional robocalls."

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ARI SHAPIRO, HOST:

Time now for All Tech Considered.

(SOUNDBITE OF MUSIC)

SHAPIRO: Maybe you've had this experience recently - the phone rings - hello? Hello? Hello? Nobody is there. Well, there may have actually been somebody there - or at least a computer calling your number and tens of thousands of others to build a list of people to target for theft. Today on All Tech, we're talking about the growing problem of automated phone scams. According to one firm's analysis, they are up 30 percent in the past year. Here's NPR's Aarti Shahani to tell us how they work.

AARTI SHAHANI, BYLINE: Maybe you gave your number to Target or another big retailer that got hacked. Maybe you entered an online raffle to win a free iPhone. In any number of ways, the criminal ring gets your 10 digits, loads them into an automated system and that initial call you get with silence on the other end...

VIJAY BALASUBRAMANIYAN: That's essentially the first of the reconnaissance calls that these fraudsters do. They're trying to see are they getting a human on the other end?

SHAHANI: Vijay Balasubramaniyan is CEO of Pindrop Security, a company in Atlanta that detects phone fraud.

BALASUBRAMANIYAN: You even cough and it knows you're there.

SHAHANI: The next step is gathering information about your bank or credit card account. You get this call.

(SOUNDBITE OF ARCHIVED RECORDING)

COMPUTER-GENERATED VOICE: Calling with an important message regarding your debit card. If you are a cardholder, please stay on the line and press one. Otherwise, please have the cardholder call us 1-877...

SHAHANI: If you're thinking about ignoring it, the message tries to scare you into paying attention.

(SOUNDBITE OF ARCHIVED RECORDING)

COMPUTER-GENERATED VOICE: A temporary hold may have been placed on your account and will be removed upon verification of activity. Again, that number is 1-877...

SHAHANI: That number leads to another automated system that prompts you to share personal details, like your date of birth, your card number and secure pin, the expiration date, your Social Security number. It can be tricky because many real banks have a similar system, and Balasubramaniyan says fear does kick in. He recalls one big scam.

BALASUBRAMANIYAN: We last year had this IRS call where they were saying you owe back taxes.

SHAHANI: If you wanted to call back or have time to talk to your spouse before paying over the phone, the fraudster wouldn't let you go.

BALASUBRAMANIYAN: They're like OK, if you want a moment to process this, we're going to send the law enforcement in front of your doorstep.

SHAHANI: There's also a very interesting detail about this 1-877 number. If you call back from your phone, which the criminal dialed, you get the prompt. If you call back from somewhere else, you get...

BALASUBRAMANIYAN: This number has been deactivated.

SHAHANI: So a regulator or police officer that's trying to crack down will think incorrectly it's out of commission. Once the criminal ring scrapes enough information on you, they have humans call your financial institution. Banks and credit card companies hire Pindrop to help them detect fraud. Here's a real-life example provided by one call center. It starts with the operator.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #1: I apologize. I'm having a little bit of a hard time hearing you. Are you on a, like, a...

UNIDENTIFIED MAN #2: I'd like you to - I'd like to know the available credit on my account.

UNIDENTIFIED MAN #1: Got it.

SHAHANI: The caller, who is pretending to be the account holder, wants to know his available credit to make sure the account is worth pursuing.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #1: Your available credit $34,999.

UNIDENTIFIED MAN #2: Thirty-four thousand nine hundred ninety-nine dollars.

UNIDENTIFIED MAN #1: Yeah, $34,999.

SHAHANI: That's good money.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #2: OK, can you help me update my main address today?

UNIDENTIFIED MAN #1: Update your address?

SHAHANI: The caller proceeds to take over the account. Now, there are clues that the guy calling isn't legit. Listen again to the quality of his voice.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN #2: I'd like you to - I'd like to know the available credit on my account.

SHAHANI: Internet-based phone services divide your voice into little packets, wrap them up and ship them across the network. If a packet gets lost, you get a break in the audio. The size of the break varies by country, by network conditions, the specific device you use - Samsung Galaxy, MacBook Air - and the voice itself. These all give additional clues. Pindrop has a tool that puts about 147 clues together and rates how trustworthy the caller is in real time, so an operator can tell...

BALASUBRAMANIYAN: This call is supposed to come from a landline in Atlanta, but the audio is telling us it's a Skype phone calling from West Africa.

SHAHANI: There's no similar tool available for the average person. Balasubramaniyan says your best bet is to make sure the number you're calling matches the number on the back of your credit card or debit card or the company's website. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.