The Threat of Robocall Fraud

POSTED BY Sam Barker
The art of robocalling has become far more sophisticated and prevalent in the last 30 years, as technological advances and device ownership have grown at an alarming rate. Indeed, there are several ways in which fraud is accomplished via robocalling.

Caller ID spoofing involves falsifying the information displayed on a device, in effect leading the recipient to believe the caller is one of their contacts or a trusted organisation. In instances where the caller identification is unknown to the end user, the area code might be the same as their own, in theory lending credibility to the call. The onus is then on the fraudster to back up this initial plausibility by convincing the end user that the call is genuine, but receiving a call from a trusted-looking number is a very compelling reason for recipients to ‘go along’ with the nature of the call.

SIM swapping is a process where a fraudster convinces a mobile network operator to transfer an individual’s telephone number to a SIM card in the fraudster’s possession. This is achieved by digging up personal details from social media sites and by robocalling to build up a picture of the victim, aiming to extract the data the mobile provider needs to authenticate their identity. In this example, robocalling is not an end in itself, but is used as part of the process to gain the trust of the network operator and, ultimately, to gain access to one-time security codes tied to two-step verification, which potentially opens up complete access to an individual’s life.

In a similar vein, unauthorised number reassignment or mobile phone number porting involves fake number porting requests to mobile providers once the criminal has built up a comprehensive picture of their victim, including sufficient layers of data with which to approach the network operator with confidence. Once this hurdle has been overcome, it becomes easy to intercept one-time passwords sent via SMS as part of a two-step verification process.

Unauthorised call forwarding follows the same methodology as SIM swapping and unauthorised number reassignment: when calls that include one-time passwords are not received or triggered by the intended recipient, they are likely being intercepted and used by a fraudster.

Any form of robocalling is only as good as its lead lists, and the lengths to which a criminal will go to source them. Tranches of data, often containing a sizeable number of mobile numbers, can be legally obtained by telemarketers who may use robocalling as a legitimate, if somewhat annoying, form of cold calling. It is unclear whether these otherwise lawfully procured lead lists make their way into the hands of those with less honourable intentions, but many end users will be unaware of the option to opt out of their data being mined by third parties.

Offering a range of solutions to the scourge of robocalling and associated fraudulent practices, third-party platforms are now an integral part of the landscape. Focused on designing systems to disrupt unsolicited and potentially criminal calls, these third-party organisations can in theory do the legwork for network operators. Two issues need to be addressed: whether one-size-fits-all developments are sufficient to be effective across the spectrum, and whether, for example, a single network operator working unilaterally with a third-party platform could compromise desired or mandatory industry-wide standards.

Our latest whitepaper, Robocall: The $40 Billion Threat, analyses the different ways robocall fraud is achieved, as well as highlighting potential solutions to mitigate the issue of robocalling.
