Revealed: The 5 Tactics Used by Robocall Fraudsters

April 2023

Telecoms & Connectivity

Rosie O'Connor

Research Analyst

In its latest robocalling mitigation research, Juniper Research defined robocalls as "automated telephone calls that deliver pre-recorded messages to a large number of recipients."

Whilst this is a beneficial service for many sectors such as healthcare and the government to contact customers, robocalls are increasingly vulnerable to fraud. In many instances, these calls are unwelcome by the receiver; some robocalls are even unwarranted and illegal, which places the legitimacy of the service at risk.

The pandemic provided scammers with more opportunity to plan and place their attacks, as more people were reliant on maintaining communication with others via calling. As technology has developed, scammers have become smart in the tactics they use to deceive end users, often posing as trusted organisations to obtain personal information of consumers.
 

SIM Swapping

 
SIM swapping fraud occurs when a bad actor (fraudulent caller) contacts a telecom operator pretending to be a customer and convinces the operator to transfer the victim’s phone number across to a new SIM, whereby the bad actor can control the SIM to make and receive phone calls.
 
These SIM swapping attacks can have a detrimental impact on the user, through manipulating their information to retrieve money and reducing the user’s confidence in service providers and operators. Once the fraudster has control over a phone number, they can reach the victim’s personal contacts to determine more information on them, which will aid in their fraudulent attacks.
 
Some methods to protect consumers and operators against such deception include stricter verification from operators, to ensure the person calling is legitimate.
 
Prior to reassigning a number, the telecom operator must notify the customer of such changes to further verify the legitimacy of the actions. Failure of operators to implement these protective strategies means operators will be banned and fined by the FCC.
 

Vishing

 
Vishing (Voice Phishing) is a type of cyberattack over the phone, whereby the fraudster attempts to retrieve personal information from victims about their data, such as bank details and passwords through calling an organisation or the individual.

The methods fraudsters use to trick customers and operators include fake, realistic caller ID displays, which deceive customers in thinking the call is from a trusted business, individual or enterprise.
 
Typical vishing attacks take the form of social engineering, as fraudulent callers manipulate the receiver into giving up personal information through suggesting problems with the victim’s accounts, such as banking or insurance. The scammer attempts to steal someone’s identity to compromise the victim’s assets.
 

Caller ID Spoofing

 
Fraudulent callers have established they can alter the display on their caller ID to hide their true identity and present a particular message or brand to a consumer, portraying themselves as an individual or enterprise which they are not.
 
Such calls can change the caller ID number to present a familiar, trusted number and utilise VoIP (Voice over Internet Protocol) technology to make calls across the Internet, to access more phone owners. VoIP whilst a cost-effective, reliable alternative to traditional phone services, is more susceptible to spoofing, due to being able to create an account with a VoIP provider or use already available VoIP tools to substitute the scammers’ original number for a chosen one, leading to neighbour spoofing.
 

Unauthorised Number Reassignments

 
Unauthorised number reassignments lead to consumers receiving unwanted calls or spam intended for the person or enterprise who previously owned the number. The FCC offers RND (Reassigned Number Database), a database to track and identify reassigned numbers to verify the legitimacy of the caller and associated reassignments, to prevent the current owner receiving such calls.
 
This database enables callers to verify whether a phone number has been reassigned prior to making the call, in order to reduce their TCPA (Telephone Consumer Protection Act) liability. In turn, consumers will not receive unnecessary calls aimed at the previous phone number owner, restoring their trust in service providers. The TCPA was implemented in 1991, and is a law to restrict particular telemarketing calls and messages. Consumers can contact the FCC if this happens and report said phone calls. Further prosecution can occur if the consumer is unhappy.
 

Unauthorised Call Forwarding

 
A new way of manipulating customers into surrendering personal information is through unauthorised call forwarding, whereby fraudsters utilise call forwarding services to transfer and forward other people’s calls to a fraud mobile number.
 
Such calls take form as scammers impersonate businesses and enterprises such as banks, healthcare, customer care services, to try and deduce information and data from the individual. Once the call is diverted, the scammer can request for an OTP (One-time Password) to log into the customer’s account by choosing the ‘forget password’ option on their account. The fraud takes place once the OTP connects to the account, as the scammer can access it, finding out private information such as passwords and bank details.
 

Related Reading

 
Our complimentary whitepaper, How Brand Authentication Will Terminate Robocalling, assesses key losses to fraudulent robocalls, and outlines how platforms can leverage brand authentication methods and emerging frameworks to verify and validate their services for end users.
 
“Juniper Research’s latest Robocall Mitigation research provides a comprehensive assessment of the robocalling market and brand authentication solutions. It includes strategic recommendations for robocalling detection and mitigation service providers and end users, as well as comprehensive 5-year forecasts for robocalling traffic and operator loss to fraudulent robocalling activities, and authentication technologies. In addition, it features an evaluation of the key solutions protecting businesses from the effects of robocalling, including brand authentication API calls.”