Someone out there really, really wants to help me avoid expensive car problems.
Their recorded voice tells me that they’ve been trying to reach me about an extended warranty my car doesn’t have, yet which is somehow about to expire. I just have to press 1 to learn more. They’re persistent: I get multiple calls a day from multiple phone numbers across the country.
If you own a phone, you’ve probably had a similar experience. Maybe the call was about something else, like the IRS warning you that your arrest is imminent unless you buy a bunch of gift cards right now, or Amazon asking you about a large purchase you never made, or Marriott offering you a free vacation. (In case it wasn’t clear: These calls did not come from the IRS, or Amazon, or Marriott.) Or maybe it wasn’t a call at all, but a text message about a hold on an account with a bank you don’t even have an account with or a prize for a contest you didn’t enter. Just click on a link or call a phone number to learn more. Maybe you’ve noticed that you’re getting a lot more of those texts than you used to.
By “you,” I mean pretty much everyone in the US who has a phone. Americans are barraged with tens of billions of unwanted robocalls and robotexts every year. As a result, many of us have stopped picking up the phone at all when it rings. According to a recent robocall report from Transaction Network Services (TNS), which offers robocall identification and mitigation services, people accept calls from unknown numbers only 10 percent of the time. Like a hiker in Colorado, who was missing for 24 hours last October because he wouldn’t answer calls from an unknown number (in this case, that number happened to be the Search and Rescue Team).
The Colorado hiker is an extreme, if relatable, example. But unwanted robocalls and texts are more than just a pervasive annoyance or a reason a man was lost for longer than he might have been. They cost me a little bit of time and patience, but they cost the millions of people who fall for robocall- and text-related scams money — a lot of it. Truecaller, a call blocking app, estimates Americans lost nearly $30 billion to phone scams in 2021 (it’s difficult to know the real number, as most people don’t report being scammed).
How can this possibly be a problem, still, in this modern world of technological wonders? Our phones have become tiny computers that are more powerful than what NASA used to land people on the moon. Why can’t they stop an unsolicited phone call? How hard can it possibly be?
Pretty hard, it turns out. Those technological advances apply to phones, too. Robocalls and texts are one of the unintended consequences.
What made the robocall invasion possible
Calling and texting anyone anywhere in the world has become relatively cheap and easy. There was a time when you had to go through a switchboard to be connected to another person. Up until a few decades ago, there were only a few phone companies in the country, and they owned all the phone lines. And long-distance calls cost a lot. This made it difficult and prohibitively expensive to embark on mass-calling operations at the scale we see today.
Then the Telecommunications Act of 1996 came along.
“Congress passed a law that broke up all the monopolies,” Jim Dalton, CEO of the robocall prevention software company TransNexus, told me.
“The good news is it allowed all these different companies to come in and create all kinds of innovation, which drove down the price to basically nothing,” Dalton said.
Innovations like Voice over Internet Protocol (VoIP) services, which transmit calls over the internet rather than over wires. The bad news is, VoIP makes spoofing phone numbers — telling your phone’s caller ID that the call comes from a different number than it actually does — very simple, while autodialers that can call many people at the same time cost very little. It’s also a lot harder to track down and go after the people who do it, as is often the case with internet-based bad behavior. There are thousands of VoIP providers in this country alone, and some of them don’t care if their services are used by scammers.
That means there are lots of scammers using lots of services and technologies to make lots of calls and texts to run lots of scams on lots of us. Trying to stop them is a constant game of whack-a-mole; when one avenue of reaching us is shut down, another pops up. And when regulators tried to crack down on spoofed calls, scammers shifted to other means of reaching us. That’s why you’re getting more scam texts than you used to.
Or, as Dalton put it: “There is no integrity in the telephone network. It’s a free-for-all. You can do whatever the heck you want.”
To put that free-for-all in numbers: TNS says Americans got almost 80 billion in 2021; YouMail, a robocall blocking app, puts it at about 50 billion. Some truly unfortunate people get hundreds of calls a day. And if you think the number of scam calls you get on your mobile phone is bad, it’s even worse for landlines. TNS says that nearly half of all calls to landlines are unsolicited, compared to a fifth to wireless numbers. And then there are the texts. Robokiller, which makes a robocall blocking app, estimates that Americans got 86 billion spam texts last year — 55 percent more than the year before.
It’s not like we haven’t tried to do something about it. Over the years, new laws have made unsolicited robocalls illegal, created a Do Not Call registry, and forbidden spoofing phone numbers for malicious purposes. Scammers and companies that facilitate scammers have been hit with restraining orders, fined, sued, arrested, and sent to prison. The Federal Communications Commission (FCC), Federal Trade Commission (FTC), Department of Justice, and attorneys general from every state have made efforts to stop robocalls.
Nevertheless, the robocalls persisted.
Help is on the way, maybe
So we’re trying again. The latest effort is 2019’s Telephone Robocall Abuse Criminal Enforcement and Deterrence, or TRACED, Act. Despite these times of deep political divides, the TRACED Act passed with overwhelming support in the House and Senate: Only four members of Congress between both houses and both parties voted against it. Presumably, three of them are the only people in the country who don’t get robocalls. The fourth is Sen. Rand Paul (R-KY).
TRACED gives the FCC the power to do several things, including mandating that service providers implement measures to authenticate their callers, better police their customers, and put their robocall mitigation efforts in the FCC’s new Robocall Mitigation Database. If they don’t enter their information in the database, they could be fined. Perhaps worse, other providers can block all of their calls — unsolicited or wanted, from spoofed numbers or legitimate. That’s a big problem for a provider because you don’t have much of a business if your customers’ calls don’t go through to anyone else’s networks.
So how are these providers supposed to authenticate those callers? The FCC is requiring them to use STIR/SHAKEN, which stands for Secure Telephone Identity Revisited and Signature-based Handling of Asserted information using toKENs (yeah, it’s a bit of a stretch to get to SHAKEN from there, but they really wanted to make this James Bond-inspired acronym work). STIR is the set of standards to add digital signatures to calls, verifying that they’re coming from the number on the caller ID, while SHAKEN is the framework to implement those standards, telling voice providers how to handle that certificate as it travels across networks from the origin to the endpoint (you).
This isn’t meant to stop robocalls or spoofed numbers. For one thing, not all of them are illegal or unsolicited. A pharmacy might use robocalls to tell you that a prescription is ready, or a food delivery person might use a spoofed number to let you know your food is here without having to reveal their personal mobile number. Rather, it just tells you and your provider if the phone numbers the calls are coming from are spoofed in the first place. That makes it easier to screen or block them, and it makes it easier for law enforcement and regulators to trace them back to their origin.
Dalton called STIR/SHAKEN “a whole different level of accountability and liability,” but only if it’s implemented by every provider. Right now, it isn’t. The FCC’s deadline to implement STIR/SHAKEN was June 30, 2021, but only for large providers, like Verizon and AT&T. Companies with fewer than 100,000 subscribers have until June 30, 2023. STIR/SHAKEN also doesn’t yet work on calls that come from or pass through older networks (a.k.a. wires). Dalton described this as not a “loophole” but a “loopchasm,” perhaps even a “loopcanyon.”
And there’s still the problem of gateway providers, or the middlemen that scammers based in other countries route their calls through to get to the US. The FCC is working to make STIR/SHAKEN and other rules apply to US-based gateway providers, who may be looking the other way when scammers abuse their services or don’t have the resources to correctly police their own services.
“Until there is SHAKEN everywhere, it’s a joke,” Dalton said. “It’s a joke until the federal government gets serious and makes everybody implement SHAKEN.”
After Dalton and I spoke, the government did, in fact, “get serious.” The FCC decided to move the STIR/SHAKEN deadline up to June 30, 2022, for the types of providers that were found to be a major source of illegal robocalls. An FCC official told Recode that the agency expects we’ll see a significant decrease in bad calls after that.
Or the scammers will find new ways to get through to our phones. Like this: Jim Tyrrell, senior director of product marketing at TNS, says his company has found that scammers are increasingly buying up blocks of real phone numbers and making calls from them. Those aren’t spoofed, and they’re less likely to be flagged by your provider.
“They’ll make very few calls across hundreds of thousands of telephone numbers to try to avoid detection,” Tyrrell said. “It’s a constant battle. If I didn’t know better, I would think they have their own data science team trying to figure out what works and what doesn’t work.”
Guess what else STIR/SHAKEN doesn’t apply to? Texts. So scammers are turning to them, and the FCC is working on ways to stop them. Chair Jessica Rosenworcel said the agency is looking for ways that mobile carriers could identify and block texts before they reach consumers’ phones. In the meantime, be very careful about clicking on links in texts. Some of them can be pretty convincing.
I have taken matters into my own hands
Don’t give up on your phone just yet. Experts are optimistic about STIR/SHAKEN, and regulators and lawmakers are still working on the problem. In the meantime, there are things you can do to reduce the number of calls and texts you get.
Sens. John Thune and Ed Markey, who sponsored TRACED, recently introduced another robocall bill: the Robocall Traceback Enhancement Act. This bill would make it easier for members of the private industry group that TRACED set up to trace back scam calls, to share information about calls and callers. It would also let the group and the FCC publish a list of providers that don’t cooperate with anti-robocall efforts.
Thune told Recode that he thinks the new bill is “another important step toward holding these bad actors accountable,” and that he hopes his colleagues pass it “without delay.” Thune and Markey recently urged the FCC to get more data on which providers are recurring subjects of traceback orders.
One good thing about the rise of robotexts is that they might be easier to stop than calls, Alex Quilici, CEO of YouMail, told Recode. Because texts are, well, text, they’re easier for providers to identify and filter out than audio phone calls. That’s what email providers do with spam. You probably don’t get fewer spam emails than you did 20 years ago (some estimates say more spam emails are sent every day than Americans get robocalls per year), but you don’t see the vast majority of them because email providers have gotten better at identifying and filtering them out. If you don’t believe me, check your spam folder.
But Quilici expects the number of robotexts to increase for a while, as it takes time for mitigation measures to be put in place.
“During that time, the bad guys scale, “ he said, “and they learn what to do to get through — making it harder to shut them off.”
There are things you can do, too. Most mobile carriers now offer spam call identification services for free, which are activated by default. (That’s why I get so many calls from “Scam Likely,” who is not, in fact, a real person but T-Mobile’s label for calls it believes to be from scammers.) They also offer free spam-blocking apps that have paid “premium” tiers. I will note that these services aren’t foolproof, as scammers continuously evolve to counter them. I still get plenty of scam calls with no Scam Likely label, while a call I received from a source for this very story was falsely labeled Scam Likely.
Many landlines and VoIP providers also offer spam blockers or filters, and there are third-party services you can use. Again, some are free and some aren’t. Your Apple or Android device may also have onboard features that help you screen out scam calls. The FCC has a helpful list of services, as does the FTC. Both agencies also have ways to report scam calls, so you can add your voice to the millions of robocall complaints they get every year. You can also forward spam texts to 7726 (SPAM).
One thing the FTC, FCC, and pretty much everyone else says you shouldn’t do is respond to scam texts or answer robocalls, no matter how tempting it is to yell at them. That only tells them that your number is valid, and you’ll get a bunch more calls and texts.
This is worth repeating: Do not answer robocalls or respond to scam texts. In the interests of journalism, I decided to disregard this good advice to see what would happen if I pressed 1 on a car warranty call. Eventually, I was put through to a “specialist,” who gave me the name of the company she said she worked for. But I asked one too many questions and she hung up on me.
Turns out that the company she named does exist, and it does claim on its website to sell “aftermarket protection products” for cars. (Not all extended warranties are scams, but some very much are. Either way, it’s illegal for them to call me at all.) The website had a phone number, so I called it. A woman actually answered, but said the man I needed to talk to wasn’t there. When I tried again the next day, he was in a meeting. I felt bad; it’s so annoying when people disturb you with unexpected phone calls at inconvenient times.
I left my name and number for him to call back. As I hung up the phone, I realized that, for the first time ever, I wanted to get a call about my car’s extended warranty.