In this week’s bulletin:
- Americans Are Seven Times More Likely to Complain about Nuisance Calls than Brits
- IoT Security Foundation Reviews Worldwide Adoption of Vulnerability Disclosure Policies
- The Final Countdown
- Other News
Americans Are Seven Times More Likely to Complain about Nuisance Calls Than Brits
Comparative analysis should be the backbone of policy formation. For example, comparing one nation to another teaches us the following.
- Life expectancy in the USA is 77.4 years compared to 82.1 years in the UK, despite the UK’s per capita spending on healthcare being only 44 percent of the per capita spending on healthcare in the USA.
- The murder rate in the USA is seven times higher than in the UK, which explains some of the difference in life expectancy.
- The World Bank calculates that the nominal GDP per capita of the USA is USD81,695, which is 40 percent more than the GDP per capita of the UK.
None of these figures has much to do with the communications industry, but the point should be clear. Differing policies can have a huge influence on wealth, on crime, and on life. This remains true even for peoples with some common ancestry who possess a broadly similar legal, ethical and cultural outlook. There are no ‘silver bullets’ in economics, healthcare or policing, but that does not mean bad policy decisions will deliver similar outcomes to good policy decisions. Sadly, it can be difficult to distinguish between bad and good. One way to objectively evaluate the effectiveness of a policy involves measuring the results delivered by different policies pursued by different countries.
Regular Commsrisk readers know where this argument is headed. It is bizarre that an industry as global as communications, where there is often talk about the need for cross-border cooperation to tackle crime, formulates its anti-crime policies whilst conducting little comparative analysis of the methods used by different nations. Telecoms generates annual global revenues exceeding USD1.2tn, and there are estimates which say the total cost of international scams exceeds USD1tn, but Commsrisk is one of the few resources that objectively compares the anti-scam policies adopted by comms providers and their regulators in different countries.
So let us use some data that has been freely available to everyone for many years, but which almost nobody uses in the way it should be used. The US Federal Trade Commission (FTC) and the British Information Commissioner’s Office (ICO) have almost identical definitions for how they categorize complaints received from the public about unsolicited calls. I always advise caution when drawing inferences from trends in complaints, but some people love to jump to conclusions, as demonstrated by the FTC last month.
Reports of Unwanted Telemarketing Calls Down More Than 50 Percent Since 2021
…“Illegal calls remain a scourge, but the FTC’s strategy to pursue upstream players and equip the agency to confront emerging threats is showing clear signs of success,” said Sam Levine, Director of the FTC’s Bureau of Consumer Protection. “In the years to come, it will be critical we continue this progress by confronting not only telemarketers but those firms who knowingly profit from scam calls.”
If two countries categorize complaints from the public in the same way, and if the number of complaints is a measure of success or failure, then the relative success of each country’s policies should be measurable by comparing the relative number of complaints. Let us take a look at the absolute number of complaints received by the FTC and ICO between August 2020 and September 2024, adjusted for the size of each population. The following graph shows the total complaints about unwanted calls for each country. It also shows the breakdown of complaints about ‘live’ calls that involve a human being on the other end of the line from the recipient, versus complaints about robocalls that play an automated message.

Oops. This graph shows the FTC is right about a fall in Americans complaining about spam and scam calls. However, this can only be considered a success if there is also an admission that the American public has always made very many more complaints about unwanted calls than their peers in the UK. Americans are currently seven times more likely to complain about receiving a spam or scam call than the average Brit.
If we only looked at this graph, the main takeaway would be that the USA should copy British policies in order to reduce the number of spam and scam calls that the American public receives. This stands in stark contrast to the messages pushed by a metaphorical invasion of US experts who have been aggressively lobbying for Britain to emulate American strategies since the beginning of the decade. Brits have less reason to complain about spam and scams, but it is Americans who jump on flights to lecture other nations about how to protect consumers.
For example, Josh Bercu, a former Federal Communications Commission lawyer who now oversees US traceback efforts, made the transatlantic journey just a few weeks ago. He presented a few cherry-picked statistics about the nominal success of the American strategy at an NICC meeting in London. The comparative complaints data from both countries was not given any attention, despite ICO being invited to the same meeting.
The graph above can be fairly criticized because the absolute number of complaints is not a good measure of the number of bad calls. The propensity for the public to complain will be heavily influenced by other factors, such as their awareness of who they can complain to, or the ease with which a complaint is lodged. We can control for these factors by only examining the relative change in the number of complaints from a baseline. The following graph presents the same data indexed relative to the number of complaints recorded during August 2020.

Wow. Graphs like this demonstrate how powerful a comparative analysis can be. The UK and USA have markedly different strategies for reducing spam and scam calls, but the complaints trends are stunningly similar. The UK does not have STIR/SHAKEN, does not have a Robocall Mitigation Database, and does not have the traceback mechanism that Josh Bercu was advocating for at the NICC meeting. On the other side of the scale, British telcos differed from their American counterparts by voluntarily blocking inbound international calls that spoof a domestic number, and the introduction of this block coincides with the extremely rapid fall in the number of Brits complaining about automated calls during the middle of 2021. The UK also endured a sharper relative rise in complaints about scam and spam calls during the COVID lockdown period that preceded the new blocks on spoofed international calls. The volatility in the British figures is somewhat due to the absolute numbers being so small, so a much smaller absolute change will generate a much larger proportionate swing. Even with this additional volatility in the UK statistics, the trends on both sides of the Atlantic are remarkably aligned to each other.
The similarity in the trends on both sides of the Atlantic is especially persuasive because it can also be seen when looking at the subsets of complaints concerning live calls and automated calls. Live calls were a much smaller portion of the overall problem in August 2020. They provoked 22 percent of US complaints and 47 percent of UK complaints at that time. Their contribution to the mix is now much larger, at 43 percent in the US, and 68 percent in the UK. So when regulators like the FTC argue there has been success at reducing the number of scam and spam calls, it should be caveated that most of this success relates to reducing the number of automated calls. In other words, they have found it easier to stop stupid and repetitive robocalling techniques that produce anomalous traffic patterns which are simpler to identify.
That telcos are using simple but effective methods to block low-grade repetitive spam and scam calls also explains why reports of the amounts of money lost to scammers have not fallen in line with the reduced number of complaints. Fraudsters score their biggest paydays when engaging victims in a long con that requires prolonged interaction. From the perspective of the scammer, the quantity of scam communications is not a measure of the quality of the scams they enact. Thousands of automated scam calls may be connected for less cost than having a human scammer speak to a victim for several hours, but criminals will treat a much higher cost as worthwhile if the expected payout is also much higher. Obsessing about the number of bad calls will result in sub-optimal policy decisions if the goal is to reduce the harm caused to the public by sophisticated scam syndicates.
The disparity in methods but similarity of trends in the UK and USA supports the hypothesis that there is a widespread overestimation of the significance of controls implemented near the receiving end of a call, and an underestimation of factors influencing the number of calls originated by scammers and illegal telemarketing outfits. When analyzing the effectiveness of a national policy there will be an inevitable bias in assuming improvements are due to conscious changes to national policy, and an underappreciation of factors that are outside of the country’s control. For example, nobody in the USA or UK is deciding whether a rebel Myanmar army will invade and shut down a town of scam compounds. If the US wants to receive fewer calls from scam compounds in countries like Cambodia, India and the United Arab Emirates then they should focus their lobbying on those countries, and not on the Five Eyes security allies which have been subjected to more American lobbying than is healthy or productive.
That is why I disagree with the myopic worldview of an individual like Josh Bercu. His fundamental argument is that tracing bad calls to bad actors in the USA has been a tremendous success, and this feeds into an argument that a transnational traceback structure will deliver even greater success. This argument is utterly superficial. The extent to which you can reduce fraud depends on how much fraud already occurs, and the places where you can reduce fraud depend on where the frauds occur. If little fraudulent traffic originates in the UK then no amount of assistance with tracing calls to the UK will yield a significant reduction in fraud for Brits or Americans. If fraudulent traffic is supposedly originating in the UK at the same or higher levels than in the USA, then some evidence needs to be shown to help explain why UK-based fraudsters are not driving up the levels of complaints from the British public. Vague supposition that any policy decision must be a step in the right direction is tantamount to abandoning any rational discrimination between good policies and bad policies.
Bercu’s argument is especially confused because it relies on a false premise, although he repeated it several times during his presentation at NICC. He claims that his traceback consortium is powering a surge of prosecutions that is behind the success of the US strategy. Commsrisk has often drawn attention to the dirty secret undermining the US strategy: the US legal and regulatory system lacks both the appetite and the competence to punish fraudsters with the frequency and severity required to turn the tide on crime. That is not just my opinion. Professor Eric Burger is a former White House advisor and CTO at the Federal Communications Commission, and in these roles he greatly shaped the current US strategy for tackling scams. Just before Bercu’s arrival in London, Burger made the following observation during an exchange we openly shared online.
We see not a failure of STIR/SHAKEN but the failure to prosecute what should be slam-dunk cases.
On one side there is a former FCC lawyer arguing that the US policy is succeeding because it has enabled more prosecutions, and on the other side there is a former FCC CTO arguing that clear violations of law are not being prosecuted. You may disagree with me about who to believe. However, it is difficult to conclude that other countries must emulate US policy when some of its leading architects are so obviously divided about how to evaluate its effectiveness so far.
The breakdown between ICO and FTC complaints about live and automated calls also shows the folly of assuming the policies adopted by one country will yield similar results if copied by a different country. Live calls now provoke two-thirds of the complaints in the UK, although they continue to prompt fewer than half of the complaints by Americans. Implementing methods to stop robocalls is not going to be as important if there is no automated element to the majority of spam and scam calls that the population receives.
Per ICO’s data, Britain has always had a much bigger relative problem with live calls than robocalls. But neither the UK nor the USA has been as effective at reducing complaints about live calls as at reducing complaints about automated calls. In the US, the relative drop in complaints about automated calls between August 2020 and September 2024 has been 73 percent, whilst the drop for live calls has been just 27 percent. The equivalent UK figures for automated calls and live calls are 71 percent and 27 percent respectively. The fact that the mix of complaints has always leaned more heavily towards live calls in the UK means that identifying harmful automated traffic will deliver inferior results in the UK even though it remains a more important priority in the USA.
I distrust American lobbying of the anti-scam policies adopted by other countries. When looking for examples to emulate, I first turn to Singapore, Australia and Ireland for inspiration. Work done in Thailand and the Philippines has also been grabbing my attention lately. The Brazilian approach to controlling telemarketing is intriguing, and I continue to admire the ways in which Kenyans have been tackling SIM swap frauds. I also pay attention to how the Chinese enforce their laws, which has resulted in the arrest and extradition of tens of thousands of scammers that were based in other countries. Chinese vigor at finding and imprisoning scammers wherever they are located offers a sharp contrast to the paltry prosecutorial efforts of the USA.
But my reason for distrusting American lobbying is not only prompted by observing the superiority of anti-fraud policies pursued by other countries. It also comes from looking at raw data without waiting for somebody to interpret it for me. I tire of the fallacy that every statistic cited by an American must represent some profound insight for the rest of the world. On the contrary, the data leads me to believe that some American professionals are not prioritizing the good of their countryfolk, and they certainly do not care about the wellbeing of foreigners. The US strategy for handling spam and scam calls has been overly dictated by commercial and political interests, and it is those interests that finance all the lobbying of comms providers and authorities in other countries. There is a lot of money to be made by getting a USD1.2tn industry to address a USD1tn problem, but seemingly not enough to impartially assess data about the effectiveness of methods that have been tried elsewhere.
IoT Security Foundation Reviews Worldwide Adoption of Vulnerability Disclosure Policies
I take no credit for the second installment of this week’s policywatch, which was authored by Mark Neve and David Rogers of Copper Horse on behalf of the Internet of Things Security Foundation (IoTSF). As in previous years, they have reviewed the extent to which vulnerability disclosure policies for networked devices have been adopted worldwide. Their seventh annual review of this topic highlights some overall progress, but most manufacturers still do not offer a channel for independent security researchers to communicate the vulnerabilities they have identified. Now you may be worried that your networked toothbrush, your networked refrigerator and your networked lightbulbs have all been hacked and used to spy upon you.
But before we examine their findings it is worth highlighting one key aspect of their work that makes it immediately superior to the vast majority of assertions made about networked fraud. All of the data used to compile their report is available for researchers to scrutinize per a Creative Commons 4.0 license. This has two important advantages:
- The conclusions for policy are separated from the data that is supposed to justify those conclusions. Multiple independent reviewers can draw their own conclusions from the same data, reducing the danger that biased or otherwise flawed reasoning will affect decisions about the policies that are ultimately adopted.
- Making the data public gives researchers more motivation to avoid mistakes and justify their reasoning.
So the good news is that you can check the data yourself if you disagree with the following findings from the report.
- British retailers lead the way by mostly stocking IoT products by suppliers that have responsible vulnerability disclosure policies. For example, 90 percent of IoT products stocked by leading British retailer John Lewis are made by businesses that meet the IoTSF’s expectations. The British lead in this arena is hardly surprising. British legislators have acted upon the advice of experts in order to promote IoT security, including the demand that independent security researchers can communicate the vulnerabilities they discover. Several businesses now talk openly about how they comply with the UK’s Product Security and Telecommunications Infrastructure Act.
- US retailers have slightly improved since last year, but continue to lag behind the UK. The relevant statistics are dragged down by Walmart, the US retail giant. Just 27.6 percent of the IoT products stocked by Walmart are made by businesses that offer independent researchers a way to communicate the security failings they have identified. That the US is behind with protecting consumers is also unsurprising. The US policy for improving IoT security concentrates much more on purchasing decisions made by government and its agencies instead of setting expectations to protect ordinary people.
- IoT manufacturers worldwide are getting better at publishing vulnerability disclosure policies, but progress remains slow. Of the 458 companies that were reviewed, slightly over one-third have a policy.
- Different categories of IoT product exhibit a big disparity in the respect that manufacturers show for security. As with previous years, networked products for lighting, health and fitness are amongst the worst. More shockingly, there are low levels of respect for vulnerability disclosure from manufacturers of security products and smart home products. Keep that in mind when contemplating whether you will be safer by adding a networked doorbell to your home.
Credit goes to Californian cybersecurity firm HackerOne for sponsoring the report without trying to influence its contents. Sometimes it is possible to support good impartial research without insisting on a predetermined conclusion. This reflects the more mature expectations that shape tech security research compared to the lackadaisical attitudes found in the domain of fraud management.
The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2024 is freely available, without the need to register, from here.
The Final Countdown
Rockers of a certain age will remember “The Final Countdown”, a hit song by Swedish band Europe. The lyrics come to mind as I give notice that Commsrisk will cease publication at the end of this year.
We’re leaving together, but still, it’s farewell
And maybe we’ll come back to Earth, who can tell?
I guess there is no one to blame
We’re leaving ground
Will things ever be the same again?
It was not my intention, but I have now accumulated some useful experience of announcing my own retirement which I will draw upon again. The fear is that multiple retirements by the same individual will prompt a degree of cynicism from the audience. That is why I have taken a different approach to announcing it this time. Keeping it low-key, and sneaking it underneath some fact-heavy posts about policy, are my ways of mocking all those insincere people who claim to want to make the world a better place, but who mostly make bad decisions based on the self-serving nonsense they hear themselves repeating. Facts and data should drive decision-making, but no words will change the mind of somebody who chooses not to listen. If anybody expresses surprise at the disappearance of Commsrisk in January, I will know they were not such avid readers of this publication.
However, I will keep Commsrisk going for a few more articles. One reason to continue for a little while is that I had lined up plenty of valuable new analysis before MEF told me they no longer want to pay for Commsrisk. Another reason is that I have made a habit of thanking my unsung heroes at the end of every December, and there are still some people I want to praise for their contribution, in the knowledge that they are unlikely to receive all the thanks they deserve. In the meantime, I may also fire a few passing potshots at some of the grubby nitwits that have used the glorious inventions that should connect the entire human race to construct a sewer that ceaselessly pipes marketing bilge and despicable lies into our eyes and ears. I would much rather spend my time listening to some vintage soft rock from a simpler era. If you watch the video closely, you will see a few lighters raised aloft, but no mobile phones…
Other News
- US, Australian, Canadian and New Zealand comms networks have been so deeply subverted by Chinese spies that security agencies in those countries recommend network engineers “ensure that traffic is end-to-end encrypted to the maximum extent possible”.
- ‘Boxphonefarm’: why GSM gateways have become a vector in the delivery of consumer scams
- Dutch authorities emphasize restrictions on police use of IMSI-catchers
- Press release from US overseas aid administrator expresses support for Cambodian journalist Mech Dara, who was imprisoned after revealing details of human trafficking for scam compounds



