Learning from YouTubers Who Hack Scam Call Centers

It says a lot about the quality of training given to telco fraud and security professionals that this article will recommend an educational video found on YouTube and created for the general public. Jim Browning is one of the originators of a YouTube genus now known as ‘scambaiting’ because these YouTubers record their attempts to investigate and disrupt the operations of scam call centers. However, Browning differs from a typical American scambaiter because he is a Brit that never allows his face to be filmed for fear UK laws could be used to punish him for hacking into the IT systems of the call centers he targets. Thankfully, this is not preventing Browning’s advice from reaching as large an audience as possible. Browning has recently shared his insights through a guest appearance on This Morning, a long-running and popular UK daytime magazine show, and via an interview for a spotlight report on Austalia’s 7NEWS. Browning has interrupted countless scams whilst they were in progress, giving him credibility that many other so-called experts lack.

Years ago, when I was still a telco employee, I was invited to speak at a conference for telecoms risk professionals so I took advantage of the opportunity to obtain free admission to the preceding one-day training seminar. No money was spent by me or my employer, but my attendance was still a waste. The content consisted of nothing more than a rehash of warnings created for public consumption and insights that could have been cobbled together by anyone with access to the web. However, the training was given by somebody with a reputation as a leader in the field of securing telcos. I left the session befuddled; why would anybody think it appropriate to train telco insiders in security risks by recycling material designed to raise the awareness of the general public? It took a while to realize the answer: because he did not have anything else to offer. Insiders can share information with insiders, but if they do not then most insiders will remain ignorant. And it is a lot easier to recycle intelligence than to gather it in the first place. Jim Browning is not a telecoms industry insider, but he is a genuine expert in the abuse of telecoms services by scammers because he gains intelligence first-hand, using methods that few within our industry would dare to emulate.

The popularity of scambaiting videos amongst the general public has reached the point where many telco professionals are now aware of the most popular YouTubers working in the field. But it is a bad sign that many others are not. They are plenty of fraud and security professionals who would learn from watching the best scambaiting videos, including those produced by Browning. It is especially heartening when Indian peers share their appreciation for these videos. They could be defensive because the majority of scam call centers targeted by the scambaiters are located in India. Instead, it is to the credit of many Indian professionals that they also appreciate the work of the scambaiters and seek to learn from them. Irrespective of whether telco insiders expect to be on the receiving end of scams, they should be thinking about the huge commercial opportunities for any tools that reduce and prevent scams. If the scambaiters can make a good living just from the revenues generated by their YouTube videos then the demand for solutions has already been established.

Browning recently produced a new video about a one-off collaboration with many other scambaiters, most of whom are based in the USA. For one week they created ‘the People’s Call Center’, using their own bank of phones and computers to collectively disrupt scammers. Browning always takes time to explain the methods and technology used by scammers during his videos. His video about the People’s Call Center is worth watching for the 10 minutes dedicated to describing the specific scam business they targeted. Browning gives a superb explanation of how the scammers generate robocalls and how these calls are routed from India to the prospective victims in other countries. The work done by the People’s Call Center identified bank accounts used to launder money and to collect the proceeds of crime. There are many telcos, and police forces, that do not invest enough in fraud prevention to perform this quality of investigation, which is why we should all be prepared to learn from a public resource like this. The video is embedded below.

A more general point can also be made about learning. Browning and his fellow scambaiters have amassed tremendous knowledge about scammers and how to stop them. They did this without the support of any big business. The People’s Call Center was a slight exception to this rule because it was backed by sponsorship from Nomorobo, vendors of a consumer app that identifies and blocks nuisance calls and text messages. Law enforcement agencies, telcos and other businesses talk about the immense cost of fraud to society but they do not typically fund intelligence-gathering exercises like these. Imagine if they did. Why spend billions on establishing the foundations of a multinational and multi-year strategy to trace illegal calls between countries like the USA and India when these scambaiters have shown how to gather valuable and actionable intelligence about scammers today? Why rely on the public to notify the authorities of scam calls when the scambaiters have demonstrated how to subvert the systems used by scammers so they can identify and stop scams as they occur? The scambaiters are digital vigilantes. Vigilantism becomes popular when the rest of society shows itself unwilling or incapable of maintaining order. Instead of relying on vigilantes, both law enforcement and the telecoms industry should learn from and co-opt the methods pioneered by the vigilantes.

One reason not to emulate the scambaiter’s approach is the same as the reason Browning covers his face: it may not be legal. But if that is the case then the law is at fault. We expect law enforcement agencies to bug phones and hack computers when necessary to fight serious crime. Police already have a penchant for gathering lots of telecoms data and are often willing to find workarounds for laws which are meant to protect individuals from unwarranted surveillance. Scammers abuse systems to commit crimes. We needlessly tie ourselves in knots if we insist we must create new systems to trace scam calls back to their origin but refuse to use other methods to gather evidence by infiltrating existing technology. If Nomorobo can finance an operation like the people’s call center for a week just to advertise their product then imagine what could be learned and accomplished if telecoms industry resources were pooled for the collective investigation of scam call centers all the year round.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.