New Callback Scam Is Based on Misleading Voicemails

Spam blocking business Hiya claims to have identified a new type of scam call that telcos will find difficult to detect unless they update their controls. The fundamental goal of the scam is the same as that of wangiri: the fraudsters make automated calls to large numbers of victims in the hope of luring some of them into dialing back. Wangiri is often mistakenly associated with only a narrow profile of calls that ring on the target’s phone for a very short duration, so the recipient is notified of a missed call although there was never any possibility of the call being picked up. In practice, fraudsters have adopted a much wider range of ploys to trick victims into placing calls without realizing who they are dialing, such as calling busy contact centers and requesting a callback instead of waiting for the call to be connected to a human customer service representative.

The scam identified by Hiya involves fraudsters deliberately leaving a voicemail message that sounds like employees of a business being overheard as they discuss the need to contact the victim urgently. Panicked listeners may return the call believing they heard a genuine conversation that was specifically about them, although every victim hears the same recording.

The psychology behind this trick is well-known and is referred to as the Barnum effect, after showman P.T. Barnum, or the Forer effect, after psychologist Bertram Forer. The effect is most commonly demonstrated by asking individuals to rate the accuracy of descriptions of their personality that were supposedly tailored specifically to them, but which were actually generic. Test subjects usually give a high accuracy rating to the description even though it was written to be so vague that it could apply to anyone. The effect helps to explain why individuals are often impressed by the claims made by fortune tellers or astrologers. The saying “there’s a sucker born every minute” is popularly attributed to Barnum, and the effect shows how even intelligent people can be gullible. Once a victim responds to a generalized technique like this, they have identified themselves to the fraudster as suggestible, and they will then be subjected to further manipulation. A similar process is used by stage hypnotists to determine who will be invited on stage to assist them with their act.

Forer was the first psychologist to conclusively demonstrate the effect in practice by performing an experiment on his students. In 1948, Forer gave each of his students a piece of paper on which he had supposedly written a personality profile of that student, and he asked each student to rate the profile’s accuracy. The average accuracy score given by students was 4.26 out of 5, although every piece of paper had the following wording, which Forer assembled by copying phrases from horoscopes.

You have a need for other people to like and admire you, and yet you tend to be critical of yourself. While you have some personality weaknesses you are generally able to compensate for them. You have considerable unused capacity that you have not turned to your advantage. Disciplined and self-controlled on the outside, you tend to be worrisome and insecure on the inside. At times you have serious doubts as to whether you have made the right decision or done the right thing. You prefer a certain amount of change and variety and become dissatisfied when hemmed in by restrictions and limitations. You also pride yourself as an independent thinker; and do not accept others’ statements without satisfactory proof. But you have found it unwise to be too frank in revealing yourself to others. At times you are extroverted, affable, and sociable, while at other times you are introverted, wary, and reserved. Some of your aspirations tend to be rather unrealistic.

Forer’s demonstration has since become a common element of the university education of psychology students, but remains little appreciated in wider society, perhaps because people do not want to learn about common cognitive failings that they also share. It is easy to see how fraudsters with a basic understanding of psychology could translate a Forer-style script into a dialogue that individuals will treat as a conversation that specifically relates to them, even though it would fit the circumstances of most people. The victim would hence be less wary of calling back and more likely to trust the ensuing conversation with the fraudster they chose to dial.

Identifying the scam and protecting customers will be problematic for those know-it-alls who want to believe every fraud follows a predictable pattern. It cannot be identified by looking for calls that have a short duration. The fraudsters’ robocall is designed to leave a voicemail, so it will not hang up immediately after the connection is made. Some people wrongly believe that all robocalls can be identified by short duration because human recipients typically hang up quickly, but that principle does not apply when the call is forwarded to voicemail. Perhaps the best duration-based identification technique would involve looking for many voicemails of similar duration from the same source, though a canny fraudster can vary the length of the calls they make, perhaps by rotating the recordings they use or adding a random pause before hanging up. The outbound call made by the victim is a genuine call, which many telcos will want to charge for even though a fraud has been perpetrated. A scenario like this breaks many of the assumptions made by naïve fraud managers (and the even more naïve pseudo-experts who want to influence them and regulators) who claim it is easy to block fraudulent calls by looking for simple but anomalous patterns in traffic.
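The contrast between a duration rule and a behaviour rule can be made concrete on call detail records. The following is an added illustration written for this article; it is not Hiya’s detection logic and not Commsrisk’s code. The CDRs are constructed, the +1 202 555 numbers are fictional, and every field name and threshold is an assumption. The classic wangiri rule finds nothing, because a call that leaves a voicemail is not short; the second rule ignores call length altogether and instead measures what the scam needs in order to pay off, which is victims dialling the number back.

```python
"""Spotting a voicemail-callback campaign in call detail records (CDRs).

Added illustration, not Hiya's detection logic and not code from Commsrisk.
The CDRs are constructed, the +1 202 555 numbers are fictional, and every
field name and threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAMMER = "+12025550147"   # robocaller that leaves the "overheard conversation" recording
BUSINESS = "+12025550190"  # a genuine contact centre running a legitimate outbound campaign
CDRS = []                  # each record: start time, A-number, B-number, seconds, disposition
_T0 = datetime(2022, 9, 12, 9, 0, 0)


def _add(ts, a, b, secs, disp):
    CDRS.append({"ts": ts, "a": a, "b": b, "secs": secs, "disp": disp})


# Scam wave: 40 robocalls, every one landing in voicemail for 23-41 seconds
# (the fraudster varies the recording), after which 9 victims ring the number back.
for i in range(40):
    victim = f"+1202555{1000 + i:04d}"
    _add(_T0 + timedelta(seconds=7 * i), SCAMMER, victim, 23 + (3 * i) % 19, "voicemail")
    if i % 4 == 0 and i < 36:
        _add(_T0 + timedelta(hours=2, minutes=i), victim, SCAMMER, 180 + i, "answered")

# Legitimate campaign: 40 calls, mostly answered, a few voicemails, two customers call back.
for i in range(40):
    customer = f"+1202555{2000 + i:04d}"
    disp = "voicemail" if i % 10 == 0 else "answered"
    _add(_T0 + timedelta(minutes=i), BUSINESS, customer, 30 if disp == "voicemail" else 60 + 4 * i, disp)
    if i in (3, 17):
        _add(_T0 + timedelta(hours=5, minutes=i), customer, BUSINESS, 120, "answered")


def short_duration_suspects(cdrs, max_secs=5, min_calls=20, min_share=0.8):
    """The classic wangiri rule: flag A-numbers whose outbound calls are nearly all very short.
    It finds nothing here, because a call that leaves a voicemail is not short."""
    durations = defaultdict(list)
    for r in cdrs:
        durations[r["a"]].append(r["secs"])
    return {a for a, d in durations.items()
            if len(d) >= min_calls and sum(s <= max_secs for s in d) / len(d) >= min_share}


def callback_suspects(cdrs, min_calls=20, min_voicemail_share=0.7,
                      min_callback_ratio=0.15, window=timedelta(hours=24)):
    """Flag A-numbers that blast many B-numbers, mostly land in voicemail, and are then
    dialled back by an unusual share of those B-numbers within the window.
    Call length is deliberately ignored, so rotating recordings or padding with
    silence does not help the fraudster; what is measured is the victim's return call."""
    outbound = defaultdict(list)
    for r in cdrs:
        outbound[r["a"]].append(r)
    suspects = {}
    for a, recs in outbound.items():
        if len(recs) < min_calls:
            continue
        voicemail_share = sum(r["disp"] == "voicemail" for r in recs) / len(recs)
        if voicemail_share < min_voicemail_share:
            continue
        first_contact = {}  # B-number -> first time this A-number called it
        for r in recs:
            first_contact[r["b"]] = min(first_contact.get(r["b"], r["ts"]), r["ts"])
        returned = {r["a"] for r in cdrs
                    if r["b"] == a and r["a"] in first_contact
                    and first_contact[r["a"]] <= r["ts"] <= first_contact[r["a"]] + window}
        ratio = len(returned) / len(first_contact)
        if ratio >= min_callback_ratio:
            suspects[a] = {"targets": len(first_contact), "callbacks": len(returned),
                           "callback_ratio": round(ratio, 3),
                           "voicemail_share": round(voicemail_share, 3)}
    return suspects


if __name__ == "__main__":
    print("short-duration rule flags:", short_duration_suspects(CDRS) or "nothing")
    print("callback rule flags:", callback_suspects(CDRS))
```

On these records the short-duration rule flags nothing, while the callback rule flags only the robocaller (40 targets, 9 callbacks, every outbound call in voicemail). The legitimate campaign is skipped because most of its calls were answered by a person. In production the same idea would exclude number pairs with a prior calling history and would be fed by the voicemail platform’s own deposit records rather than a disposition guessed from the CDR, but the point stands: measure the callbacks, not the length of the bait.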

Hiya’s claims about this new scam also illustrate serious weaknesses with the US strategy for reducing robocalls. They stated that more than half of the scam calls they identified which followed this pattern had received a B-grade or C-grade STIR/SHAKEN attestation. A B (partial) attestation means the originating provider knows which customer placed the call but did not verify that the customer was entitled to use the calling number; a C (gateway) attestation means the provider only knows that the call entered its network from elsewhere. Neither vouches for the number displayed, yet both are signed with a US provider’s certificate, so the call passes through the validation chain as a legitimately signed call. In other words, the originators of these scam calls have successfully infiltrated the US call validation system and are using it to make their calls appear genuine even though these are the kinds of calls that most need to be blocked.
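What a B or C attestation actually says is visible in the PASSporT that travels in the SIP Identity header. The following is an added illustration, not Hiya’s code and not from the article: it builds a SHAKEN PASSporT in the shape defined by RFC 8225 and RFC 8588, then applies the checks a terminating verification service would make before deciding whether the calling number may be shown as verified. The token carries a placeholder rather than a real ES256 signature, so signature verification against the certificate at x5u, which is the first thing a real verifier does, is deliberately out of scope. The x5u URL, the origid, the 555 numbers and the 60-second freshness window are assumptions.

```python
"""Reading the attestation level out of a SHAKEN PASSporT (RFC 8225 / RFC 8588).

Added illustration, not Hiya's code and not from the article. The token is
built with a placeholder signature; signature verification (ES256 against the
certificate fetched from x5u) is out of scope. The x5u URL, origid, telephone
numbers and the 60-second freshness window are assumptions.
"""
import base64
import json
import time

ATTESTATION = {
    "A": "full: originating provider vouches for the customer and its right to use the number",
    "B": "partial: provider knows the customer but did not verify its right to use the number",
    "C": "gateway: provider only knows where the call entered its network",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_passport(orig_tn: str, dest_tn: str, attest: str, iat: int) -> str:
    """Construct a SHAKEN PASSporT with the claims a signing service would insert.
    The third segment is a placeholder, not a real ES256 signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/sp.crt"}          # assumed URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "4d5e6f70-0000-4000-8000-000000000001"}
    segs = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [_b64url(b"placeholder-signature")])


def assess(passport: str, signalled_tn: str, now=None, max_age: int = 60) -> dict:
    """Decode the token and decide whether the calling number may be shown as verified.
    Assumes the signature has already been checked (not done here)."""
    now = time.time() if now is None else now
    hdr_seg, payload_seg, _sig = passport.split(".")
    header = json.loads(_unb64url(hdr_seg))
    payload = json.loads(_unb64url(payload_seg))
    problems = []
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        problems.append("unexpected PASSporT header")
    if payload.get("orig", {}).get("tn") != signalled_tn:
        problems.append("orig.tn does not match the signalled calling number")
    if not (now - max_age <= payload.get("iat", 0) <= now + max_age):
        problems.append("iat outside the freshness window")
    attest = payload.get("attest")
    return {
        "attest": attest,
        "meaning": ATTESTATION.get(attest, "unknown attestation level"),
        # Only a clean A attestation says anything about the number itself.
        "number_verified": attest == "A" and not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    token = build_passport("+12025550147", "+12025551000", "B", int(time.time()))
    print(json.dumps(assess(token, "+12025550147"), indent=2))
```

Run as written, the B-attested token decodes cleanly, matches the signalled number and is fresh, and still comes back with `number_verified` false: a valid signature proves which provider signed the call, and only the `attest` claim says whether that provider checked the number. Any analytics engine that treats “signed” as “verified” will wave through exactly the calls Hiya describes.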

The press release from Hiya suggested that a large share of the scam calls made in the USA during 2022 exploited this new voicemail-callback technique.

According to data from Hiya’s honeypot – a collection of unallocated phone numbers owned by Hiya in order to observe and trap scammers – the scam accounted for more than 30% of all calls at its peak.

We should be wary of trusting everything said by Hiya. They seek to advertise themselves at every opportunity, issuing so many press releases that not all of them are listed on their own website. This particular press release is one of those sent out to garner media attention but not deemed worthy for inclusion on Hiya’s own site. Furthermore, they have a history of making exorbitant claims about the scale of spam. They also chose a misleading label for this particular fraud, referring to it as the ‘eavesdropping scam’. This is a poor choice of name because nobody is overhearing anything, and phone users are inordinately sensitive to the perceived risk that somebody is listening in to their private conversations. Hiya probably chose the name because they realize it will grab the attention of people worried about privacy. Nevertheless, the threat of this scam should be taken seriously, not least because it exploits well-known weaknesses in how people interpret information, and also exploits the complacency of many self-described experts in telecoms fraud.

Click on the following link to read Hiya’s press release.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.