Voice Spam Will Soon Be as Bad as Email Spam

When I was in my 20’s, I ditched my landline and went mobile-only. When I was in my 40’s, I ditched my television aerial and went internet-only. Before I reach my 60’s, I intend to ditch my voice service and switch to data-only. However many fraudulent and spammy voice calls you receive today, I predict the abuse of voice communications associated with traditional phone numbers will grow much worse in the next two decades. These are the reasons why.

  • Abuse of a service grows exponentially as the cost of that service nears zero.
  • The permanent increase in home working will mean greater reliance on telecommunications whilst further blurring the distinction between work and personal numbers.
  • Improved and cheaper technology will make it easy for spammers to construct personalized messages using synthetic voices. This will be followed by mass market products offering the voice equivalent of interactive chatbots.
  • The technological trend in electronic crime is always from big simple indiscriminate repetitive scams to targeted attacks on individuals that exploit personal data obtained from breaches.
  • The mitigations for voice spam currently being developed and deployed will not deter criminals from continuing to invest in the development of their own methods.
  • I was right about ditching my landline and my television aerial so I do not need to wait to see how the majority behaves to determine the significance of a trend.

There are only two forces that might prevent me switching to exclusively using over-the-top voice.

  • Services provided by government and businesses are becoming over-reliant on telephone numbers for personal identification due to inadequate investment in better alternatives.
  • Communications providers may make it unnecessarily expensive to acquire a data-only service that I can use wherever I am.

There may be some countries, such as China, where centralized authoritarian control of networks could greatly impede the proliferation of voice spam by effectively monitoring the behavior of both sides of every domestic voice call. The Chinese approach involves harsh penalties for anyone who fails to provide their real identity whilst using a voice or internet service. However, all nations struggle with calls that begin outside their borders because they are reliant on other authorities to stem the origination or transit of unwanted calls. All the short-term thinking about the ultra-expensive STIR/SHAKEN anti-spoofing technology deployed in the USA cannot disguise that it is fundamentally unsuited to handling international calls unless the program is extended by creating cross-border centralized authorities that are trusted to monitor calls from the originating country to the destination country. In other words, the USA will flounder by relying on an approach that requires centralized oversight whilst trying to maintain the appearance of respecting the privacy of phone users. Few Americans have yet grasped the risks of creating another mechanism that could be used to track who calls whom, but foreign governments are unlikely to be blasé about the implications.

Whilst centralized monitoring struggles to make progress because of disagreements about who gets to do the central monitoring, too much focus will remain on the crude techniques used to identify crude crimes, such as associating very short unanswered calls with wangiri, or noticing unusually high spikes in traffic. Governments, regulators and some members of the public may be fooled into associating a rise in the number of blocked calls with success in tackling spam whilst ignoring the more pertinent statistics on the number of unwanted calls that continue to be connected. Even more importantly, it will be easy to ignore the extent to which there will be a change in the quality of crime aimed at a smaller number of people who are targeted because of their wealth or importance. Consider the distinction between phishing ruses that become the subject of warnings circulated by law enforcement and news media and the spearphishing attacks which are aimed at specific business executives, government functionaries, administrators in political parties, wealthy individuals and staff with privileged access to secure systems.

What should strike industry leaders are the similarities between the methods being contemplated to curb voice spam and those which have already been explored in relation to email spam and the abuse of the internet more generally. The current discussion amongst voice carriers is moribund, bogged down by platitudes which circle a few important but vaguely elaborated concepts: collaboration, standardization, enforcement, the extent to which control is centrally coordinated and effected, the degree of reliance on intelligent filtering which is implemented in isolation by each business and individual that receives communications, the question of whether it is pragmatic for regulators to focus on big businesses that handle the most traffic, and so on. People may say there is a need for the comms industry to work together at a global level, but their next sentence will be dedicated to repeating a statement issued by lawyers working for a regulator, even though it is clear that those lawyers are desperate for technical and business-oriented professionals to fill the gaps in the regulatory plan. Instead of learning from history, the comms industry is mostly repeating it.

Perhaps some employees of telcos work for such big businesses that they have lost sight of how bad email spam really is. As somebody who runs a small nonprofit organization that has to deal with many different kinds of business, I remain acutely aware of how many spam messages defeat all of the controls put in their path, and how many genuine messages are incorrectly blocked by filters. Error rates remain significant even though computers are much better at parsing and interpreting text than listening to voices. Some parties appear to be willfully overconfident about the use of machine learning to mitigate voice spam, but the most excellent machine learning cannot overcome the limitations created by having very little data to analyze in the first place. This will only get worse when fraudsters start using artificial intelligence to better mimic human behaviors.

Here is an excellent example of real email spam:

Hi [name redacted],

Last week I emailed about ‘how to retain and generate revenue’ using email marketing. This week our handout discusses email content and how to engage with your audience.

I’m David Hazzard – Co-founder of ZoomMail Email Marketing. ZoomMail is a UK company with over 20 years experience in email marketing. We have UK telephone and video chat to help you get the most out of email marketing.

This week, my team has created a factsheet on an “Email Marketing Content Strategy” and how email marketing can generate leads from existing and prospect lists. Included in the factsheet are

Analysis of our most successful customers
Audience list engagement and retention
Examples and analysis of 7 different emails

To download the free factsheet click here.

We’d love to catch up and find out what you are doing with your email marketing. If you fancy a chat with one of the ZoomMail team reply to this email or schedule a call, by clicking the calendar link here.

The most telling aspect of this spam message is that it was sent to an email account that does not exist. David Hazzard (if that is his real name) and countless others have obtained a list of addresses compiled by somebody who took the name of one important person and assumed they must have an email address at the domain used by my nonprofit, the Risk & Assurance Group. I can still see these messages by virtue of a ‘catch all’ logic for any incorrectly addressed email sent to RAG’s domain. Somebody somewhere looked at the RAG website, identified the name of somebody who is likely to have control of a big budget, and jumped to the conclusion that they must have an email address at RAG because their name is on the website. As a consequence, that non-existent email address is routinely targeted by a large number of businesses who should be ashamed of how they market risk services to telcos, plus many other chancers like David Hazzard.

You might be amazed at how the services of many legitimate businesses are sold by scumbag intermediaries that send spam like this. Want to place an advert on the website of the Guardian newspaper? RAG has been spammed with offers sent to non-existent employees. Fancy purchasing a VIP box at a major sporting event? RAG is inundated with offers, also received at addresses that nobody has ever used to send a single message. If something can be resold, or somebody can earn a commission by making a sale, then it is safe to assume spam will be used to sell it. A lot of that spam will be sent to email addresses that were invented by the people who sell lists of emails to other salesmen.

If this is what happens to email addresses that do not exist, imagine what is about to happen to the telephone numbers of individuals like the person who was the intended target of David Hazzard’s email. That is why I prefer to have an email signature that only shows my phone number as an image file instead of text. However, our brain-dead industry is currently responding to demands from a US regulator that requires thousands of telcos to provide a contact name and a telephone number for staff that deal with spam, only for those names and phone numbers to be copied to a database that the regulator offered as a downloadable file from their web page. They later realized their foolishness and started limiting how the database could be queried, but if the phone numbers that were made available for download are routinely spammed by robocallers then it would be the punishment the entire telecoms industry deserves for being so complacent.

You might ask yourself why anyone should listen to the opinions of a grumbling old man who is nearer the end of his career than its beginning. No telco will lose a lot of money by losing me as a customer, and no regulator loses sleep over what I think. But when I cut the cord on my landline, I was just slightly ahead of many others who later did the same thing. When I dispensed with my aerial, I was just slightly ahead of many who are now switching to online streaming as their only source of television. It will not be long before a large section of the population decide they would rather not have a telephone number. The slow rate of progress with mitigating spam calls will be overtaken by the rapid decline of dialed voice services. So instead of debating how to mitigate robocalls, maybe you should already be planning for the greater strategic risk posed by the imminent death of telephone numbers.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.