One of the most unedifying aspects of the campaign to reduce nuisance robocalls is the extent to which governments, regulators and big businesses would like to implement automated monitoring of every phone call but can only justify their proposals using vague back-of-an-envelope estimates of the number of illegal calls they would ultimately block. Knowing how many calls will be blocked is important because it contrasts with the number of legal calls they also intend to gather data about, and what they intend to do with all of that data. Calculating the number of bad calls does not require advanced mathematics; it just needs a bank of machines connected to a range of phone lines, gathering data about unsolicited calls in the knowledge that we can safely extrapolate if we obtain a decently-sized sample. Whilst many a lawyer was lawyering, and many a salesman was bullshitting about anti-robocall products and services, a small team from North Carolina State University (NCSU), aided by Bandwidth, took responsibility for collecting the objective data that US authorities should use to inform their anti-robocall strategy. (Other countries should just copy the work done by NCSU.)
Commsrisk has previously covered the prize-winning results the NCSU team obtained using a robocall honeypot, including the oft-neglected fact that some scammers intentionally target minority language speakers. But you can only learn so much by analyzing prosaic data like the A-number presented and the duration of a recorded message. To really understand if a call is legal or illegal, somebody needs to listen to its content. Or rather, something needs to listen, because it would be prohibitively expensive to employ people to gather this data, and members of the public will never provide objectively reliable measures of calls that are illegal, as opposed to the many US calls which are annoying but legal. Thankfully, the same NCSU team has stepped up again, devising a new method that automatically listens and categorizes unsolicited robocalls.
In a paper entitled “Diving into Robocall Content with SnorCall”, the NCSU team of Sathvik Prasad, Trevor Dunlap, Alexander Ross, and Bradley Reaves presents their ‘SnorCall’ technology and the results it generated when applied to a sample of 232,723 robocalls collected over a 23-month period. As they explain in the preface to their paper:
Among many other findings, SnorCall enables us to obtain first estimates on how prevalent different scam and legitimate robocall topics are, determine which organizations are referenced in these calls, estimate the average amounts solicited in scam calls, identify shared infrastructure between campaigns, and monitor the rise and fall of election-related political calls. As a result, we demonstrate how regulators, carriers, anti-robocall product vendors, and researchers can use SnorCall to obtain powerful and accurate analyses of robocall content and trends that can lead to better defenses.
‘SnorCall’ is a play on the name of Snorkel, the semi-supervised machine learning model that provided the technological foundation for NCSU’s work. Snorkel was used to construct a system that can listen to calls and sort them into categories like ‘social security scam’, ‘tech support scam’, or ‘political robocall’ with an accuracy of greater than 90 percent. Here are just five of the important conclusions reached by applying SnorCall to a large sample of real calls.
Automated Analysis Delivers a More Nuanced Breakdown of Every Type of Scam
SnorCall uncovered a new variant of Social Security scam calls where the callers were impersonating Social Security disability advisors. These calls seem well-intended and non-intimidating. The caller establishes a sense of prior commitment to persuade the target to respond using a false sense of authority.
A more precise breakdown of scam types would help with protecting vulnerable groups. Instead of gassing about everybody being at risk, the authorities should reach out to specific groups who are being targeted and who are most at risk.
SnorCall Can Tell Which Organizations Are Most Often Impersonated
We find that the volume of Amazon tech support scam calls are multiple orders of magnitude greater than well-known Windows tech support scams.
Interestingly, there were also numerous calls impersonating wireless cellular carriers — AT&T (38 campaigns, 301 calls), T-Mobile (2 campaigns, 6 calls), and Verizon (6 campaigns, 14 calls).
It makes sense to identify which organizations are being impersonated. These organization can then advise customers and users about the ways in which they identify themselves when making a call. They can also be guided to eliminate any weaknesses in their existing methods to help the public distinguish between calls from fake and real organizations.
A Lot of US Robocalls Are Made by US Politicians
We identified 1,226 (4.86%) political robocall campaigns consisting of 11,727 (5.18%) calls during our study period.
When American politicians launch into a tirade against robocalls it is worth remembering they are upset because they face competition for the public’s attention. If people stop picking up calls from unknown numbers, it means the politicians cannot get through either. So whilst US politicians insist that a lot of money must be spent on reducing the menace of robocalls, their primary objective is to free up time and space so they can more successfully hound the public. And it is legal for them to make these calls because they passed laws that exempt them from rules that apply to everyone else.
Over 70 Percent of US Robocalls Include a Specific Call-to-Action
We found that 81.52% (20,549) of all campaigns had at least one task. Each task is represented as a tuple of verb phrase and an object, eg. “(press, one), (visit, us)”… However, some of these tuples… are not necessarily a valid call-to-action or instruction to the call recipient in the context of a robocall, eg. (‘forget’, ‘everything’)… During manual analysis, we… identified 131 unique verbs that indicate a call-to-action within a robocall. 72.79% (18,348) campaigns used one of the 131 verbs as a call-to-action.
Scams accomplish nothing unless they fool the victim into doing something. An automated analysis of what a scammer is trying to get the victim to do allows resources to be efficiently focused on crime prevention.
We Could Reduce Crime by Rapidly Reacting to the Phone Numbers Scammers Tell Victims to Call
The most common call-to-action asks victims to make a telephone call to a number which has been read to them. So if we know the number the scammers want victims to call, why are we not blocking those numbers immediately? The simple answer is that we are finding out about these numbers too late to make any difference.
Callback numbers tend to be short-lived, with a median lifespan of 8 days.
Some readers may now wonder why it is necessary to record the phone number spoken during a robocall when we could just focus on the spoofed CLI. It is wrong to assume the CLI presented to the recipient will be a match for the number that fraudsters want their victims to call.
Among the calls with a callback number, only 4.23% of them matched the respective asserted caller ID. While legitimate reasons may exist for using different caller ID and callback numbers, it can be cause for concern. 59% of callback numbers were toll-free, allowing the recipient to call with no charge. The owners of toll-free numbers incur the cost for such calls. We speculate that legitimate campaigns are willing to take the cost burden away from the caller, while potentially malicious robocallers are willing to incur the cost of owning toll-free numbers to pose as legitimate entities.
Imagine an ongoing program of work where a large honeypot is used to identify the callback numbers being used by fraudsters. If that number is known, rapid action can be taken to verify what happens when a victim calls it, to determine who has control of that number and where they got it from, and to block all calls to that number. It can be done. It would not even be that costly compared to the insane amounts that the USA has spent on STIR/SHAKEN. But such a scheme cannot be realized in the USA at present, because it breaks all the current preconceptions about how consumer protection should work and who should be effecting it in practice.
I expect the USA will never make proper use of the brilliant work done by these NCSU researchers. But if you are employed by a regulator in another country, I recommend you get in touch with the NCSU team and speak to them about implementing SnorCall. Stopping every bad call would require a herculean effort, and represents a threat to privacy because of the extent to which centralized authorities want to monitor and analyze how everybody uses their phone. Blocking the numbers that fraudsters want their victims to call could be accomplished far more readily, and would not affect anyone’s privacy if a honeypot is used to gather the data.
“Diving into Robocall Content with SnorCall” was accepted by this year’s USENIX Security Symposium and can be found here.



