They’re going phishin’ — and your money is the prize.

Have you noticed an increase in the number of suspicious phone calls in the last year? Yes, me too. A few years ago, the only wrong numbers that came to my home phone were for the local cleaners or credit union, which have phone numbers very similar to mine. But in the past few years, it seems that about 75% of the calls to my home phone are either trying to sell me an alarm system, telling me my credit card payment is past due, or that I can be easily approved for Social Security Disability payments — even if I’m not disabled!

What’s going on?

The huge increase in scamming and phishing phone calls — attempts to fraudulently get access to your personal and financial information — is possible because of calling software using an automated technique called “war dialing.”

What is war dialing?

Telephone scammers use computer programs connected to automatic dialers to cycle through every single number possible in a particular phone exchange. For instance, they will begin dialing xxx-324-0000, xxx-324-0001, xxx-324-0002, and so on to xxx-324-9999. (“xxx” stands for the area code.) Then they start on xxx-325-0000.

The calls are made in blocks of about 10 at a time. The software knows that only about 2 or 3 of the 10 calls will be answered, and the call center is set up so that those 2 or 3 can be handled by available employees (or sometimes, by recordings). The other 7 or 8 phone numbers may not be active, may be busy, or may just go unanswered.

Assuming that 10 numbers are called and allowed to ring 10 times in a row, the entire block of xxx-324 numbers can be called in about 17 minutes. This means that one computer in one call center can call almost 85,000 numbers per day.

And the call centers have multiple computers running at the same time.

Number spoofing

Another feature of the war dialing software is the ability to spoof the number for your Caller ID. That’s why Caller ID can say the call is from Bank of America or Progressive Life Insurance when in fact it’s originating from a phishing factory somewhere halfway around the world.

Some of the software is even programmed to spoof a number in your own local area. You might be more likely to pick up the phone to answer an unrecognized local number instead of one from Bank of America, if you don’t bank there.
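If you run a block of numbers yourself (an office phone system, for instance), the sequential dialing and spoofed Caller ID described above show up in the call log as a run of ascending dialed numbers arriving within seconds of each other. The following is an added example, not part of the original article: a Python check that flags such sweeps by the dialed number alone. The record layout, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time received, Caller ID shown, number dialed).
SAMPLE_CDRS = [
    ("2024-03-01 09:12:40", "555-867-1200", "555-324-4410"),  # ordinary call
    ("2024-03-01 10:00:01", "555-324-9001", "555-324-0100"),
    ("2024-03-01 10:00:01", "555-324-9002", "555-324-0101"),
    ("2024-03-01 10:00:02", "555-324-9003", "555-324-0102"),
    ("2024-03-01 10:00:02", "555-324-9004", "555-324-0104"),
    ("2024-03-01 10:00:03", "555-324-9005", "555-324-0105"),
    ("2024-03-01 10:00:03", "555-324-9006", "555-324-0106"),
    ("2024-03-01 11:30:15", "555-867-1200", "555-324-0033"),  # ordinary call
    ("2024-03-01 14:05:09", "555-412-7765", "555-324-2218"),  # ordinary call
]

def parse(record):
    """Split a record into (timestamp, 6-digit exchange, 4-digit line as int)."""
    when, _caller_id, dialed = record  # Caller ID is ignored: it can be spoofed
    digits = "".join(ch for ch in dialed if ch.isdigit())
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), digits[:6], int(digits[6:])

def find_sweeps(records, min_run=5, max_step=3, max_gap=timedelta(seconds=90)):
    """Return (exchange, first_line, last_line, calls) for each ascending sweep.
    max_step tolerates numbers in the range that are not ours and so never
    appear in our log; max_gap is the longest pause allowed inside one sweep.
    """
    by_exchange = defaultdict(list)
    for record in records:
        when, exchange, line = parse(record)
        by_exchange[exchange].append((when, line))

    sweeps = []
    for exchange, calls in by_exchange.items():
        calls.sort()  # by time, then line number for calls in the same second
        run = [calls[0]]
        for prev, cur in zip(calls, calls[1:]):
            if 0 < cur[1] - prev[1] <= max_step and cur[0] - prev[0] <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                sweeps.append((exchange, run[0][1], run[-1][1], len(run)))
            run = [cur]
        if len(run) >= min_run:
            sweeps.append((exchange, run[0][1], run[-1][1], len(run)))
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_CDRS))
```

On the sample data, the six calls to lines 0100 through 0106 are reported as one sweep even though each shows a different Caller ID, while the three ordinary calls are left alone.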

What happens when you answer the call?

If you’ve received any of these calls, you might have picked up the phone, said “Hello,” and found that no one was on the other end of the line. Maybe you waited a couple of seconds for a recording to kick in, heard nothing, and hung up.

This can mean one of two things. Either you answered the phone and no call center employee was available at that moment, or it was a sniffing search — the software was simply recording which numbers are live, so as to eliminate inactive numbers for the second round of calling.

Why the “Do Not Call” Registry doesn’t work

At some point, you probably registered your phone number with the National Do Not Call Registry and expected that to take care of unwanted solicitation calls. But you’re still getting calls for medical alert devices, home alarm systems, and more. Why doesn’t the government do something about it?

Basically, the Do Not Call registry applies to US companies and entities. These phishing and scam phone calls often originate outside the US — and outside the laws of the US. The call centers also change phone numbers and tracing data frequently, so that they are constantly ahead of law enforcement.

It’s a plague that doesn’t look like stopping any time soon.

How to Protect Yourself

1. If you don’t recognize the number, don’t answer the phone. This is especially true for numbers that show up on Caller ID without a name (maybe it just says “Houston, TX” on the Caller ID), or from a company that you know you don’t do business with (“Chase Bank” when your accounts are all with Regions).

If you don’t answer the phone, the war-dialing software sorts your number into a “call at another time” category. If the first call came during the business day, those numbers will be called again in the evening, at a time when you are expected to be at home.

If you don’t answer the phone the second time, your number will be sorted into a “try once more, but not a likely number” bucket. And if you keep not answering, eventually your number will be marked as “not an active number.”

2. If you have a VOIP phone (through your internet connection or cell phone service), you probably have an online control panel. You can log into your account, find the number, and tell the system to “always answer this number with a busy signal” or even “answer this number with a disconnected notice.” You can also blacklist the number on many systems.

You may have the ability to block numbers on your phone itself, or through your account. It’s certainly not going to hurt if you block it, but remember that the scammers can spoof a new, unblocked number very easily. Watch for that.

3. If you do answer and find it’s a scammer, say nothing. Just hang up. Don’t ask to have your number removed; don’t press 2 to remove your number from their list (or whatever the recorded instructions say). You’ve just identified your number as being live, and more calls will result as the scammers sell your number to other scammers.

4. You might answer the call but find that you aren’t sure if it’s legitimate. For instance, if your information was stolen in one of the recent credit card breaches, you may get a call supposedly from your bank asking whether you’ve received your new card, and if so, can you verify that you received it. (To verify the card, of course, you have to give them the full number, expiration date, and the 3-digit code on the back. Which gives them all they need to clone your new card and sell it.)

If you receive such a call, tell the person that you will call back using the phone number on the card itself. They may ask you to call back on a particular 800 number. (Any guesses where that 800 number actually goes to?) Hang up. Call the number on your card and ask whether the bank has tried to contact you.

5. In general, never give out any information unless you make the call to a number you know is the real number for the business you are trying to reach.

6. You can also check the number with a quick online search. Several websites compile reports filed about suspicious phone numbers. If you check the number and find that several people have reported that the calls were from scam and phishing companies, you’ll know to block that one and to watch out for similar numbers in the near future.

Should you report them?

In my opinion, it won’t hurt to report them, but it probably won’t do much good either. Since the numbers change so quickly and most of the call centers are outside the US, they are essentially immune to fines and prosecution.

Bottom line

There really isn’t any way to stop fraudulent phone calls other than not having a phone. Since that’s not a reasonable answer for most people, we have to be vigilant about which calls we receive and what information we give out.

  • Don’t answer calls from numbers you don’t recognize.
  • Block the number or tell your system to answer “disconnected” if you can.
  • If you do answer and find it’s a scammer/phisher, hang up without saying anything.
  • If you aren’t sure, check the number with an online search. Or look up the number for the company that said it was calling and call them back to confirm.

In the immortal words of Sgt. Phil Esterhaus: “Let’s be careful out there.”