Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams?
An anonymous reader writes: I run the IT department for a medium-sized online retailer, and we own a set of marketing toll-free numbers that route to our VoIP system for sales. Yesterday we began receiving dozens and now hundreds of calls from non-customers claiming that we're calling out from our system and offering them $1 million in prizes and asking for their checking account details (a classic phishing scheme). After verifying that our own system wasn't compromised, we realized that someone was spoofing the Caller ID of our company on a local phone number, and then they were forwarding call-backs to their number to one of our 1-800 numbers. We contacted the registered provider of the scammer's phone number, Level3, but they haven't been able to resolve the issue yet and have left the number active (apparently one of their sub-carriers owns it). At this point, the malicious party is auto-dialing half of the phone book in the DC metro area and it's causing harm to our business reputation. Disabling our inbound 800 number isn't really possible due to the legitimate marketing traffic. Do you have any suggestions?
This is a legal matter. (Score:5, Interesting)
Re: (Score:1)
>Refer to L3's legal department, threaten to file suit against them if they won't give up the identity of the sub-carrier's customer.
And they will refer you to the Law, which prevents them from giving out that kind of information. You're going to need a court order to get that info.
>They will cough it up immediately, or you will get a nice payout for civil fraud.
No. You might be able to file a suit against whoever did the scamming, or their direct provider if you can show negligence or a Rules violation. But you probably will just end up with a large Lawyer Bill.
Re:This is a legal matter. (Score:5, Informative)
I work for a law firm and this will not work.
Threats are a dime-a-dozen and no one takes them seriously.
What works is to get an actual lawyer to compose an email that actually originates from the law firm and/or send snail mail, on law firm letterhead, explaining why the scammer is suspect and asking for clarification.
Re:This is a legal matter. (Score:5, Insightful)
Yep, a call to my corporate legal dept would be my first move in this situation. It's amazing how many situations got deescalated when we got the other party on the phone with my legal dept on the line.
Min
Re: (Score:2)
Re: (Score:3)
I think his point is that you can shortcut the inevitable ignoring of a badly worded threat if you get a well-worded threat in the first place. Given the damage that's currently being done waiting the 7 days or whatever and actually starting a lawsuit you probably don't actually want to carry out... better to get a lawyer immediately.
Re: (Score:2)
Re: (Score:2)
You guys are too aggressive.
A polite, inquisitive, probe by a lawyer, asking for simple clarification, goes a LONG way when the recipient knows damn well they don't want to be embarking on a journey that the recipient can't justify.
Re: (Score:2)
Re: (Score:2)
No.
He has an objective and it doesn't include smashing anyone's big toe with a hammer.
It's a lot cheaper to have a lawyer compose an inquiry than it is to actually file a lawsuit.
Re: (Score:2)
Re: (Score:2)
In my experience, anyone who fails to respond to a letter, won't respond to a letter signed by a lawyer.
I work in a law firm. Do you?
Re: (Score:2)
Re: (Score:2)
I was comparing our experiences.
Re: (Score:2)
Re: (Score:2)
We were comparing experiences because of your comment:
>In my experience, anyone who fails to respond to a letter, won't respond to a letter signed by a lawyer. Unless the first letter was written in crayon on toilet paper.
I am countering with my experience, which includes 18.5 years total immersion and counting, with yours which apparently is long distance in both perimeter and time.
I know what I'm talking about, and you are guessing.
I'm OK with that, but let's just be clear about it.
Re: (Score:2)
Given that you refuse to answer a clear and simple question, I can only assume it's the worst possible option.
Re: (Score:2)
Wow. My font selection reveals much.
Re: (Score:2)
Re: (Score:2)
At times, I'm a type of sitter for toilets that brings out the commenters like you.
Re: (Score:2)
Re: (Score:2)
You have not expressed any opinion or fact.
You just insult janitors and crap.
Re: (Score:2)
Re: (Score:2)
We will never get this resolved as long as we are still in high school.
Re: (Score:2)
Nah, you are a hypocritical liar who refuses to answer simple questions about his asserted qualifications, while demanding the same of others.
Re: (Score:2)
And you are a misogynistic, gender-confused, rude troll.
Re: (Score:2)
Hilarious. I'm a troll for doing *exactly* what you did. Well, that and calling you a liar when your answer was a lie.
Re: (Score:2)
You said I was a janitor and then you ask for my legal background and you call me a liar, anyway, so exactly what is your point?
Re: (Score:2)
I worked in a law firm in a legal
Re: (Score:2)
>I worked in a law firm in a legal capacity.
I applaud your decision to refrain from working in a law firm in an illegal capacity and it's fortunate that you also avoided document generation.
Re: (Score:2)
Re: (Score:2)
I certainly did not waste my time asking questions of a known liar.
Re: (Score:2)
Re: (Score:2)
In my very limited experience, companies pay a lot more attention to something a customer's lawyer says than something a customer says.
Re: (Score:2)
If they were serious, the first letter would have been from the lawyer. The second act is sue. Those that send an impotent letter of whine before the lawyer letter ensure ignoring, as they've demonstrated inability/unwillingness to follow through.
The *only* exception to that is when the letter (from you, or your lawyer) is sent certified mail
Re: (Score:2)
Re:This is a legal matter. (Score:4)
Hehe, so in this case a Slashdotter thinks you should be able to get details without a court order, but when the RIAA or MPAA wants details it's a completely different situation...
Not Copyright (Score:5, Insightful)
>Hehe, so in this case a Slashdotter thinks you should be able to get details without a court order, but when the RIAA or MPAA wants details it's a completely different situation...
Yes. Most Slashdotters recognize that the penalties for noncommercial copyright violation are ridiculously disproportional to the crime and have limited economic impact, and might support something small (like a $50 ticket that doesn't leave anyone with a criminal record or entry in any system) but will generally side with pirates against content-creators when you are looking at $10,000 per title, criminal penalties, dealing with the legal system, or really anything more than a slap on the wrist.
On the other hand, when someone is responsible for crimes that are much more universally recognized as deserving of criminalization, and as an actual pain in the ass, they are much more willing to support substantial actions against that person--and more, to preserve the reputation and business of the people being significantly harmed.
Re: (Score:2)
Sue Them or Give Up (Score:4, Insightful)
There is no technological solution. (The phone system as a whole is just so old).
There is no human solution. (The other company will not bother).
You have three options.
1. Wait until it stops and ignore it
2. Change your phone number
3. Sue Level 3 for damages (and file a police report)
In my professional (but not legal: I am not a lawyer) opinion, there is no way to resolve this sort of problem other than suing the closest legitimate business that links you to the perpetrators. Whoever is furthest downstream to the bad guys is your only target, and suing them is probably the only option. Maybe just to get a C&D, maybe punitively just in hopes of getting them to clean up their act. A police report on its own will have zero effect: the police just don't care about IT crimes on this scale.
Sue them, and as part of it file a police report. Don't even bother with any other options at this point: they are not likely to work.
(Again, not a lawyer, just an IT professional).
Re:Sue Them or Give Up (Score:5, Funny)
>There is no human solution.
Of course there's a human solution. My cousin Tony, from over there in East Jersey, he'll fix your problem right up with one visit. Your business, hey, it just needs a little protection.
Re:Sue Them or Give Up? No. Kill them. Messily. (Score:1)
Re: (Score:2)
Removal of fingers, ears, external genitalia, in approximately that order. Lots of unsubtle anal rape with a cattle prod. Come on guys - you've got professionals doing this stuff for your government. It's not rocket science (though you can use pyrotechnics, if you want to be showy). Just good old torture. And you need to communicate to the spammers to make sure that they know their children, siblings or parents are paying for their actions.
Re: (Score:2)
My last boss was one of those people who end up an IT director because they run out of operations management roles to take and IT Director is somehow a step above facilities management in the operations hierarchy.
Anyway, he worked at our local newspaper and when a major strike was planned including most of the unionized employees (from reporters to truck drivers), he happened to be on the management strike committee.
They hired a private security company and one of the "products" on offer from the company we
Re: (Score:1)
>> contractors with rolexes full of ex-special forces types
Rolodex, surely?
What's the plural of Rolodex anyway? (ROLling inDEX)
Rolodices?
Re: (Score:2)
>There is no technological solution. (The phone system as a whole is just so old).
No, it's the new part of the system that's broken. The big hole on caller ID is where VoIP enters the switched telephone network without cryptographic source identification.
When caller ID was generated by physical wires strung through the holes of a Dimond ring translator [computerculture.org] (this was ROM, 1950s style), there was no way to spoof it from outside the central office.
Re: (Score:2)
You no longer have to physically be in the CO, but you have to have the CO's permiss
Re:Sue Them or Give Up (Score:4, Interesting)
And, as far as I can tell, there isn't really much of a legal solution either.
See, the large companies who need to do callouts who got themselves some exemptions in the laws? They need to be sure that the people who call on their behalf show with their caller ID.
So the "legitimate" companies need to be able to spoof their caller ID, and they don't want it to be illegal to spoof your caller ID.
They, unfortunately, use the same kind of overseas call centers as are used in these scams. In some cases, I suspect the exact same call centers.
So, the root cause issue here is that the big players pushed for exemptions in the law, to be sure they could have whatever call center they need call out as if it was from a given number. In effect, they legalized spoofing caller ID.
That the shady players take advantage of that, and usually call from overseas locations where you'll never get the law to do anything ... well, that's the problem. But, this was predictable.
I have my cordless phone set to drop any call which is Unknown or Private, I pretty much won't answer calls from 800 numbers, and I won't answer calls from numbers I don't recognize ... because they've made call display so useless as to be something you can't trust.
I believe if it was made illegal to spoof caller ID, this could be stopped. But, the big players don't want it illegal to spoof caller ID, and they paid a lot of money for lobbyists to give them an exemption.
Unfortunately, this same exemption now exists for the people running scams.
Surprise!!
Every exemption in the Do Not Call list pretty much made the legislation toothless and useless. And this is, quite logically, the expected outcome.
Once again, the exceptionalism by businesses means the laws surrounding this are pretty much useless.
Re: (Score:2)
So you are saying you are a lawyer, and this is valid legal advice. Gotcha!
Contact the FBI (Score:5, Insightful)
I suggest you contact the FBI and work with them. Why? Obviously the criminals are asking for banking information, and I can't imagine this being used for anything other than nefarious purposes. The FBI can sting them and locate the relevant bank accounts and freeze the money (in other words, give the scammers a kick in the balls). If you both get lucky, the FBI will actually catch the criminals and jail them.
Re: (Score:2)
Re: (Score:2)
Don't be silly. The comment was too short.
How can faking a call back number be remotely legal (Score:3, Interesting)
Looking at the US today, how can providing an incorrect call back number not lead immediately to an FBI investigation?
Sure the general police don't really care because they don't understand this, but this is "interfering with the operation of computer network" (yes the phone system does count as a computer network) and the phone network is a vital civil infrastructure. We know from past things interfering with a computer network, even a small scale private one, can actually lead to very serious charges. The phone network is much more important (than some university's database accesses).
Re: (Score:2)
The same reason they don't go after people that fake the e-mail headers to be referring to legitimate domains, including the USPS and their own (fbi.gov) I get on a regular basis. There is no profit for them to investigate and it only affects small business and individuals.
Caller ID spoofing (Score:1)
Re:Caller ID spoofing (Score:5, Informative)
The problem is that there are a lot of legitimate reasons to "forge" the caller ID information. Many companies use a group of lines for outbound calls, any outbound call simply grabs the next available outbound line and uses it for the call. You don't want people calling in to those numbers though, there's no way for anyone to pick up a call on them since they don't go to an actual phone, so you set the caller ID to the correct inbound number for people to call (e.g. the company's main number, or the main sales number (that gets distributed to the next available sales agent) or whatever number matches the type of outbound call) so callbacks go to the right place. And no, the obvious solution won't work, since the correct inbound number may not be with the same provider as the outbound line, so you can't check whether the caller ID number's owned by the same entity that owns the line in use.
Re: (Score:3)
Sure, but you can verify that the ANI (originating number) belongs to a block that the customer is allowed to use. I have a PRI with two 100 blocks associated with it. I would expect that the telco would verify that the originating number I send to the switch is taken from those 200 valid numbers, if only in case someone calls 911 etc...
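The block check described in the comment above, as an added example (not code from the thread or from any carrier): a trunk-side screen that passes a presented calling number only when it falls inside a block assigned to that trunk, or is a number the customer has separately proven it controls, which is one way to allow the callback-number case raised in the parent comment. The trunk name, number blocks, the `verified_extra` list and the replace-with-default policy are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Characters a presented calling number may legitimately contain.
ALLOWED_CHARS = re.compile(r"^[\d\s().+-]+$")


def normalize(raw, country_code="1"):
    """Return the number as +E.164, or None if it is not a plausible number."""
    if not raw or not ALLOWED_CHARS.match(raw):
        return None
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        pass                                  # already carries a country code
    elif len(digits) == 10:
        digits = country_code + digits        # national format
    elif not (len(digits) == 11 and digits.startswith(country_code)):
        return None
    if digits.startswith("1"):
        # NANP: 1 + NXX + NXX + XXXX, where N is 2-9
        if len(digits) != 11 or digits[1] in "01" or digits[4] in "01":
            return None
    elif not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


@dataclass
class Trunk:
    name: str
    default_number: str                       # sent when screening fails
    blocks: list = field(default_factory=list)        # inclusive (first, last) ranges
    verified_extra: set = field(default_factory=set)  # ownership proven out of band

    def owns(self, number):
        n = int(number[1:])
        return any(int(lo[1:]) <= n <= int(hi[1:]) for lo, hi in self.blocks)


def screen(trunk, presented):
    """Decide what calling number leaves the trunk: (action, number, reason)."""
    number = normalize(presented)
    if number is None:
        return ("replace", trunk.default_number, "malformed")
    if trunk.owns(number):
        return ("pass", number, "in assigned block")
    if number in trunk.verified_extra:
        return ("pass", number, "verified callback number")
    return ("replace", trunk.default_number, "not authorised for trunk")


# Constructed sample data: two 100-number blocks plus one toll-free callback
# number hosted with another provider (all in the fictional 555-01xx range).
SAMPLE_TRUNK = Trunk(
    name="example-pri",
    default_number="+12025550100",
    blocks=[("+12025550100", "+12025550199"), ("+17035550100", "+17035550199")],
    verified_extra={"+18005550199"},
)

# Constructed presented values, including the junk forms mentioned elsewhere
# in the thread ("123-4567", "1", a row of dashes, a place name).
SAMPLE_CALLS = [
    "(202) 555-0142", "703-555-0100", "1-800-555-0199",
    "212-555-0123", "123-4567", "1", "---------------", "NEW YORK",
]


def audit(trunk, calls):
    """Screen a batch of presented numbers and return one row per call."""
    return [(raw, *screen(trunk, raw)) for raw in calls]


if __name__ == "__main__":
    for row in audit(SAMPLE_TRUNK, SAMPLE_CALLS):
        print(row)
```
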
Re: (Score:2)
>Sure, but you can verify that the ANI (originating number) belongs to a block that the customer is allowed to use.
Not sure how far you want to go with that or where it should be enforced. But it probably would have prevented a use case that I used a few months ago. When I transferred my phone number from Verizon to a VoIP provider, Verizon was taking its sweet time authorizing the port. While Verizon sat on it, my VoIP provider spoofed my Verizon number on CID so that I could at least have my outgoing calls appear to come from my correct number, and I forwarded my Verizon calls to my temporary VoIP number.
If that made
Re: (Score:2)
To me, the obvious solution is to route the calls that originate from a different provider through the provider that has the outbound line, similar to the way VPNs work.
Re: (Score:2)
Write your Congressman/Senator (Score:3)
I contacted Senator Warner's office about this, and frankly was blown off. That being said, I think we need a -law- that requires the Telcos to work out how to make Caller ID unforgeable. I've been challenged to 'show the RFCs and related standards that would support this,' but since the industry has shown no interest in solving the technical problems, I reluctantly believe that it'll take legal action (either law, regulation or legal liability) to force the issue.
On a related note, I also asked about the impact of all those CallerID violations I've filed over the years, and got no response back from that. In both cases, I was forwarded a letter from the FCC that basically quoted from their website.
Re: (Score:1)
I thought the majority of voice circuits in the US were restricted to the callerid they could display? Only certain VoIP services and carrier level interconnects would allow you to set anything you wanted?
VoIP is the whole problem (Score:3)
Traditional land lines have the caller ID information generated at the phone company's central office, based on who is paying the bill for the circuit.
Unless you're planning on hacking into their computers - it's not really changeable.
The problem lies with all the VoIP based phone systems out there. These days, there are probably more phone lines using VoIP than traditional copper lines.
The VoIP systems don't even have a way to tell emergency 911 operators what your correct address is. You're expected to pr
Re: (Score:2)
You can hang a caller ID box on your line and watch the kind of crap that comes in. Usually they try to make a "real" phone number, only it's in an area code you've never heard of. But some of them give shit like "123-4567" or just "1" or "---------------" for the phone number. Also fun are the ones that set the name to "NEW YORK" or "FLORDIA". I can just imagine Cletus from the Simpsons saying "Well gawwwawleee we've got us a call from NOO YARK!"
The insidious ones are like mentioned in TFS, where they use
Re: (Score:2)
Around here (Canada) there's a long-running scam purporting to be a local airline (WestJet)... I get a few of these calls a week on either my cellphone or the landline at work... They always spoof the caller ID with the first 6 digits of the phone number they're calling. ie: if they're calling 780-656-1234, the spoofed caller-id will be "780-656-xxxx" where "x" is random. If they're calling "250-684-1234", the spoofed caller-id will be "250-684-xxxx"... The automated recording is the same in all cases. S
Re: (Score:2)
I worked at a call center with an analog PBX and a whopping staff of fifty, with four T1's for connectivity. One day I was testing some telephony integration of the software I maintained and had the system call my cell phone. The caller ID came up with the four-digit extension of the caller. It turned out that we could set anything as the caller id number.
How did you "talk" to level 3? (Score:2)
It should have been a lawyer demanding they resolve it immediately or they are liable for fraud. They know it's illegitimate but until slapped with a lawsuit they don't give a rat's ass.
Level3 is one of the shadiest ones, they do nothing until a lawsuit is threatened.
High dollar litigation with the FCC is effective (Score:5, Informative)
In the past I have had to deal with L3 on some similar nonsensical "our abusive users are not our problem" crap. As you have already observed, they have a well refined hearing problem. First, decide how much the per call impact is to your business in your opinion. Estimate the number of calls per day and multiply by the per call rate and then by the number of days to come up with a daily and sum "rate of damages". Then have a lawyer letter drafted and sent to their legal department and make sure the letter shows that you also sent a copy of the draft to the FCC Attn: Fraud & Abuse at 445 12th Street SW, Washington, DC 20554.
In about the time it takes you to go to lunch, the problem will subside. At L3, FCC copied abuse resolution rolls down hill, pretty fast.
Stupid PSTN (Score:1)
You can't really do much of anything. The calling party number can be set to whatever the caller wants - the only technical controls to prevent this would be for ALL carriers to enforce some sort of whitelist, which they don't do.
VoIP makes this problem much worse as it is trivial to buy/steal a new "SIP trunk" account. Since the traffic is IP the source of the traffic can easily be obscured behind a VPN provider or compromised system. Even if you get Level3 to suspend the account they will likely have a ne
Turn it to your advantage (Score:2, Insightful)
You are looking at it all wrong, those people that are calling you are all potential customers of your business. Offer to them something they are looking for: satisfaction. They are calling you to complain. Sell them something, like a way to kick ass of somebody, who you can present as the guy that placed that call they are complaining about. I am sure many would give you their money for some type of a moral satisfaction. Learn to sell, life gives you a lemon, make lemonade.
Re: (Score:2)
>You are looking at it all wrong, those people that are calling you are all potential customers of your business. Offer to them something they are looking for: satisfaction. They are calling you to complain. Sell them something, like a way to kick ass of somebody, who you can present as the guy that placed that call they are complaining about. I am sure many would give you their money for some type of a moral satisfaction. Learn to sell, life gives you a lemon, make lemonade.
Scammers also sell anti-scam services. Personally, I would be even more suspicious of someone who wanted to help me and sell me something to get back at those scammers.
notifications are done (Score:3)
bring out the guns. Interim injunction with two options: Level3 disables the number and the forwarding or they're shut down, end of. Second barrel: Level3 discloses the identity of the subscriber. Third barrel: arrest warrant on the subscriber for wire fraud (in some jurisdictions this is an offence one step down from mail robbery).
Longstanding Flaw in CallerID (Score:1)
Don't fight it, use it. (Score:2, Interesting)
Contact the local police and/or the FBI, advise them that you have evidence of an identity theft ring, and provide them the information you have. They will open a case. Get the case number.
Instruct your call center that, when people call and complain, that there is a known fraudster who is spoofing caller ID records, and provide them the case number and the phone number to whoever is assigned the case.
The people who are calling you are understandably angry. Help them focus that anger on the right place b
subpoena (Score:2)
You can obtain the identity of this party with a subpoena. It is not difficult to obtain one.
Do you really have the scammer's number? (Score:3)
Follow the money (Score:2)
When someone calls your 1-800 number, you pay someone. That someone gives a cut of it to other parties. One of those parties may have picked your number for a reason. This can work in a way that is similar to the "False Answer Signalling" fraud that was so common years ago.
Update your website and move on (Score:3)
You can't be liable for their gullibility, any more than you can for the actual actions of the Nigerian scammers (or whoever they are).
An Ancient Greek said "If people speak ill of thee, act so that no-one will believe them". I'd say that's still valid.
Sue immediately (Score:2, Interesting)
Ignore nickel and dime lawyers who talk to you about "writing letters". That will accomplish nothing (except making a few bucks for useless, couch potato lawyers).
You have already been damaged so you have a tort. You should be suing immediately. Note that you do not actually need a lawyer to sue, just the cooperation of the executive officer of your company. Get a paralegal (or anybody with a brain) to find a lawsuit template and file a John Doe lawsuit with the local county court (you can always file a fe
Talk to Fraud (Score:1)
Level 3 is a large company and should have a dedicated fraud department that deals with this type of issue. Did you talk to them directly? If not I would contact them and place your complaint.
You're pretty much out of luck (Score:2)
How are these calls being redirected to you? (Score:2)
Tim,
You say these calls are being forwarded to your call center. Help me clarify how this is behaving:
A) Company XYZ (Scammer)
Buys a trunk from Level 3 and sets the CID to your 1800?
Calls everyone in DC, and they call the number on their CID
B) Company XYZ (Scammer)
Buys a trunk from Level 3 and sets the CID to one of their own numbers
Calls everyone in DC, They receive a call and forwards the
Re:Level3? (Score:5, Insightful)
Time to file complaints with Regulatory Bodies.
It's the phone provider's responsibility to ensure that the caller ID presented by numbers in their "pool" send valid information. You've notified Level3, so that's about all you can do to actually solve the problem. But getting a complaint filed will make it more likely to "light a fire" under Level 3 to block the offending sub-provider until they get their act cleaned up.
Luckily for you this is an in-country operation... when it's an offshore provider doing it you're pretty much out of luck.
As for solutions, best you can really do is put up an automated recording apologizing and advising that you're not the scammers, and encourage them to file complaints with their own providers and LEA/regulatory agencies (PSC, FCC, etc.)
Re: (Score:3)
No one gives a flying shit about this kind of thing. It is infuriating.
Re:Level3? (Score:5, Insightful)
I've got a better solution for both of you...
Put an automated message that says the following...
"If you are calling about a recent scam involving our number, please call Level 3 at..." and give the phone number to Level 3's complaint office. If they don't have a complaint office then simply give the main number. Better yet if you can, forward the call to them via a menu system. Let them deal with the fallout. Maybe they will take the hint.
Re: (Score:2)
Re: (Score:2)
>I've got a better solution for both of you...
>Put an automated message that says the following...
>"If you are calling about a recent scam involving our number, please call Level 3 at..." and give the phone number to Level 3's complaint office. If they don't have a complaint office then simply give the main number. Better yet if you can, forward the call to them via a menu system. Let them deal with the fallout. Maybe they will take the hint.
I suggest the sales department phone number. Those seem to be able to accomplish things with screeching to management and IT.
Re: (Score:2)
And what a lovely greeting that will be for their customers who *meant* to call them...
Re: (Score:2)
Completely untrue.
You've just misunderstood whose interests the regulators are there to protect.
Re: (Score:1)
How do you know where the number originated? Assigned numbers are meaningless. By buying a trunk line for your call center you can modify the CID for anything you like. This is often the case for providing a CID of your 800 DID line. Simply entering someone else's number is how this fraud originates. The fake number does not identify the caller. IF you take the call directly from a scammer, and the SIP call is completed, the SIP log can show the IP of both ends of the call if it is not routed through
Re: (Score:2)
>How do you know where the number originated?
You can spoof CLID, but not ANI. If you could spoof ANI, then nobody would ever pay for calls, other than the one grandma everyone set their billing identity to.
This is settable by the CUSTOMER. which is how this fraud is created.
Which was by design. You can spoof the CLID all you want, but not the ANI. The idea is that anyone spoofing CLID for fraud would be caught. Instead, we get police much more interested in drug charges and other victimless crimes, and nobody investigating fraud, with identifiable victims.
But it's required so that when I get two trunks, one in-onl
Re: (Score:2)
Re: (Score:2)
If they were as powerless and uninterested as you say, they wouldn't have reacted so fast.
Re: (Score:2)
Re: (Score:2)
It's a place where people used to go to borrow printed versions of websites, honey.
Re: (Score:2)
While the Rambo style vigilante response option sounds good on the surface (and don't get me wrong, my natural response would be along these lines if it were not for the legal implications) the problem is that when you do this, you are now violating the same regulations as they are and you are arguably by definition "retaliating" which stacks even more regulatory violations on your illegal response. They have a bus full of overpaid lawyers ready to swoop on you if you "attack" them. For this reason I stron
Re:Legitimate Marketing Traffic (Score:4, Informative)
The phone number of a presumably reputable business that parties would likely recognize for their Caller ID number is a social engineering trick to get around one of the roadblocks and make people subconsciously overcome one of their answers to why this is a scam. Any act at this point is damaging the brand of the business, whether they capitulate and change their number, or whether the scamming entity continues to portray themselves as the company in question.
Let's change this a little bit and put a name to these calls... What if instead of "unnamed company", it was "Google" that had someone using their corporate phone number to do these calls? What about "Amazon", or "Microsoft", or "Apple", or "Cisco", or the "FBI"? Would your opinion about "just change your phone number" be the same?
Re: (Score:2)
Re: (Score:2)
It might be wise to release a press statement warning of the scam in your points 1 and 2 and state that they are "cooperating" with regulators and authorities to catch the scammers.
I put cooperate in quotes because technically it is true as long as it is reported to them whether they act or not.
But it seems that one of the ways this works is the legitimate number being used to trick people. Well, if the news runs a story about it, that element goes away.
Re: (Score:2)
>It might be wise to release a press statement warning of the scam in your points 1 and 2 and state that they are "cooperating" with regulators and authorities to catch the scammers.
>I put cooperate in quotes because technically it is true as long as it is reported to them whether they act or not.
>But it seems that one of the ways this works is the legitimate number being used to trick people. Well, if the news runs a story about it, that element goes away.
This could actually work in your favour, as the resulting news coverage could increase your legitimate business, and put pressure on the enablers upstream to do something about it.