From 'Spoofing' To 'Swatting,' Experts Say Results Of Thwarting Scam Calls Mixed

Mar 13, 2018

Last Tuesday, the Internal Revenue Service said people were being being bilked out of money by criminals pretending to be from the tax collection agency. Two days later, I received a phone call that my provider said was probably spam. They left a message saying they were from the IRS and I was in big trouble.


“(After 24 hours), you will be taken into custody by the local cops as there are four serious allegations pressed against your name at this moment,” said the automated voice in broken English.

Roughly 2.4 billion robocalls are made to U.S. consumers each month, according to the Federal Communications Commission. Many are fraudulent, made by people spoofing their number to disguise who they are, and sometimes impersonating others. Spoofing is when a caller uses an app or program to alter their identity on caller identification.

Credit Paul Flahive

“So you can appear to be calling from the White House, the IRS unfortunately, the FBI,” said Matthew Perry, special agent in charge of Cyber Crime at the Federal Bureau of Investigations in San Antonio. “Unfortunately, there’s not a lot that can be done about it right now.”

Financial gain is the main motivator, Perry said. When robocalls originate in the U.S., law enforcement have a better chance of tracking them down. Overwhelmingly, these calls come from overseas, Perry said.

Law enforcement have also been targeted. For years they’ve been dealing with “swatting,” which is when someone calls the police, often with a spoofed number, to report a violent crime at someone else’s house. Special Weapons And Tactics teams are often deployed.

In a video from 2015, a woman in her 20s, playing the popular multiplayer game “Black Ops 2,” complains about her bad luck to her online spectators, as her avatar is slain.

A loud knocking comes from the door.

A few moments later off camera, shouts are heard.

“Sheriff’s department, get on the ground,” yells a police officer off camera. Seconds later, rifles and torsos are seen, as police check the house.

A handful of times the prank has resulted in tragedy. On Dec. 29, a California man called into Wichita, Kansas, emergency services. He told the operator he had shot his father, who was dead, and he was holding his mother and brother hostage.

“They were arguing, and I shot him in the head and he’s not breathing anymore,” he said.

Andrew Finch, 28, the man that actually lived at the house was shot by authorities, who were expecting a hostage situation. Finch’s family has sued the Wichita police, and the man responsible for the prank was caught and will be extradited to Kansas.

Attempts to thwart spoofed calls have been mixed. The FCC proposed new rules in December to allow phone companies to block suspected calls. Several smartphone apps exist to help people identify scams, and crowd-sourcing of user data has led to warnings — like the one I got — warning users about suspect calls.

But the deluge continues.

“Because it’s computer operated, you can place a lot of different calls with the same spoofed number and have that occur in very large scale,” said Lee Sutterfield, CEO of Secure Logix, a data security firm specializing in phone technology.

The San Antonio company has worked in the field for years, receiving several government grants — most recently from the U.S. Department of Homeland Security — to research solutions like better call authentication.

The data to create reliable call authentication is spread across old and new phone networks in a labyrinth of places, Sutterfield said, and aggregating that data is key.

“How do you pull that together very rapidly, within milliseconds,” he said, “one or two seconds at most?”

His company provides color-coded reliability ratings — red, yellow and green — for customers, which are mostly bank call centers. The different ratings get routed to agents of different skill levels. Banks are constantly battling spoofed numbers, he said.

A results of last year’s Equifax data breach — which resulted in more than 140 million American’s data was exposed — were some banks, along with the IRS, have increased screening, but even Sutterfield’s bank uses a phone number as one form of multi-part authorization.

“The first words out of their mouths still is, ‘Mr. Sutterfield, I see you are calling from an authorized phone number. How can I help you?’ ” he said.

Paul Flahive can be reached at paul@tpr.org or on Twitter @paulflahive