It’s a scene from a modern-day horror movie: The call is coming from inside the house.
But it’s not just any call. It’s from you.
This played out one recent Wednesday evening when my iPhone’s caller ID flashed my own phone number, along with a picture of my face. It was a robocall using spoofing technology to pretend it was calling from my own number.
I picked up and tried to sound menacing: “Can I help you?”
It was an automated pre-recorded message from “Microsoft” claiming my computer license was expiring. Knowing the drill, I wasn’t surprised to hear I had 24 hours to respond before going to jail.
I get more scam calls than actual calls — after all, nearly 30% of all calls made each day are robocalls — but a call from my own number was a new one for me.
Yet some experts warn this is just a mild taste of bigger dangers to come: a world where you receive robocalls calls from numbers you recognize and the person on the other end sounds like someone you know.
Spoofing, a form of robo-calling, is increasingly common. It’s when someone makes a call from a voice-over-IP service, such as Skype, and are able to enter a host number. While a carrier must provide a number when a call is made from a cell phone or landline, any number sequence can be entered via a VoIP service, whether it’s a made up number, a number in your address book, or one from the White House. It’s so easy, anyone could do it.
Because a scammer knows you’re more likely to pick up if you recognize the caller, they might enter a number they think is in your address book. They could even one day use voice manipulation technology to impersonate that person. (Think deepfakes for robocalls).
Tarun Wadhwa, founder of tech advisory firm Day One Insights, argues that it’s easy for strangers to find out who is close to you and what their personal details are from social media or other websites. Years of large-scale data breaches have exposed millions of people’s phone numbers, addresses, passwords and credit card information online, making it easier for them to be pulled into a scheme.
“It’s going to be like Photoshop — something so easy, widespread, and well known that we stop tracking how it’s being used against people personally and don’t find it surprising,” said Wadhwa, who’s spent years studying issues related to identity, forgery technologies and cybersecurity.
Wadhwa worries this type of forgery technologies could also ruin relationships and reputations.
“I can easily imagine situations in which these sorts of voice-mimicry technologies are used to sow confusion, extort people and make fraud and scams far more precise,” he said.
Last year, Google showed off its AI-powered Duplex assistant that showed how a person could make dinner reservations over the phone without knowing the receptionist wasn’t a person. The technology, which sounded alarmingly realistic and could keep the conversation going with the caller, caused a stir. Critics are concerned it’ll be hard for the average person to differentiate who’s real and not on the phone, blurring the line between automated and authentic conversations.
But Alex Quilici, CEO of robocall-prevention app YouMail, said it will take substantial work on the scammer’s end to make this happen.
“Building a fake computer voice right now is a decent amount of work,” Quilici said. “If I wanted to build one that sounded like you, for example, I’d need to get a ton of samples of you saying specific phonemes, and train a computer model on that.”
He argues easier, yet still sophisticated, spoofing might entail getting a call from a friend’s number saying they’re in jail and you need to bail them out. Or it could mean a call from your child’s number from someone pretending to be a doctor, asking you to come to the hospital — only to be burglarized when you’re out.
These concerns come at a time when robocalls are more rampant than ever and fewer people are picking up calls from unknown numbers. Americans received 26.3 billion robocalls last year — a 46% surge from 2017 — and this March alone set a new monthly record with 5.23 billion robocalls, according to data from YouMail. Meanwhile, the Federal Communications Commission says unwanted calls are the biggest consumer complaint made to the agency each year. (It received 7.1 million complaints about robocalls in 2017).
I typically don’t answer calls from unknown numbers, but the one from myself was hard to resist. According to Quilici, even just picking up the phone may be a mistake. Answering a robocall lets scammers know my number is active and that I am willing to pick up.
“Spoofing is becoming more and more common as scammers try to call with numbers that are less likely to be blocked,” he said. “You’re not blocking your own number, and you are more likely to answer numbers that look local.”
The FCC’s efforts to crack down on robocalls have been slow moving. In November 2018, FCC Chairman Ajit Pai sent letters to carriers, including Verizon, AT&T and T-Mobile, to encourage them to embrace a caller authentication framework.
“Combating illegal robocalls is our top consumer priority at the FCC,” Pai said in a statement. “That’s why we need call authentication to become a reality — it’s the best way to ensure that consumers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones.”
The telecom industry is working on a tool called Stir/Shaken to identify and trace spoofing efforts could have the biggest potential to curb robocalls. AT&T, Comcast and Verizon have already completed tests, and other providers have pledged to embrace Stir/Shaken by the end of 2019. (AT&T owns CNN’s parent company, WarnerMedia.)
But because it involves massive crossover — a person using an AT&T wireless phone will need to be verified when they call a Comcast landline — it’s a challenging technical undertaking. Some experts like Wadhwa worry the solutions could be somewhat obsolete by the time they hit the market.
In the meantime, robo-blocking apps like YouMail can play an out-of-service message when a known robo-number comes in. The message makes it seem like your number is disconnected, so scammers won’t call you back. Meanwhile, carriers like Verizon, AT&T and T-Mobile offer free-to-download apps that auto-block these types of calls. For a monthly charge of several dollars, the apps can reverse lookup the caller.
Robocalling scammers rely on cheap technology that works on a large scale, but new schemes could get smarter and pose an even bigger threat in the future.
“If we don’t get a hold on this, I believe we’ll look back on robocalls as a much easier problem to deal with than what’s coming down the pipeline,” Wadhwa said.