Ask HN: Extremely brazen phone scammer – what to do?

22 points by aerosmile ↗ HN
I am writing this mostly to evaluate a potential startup idea. Would love to know if there's anything that can be done for people experiencing this, even if it costs money and takes time. I would pay quite a bit not to have to change my number, and I imagine there are quite a few people out there in the same situation.

I received a call from an obvious scammer (something about my social security number being stolen, etc), and in their recording they didn't provide an option to be put on a no-call list which has happened in other cases. The only option I was given was to dial "1" to talk to one of their agents. I dialed 2, and was instantly greeted by someone who had an almost accent-free English but was on a poor phone connection. He said "hello," and I said "would you please remove me from your list." He said he'll do that if I paid him $2k. I declined and said I need to be removed or I'll contact the police. At that point, he reiterated his offer, but added that he'll call me every single minute until I give in. I responded that I am not falling for this and that I'll file a police report, at which point he started using foul language and told me "that I am f*cked."

What surprised me about the call was the rudeness. I was expecting someone on the other line hoping that they are not going to get themselves in trouble and politely apologizing for calling the wrong person. Instead, the person I talked to was clearly convinced that they cannot get caught. Given the digital nature of our world, I am a bit surprised that's the case if you come across a sufficiently motivated person.

29 comments

[ 2.9 ms ] story [ 51.6 ms ] thread
I've had something similar happen. If there was a startup tackling this problem, I would certainly want to know about it!
I imagine that the $2k price point is not entirely arbitrary - people seem to be going for that price point. I know I certainly would, and the only reason why I am not paying the scammer directly is because I doubt they would keep their word.
Forgot to mention - the calls did pick up in frequency so it seems like he did keep his word.
How interesting - is he calling from a new number each time?
You don't need a new number persay.

With current infrastructure, a caller can say they are any number they want because the network trusts clients to report themselves accurately.

I suspect paying them would just mark you as easy money and they would harass you more.

It's an interesting DDoS, if an attacker sends a lot of requests to a website, there are solutions against it, but what about a lot of calls to a number?

Sounds like a job for Lenny: https://www.vice.com/en/article/d3b7na/the-story-of-lenny-th...

However I know your plight; I decided to escalate things with one of those "extended vehicle warranty" companies who swore up and down they removed my number, and said "We haven't been calling you". My caller ID on the device and records from my carrier proved this to be a lie-as the meme goes.

I calmmly asked for a mailing address for their offices so I could send them proof they had been calling (I wasn't about, but I wanted to see if they would) and that's when the asinine threats and pretend legal jargon began.

the person went on ramblig for a good 2 minutes it felt like.

"So what's that mailing address?"

They hung up on me.

Haven't gotten a call since.

I had started something similar but never found product-market fit.

My pitch was more about having multiple phone numbers and having a filter where it would only allow certain phone numbers to ring your actual phone. The idea was that you would give out a phone number, like you would give the number out but it would redirect to your real number without revealing it to the caller.

Once you are done with the throwaway number, you close the number and you no longer receive calls from people who had that number.

The big issue with my idea is that these telemarketers and other phone ner-do-wells aren't sourcing numbers. They are blindly dialing numbers along with spoofing the incoming number so it appears local.

It isn't possible to eliminate these calls by never giving out your actual phone number because your phone number is a string of 10 numbers that can be narrowed even further by knowing what area codes are in service, then narrowing even further I think on a closed set of the first three as well.

Ever notice how if you pick up a scam call, they don't immediately pick up, it takes 5 - 10s? Yeah, that's because the machine keeps dialing until it gets a signal that the call was picked up so it connects you to the caller.

I designed a technical solution to this last year and ran it as a business called CallStop for a while, see: https://news.ycombinator.com/item?id=22211791

Here's the problem with the business side: If you want to code in extra rules around PINs, requests, whitelisting, you need to route the carrier traffic through a service like Twilio, which is really expensive and cuts down on the margins of the business hard. When you combine that with Apple's margin and taxes, it's a really tight margin I found (even at 6.99$/month). If rerouted traffic could be much, much cheaper there could be a business there -- but there's always a threat Apple will just copy those features. I did get some paying customers though who really liked it.

There's also whitelisting on iOS, might that be enough for your use case? Otherwise there are plenty of blacklist/blocking services.

Yeah, I agree on the margin point.

I started my service on Twilio with the idea that the apps didn't go far enough and were too inflexible.

My plans were $9 and $29 but even then, my margins were 10 - 20% which is just absurd for a pretty high-touch + risky product. Near the end, I was wanting to pivot from utility to 'replace your current phone service' and providing data makes it incredibly expensive when compared to other providers due to not having the volume to get reduced pricing.

If I had to do it right, I would get VC and become an MVNO and position it as a 21st-century phone company ("Why can't I text on my computer?", "why can't I have multiple numbers", etc).

I still have a large amount of node server code that is a permission system for phone numbers. If you ever get serious about the idea and want to reach me, email is in profile.
I think, but maybe I'm imagining it, but all these scammers use internet phone numbers from services which have abuse departments. You would need to identify the origin and get them to shut down he numbers.
Regarding all the stories about this, with number spoofing and whatnot:

With all this surveillance and tracking going on everywhere at every level, are telecom companies seriously not able to see where someone is calling from??

The intuitive answer is - of course! But, as someone pointed out elsewhere, the technology stack really is 150 years old.
They have never cared because there’s no profit in solving this problem.
Of course there is, ever ran an enterprise PBX and had to pay your telco for toll fraud after an extension and DID pair gets pwned? This still happens even in VoIP and SIP stacks.

Seen it first hand, one month, normal billing. Next month, $44,000k in fraudulent calls to and from Cape Town over an enterprise trunk thanks to a poorly configured ATA.

Define "where someone is calling from". If the call is carried via VoIP, then all the phone company knows is who the VoIP provider is. The VoIP provider may know what account it is, but not who that is. Tracking it down to an actual human you can jail (or even sue) may not be easy.
"Not easy, but technically possible" is a very fertile ground for a startup.
They don't care about getting caught, there is no penalty. Your police can't do anything, and the feds don't care enough to start an extradition preceding over someone spoofing a US number to scam you - if they can identify them in the first place!

The solution to phone scams is SHAKEN/STIR (1). It will hopefully be rolled out next year. This is legal and social more than technical, despite the "digital" nature of the world our phone networks are built on a 150 year old tech stack where it used to be too expensive to call someone in a different country to scam them.

(1) https://docs.fcc.gov/public/attachments/DOC-362932A1.pdf

There is a drawback, since there are legitimate uses for spoofing numbers. But journalists can purchase burners and service providers who enable trivial spoofing shouldn't be shielded from secondary liability.

This is the correct answer, except it won’t be rolled out next year in any meaningful way.

The FCC created a broad exemption for providers that have taken other “reasonable steps” to reduce robocalls, which is self-certified. Providers and device manufacturers are complying with this requirement by allowing users to block known bad phone numbers and showing some special UI when an incoming call is authenticated.

Scammer dragged you into his turf and thrown dirt on you until you basically give up.

You cannot communicate scammers into doing what you want.

The solution is to auto-send all callers not in your address book into voicemail.

The only solution to phone scams is some sort of government oversight and enforcement, possibily delegating part of responsibility to providers for allowing criminal behaviors to take place. Basically KYC for telecoms or charge people extra for making un-auth phone calls.

This will make scams very expensive and turn them into losing business proposition.

We receive daily scam calls; sometimes five a day.

Each time I take up as much of their time as I can. This is time they cannot use to scam little old ladies out of thier pensions and retirement.

Until the governments decide they care enough to sanction India, these calls will not stop.

Write your representatives and media demanding solutions.

When you've had enough on a call, ask them "does your mother know what you are doing? Would she like it?"
Recently I ask them cheerfully: Hey, nice to hear from you, how's business, did you scam a lot of people today?
Me too. I wish I had more time to waste their time. Often I will just answer and set the phone down. When I have time to play, I have a fake name, real VIN of some car, a home for sale in Phoenix, a credit card that passes a luhn test, etc. And if they need to call me back, I have a Twilio honeypot number that fowards to http://www.jollyrogertelephone.com.

I am not Kitboga, but I enjoy wasting their time.

Sometimes they start the stream of profanity as soon as I answer, I guess we have met on a prior call.