For the past two years, my personal cell phone, and now my work phone, have been rendered nearly unusable by call centers and robocallers taking advantage of security holes in Signaling System 7 (SS7), the signaling protocol that underpins the telephone network and Caller ID, and in Voice over IP (VoIP), which lets computers place calls into that network.
These calls spoof the Caller ID identifier to indicate they are calling from either a local phone exchange, a familiar-looking phone number, or even my own phone. They call at all hours offering discounted health insurance, offering contest winnings or vacation deals, or asking to donate to fraudulent charities.
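The two spoofing patterns described above, a caller ID that matches the recipient's own area code and exchange ("neighbor spoofing") and a caller ID equal to the recipient's own number, are easy to pick out of a call log. The following is an added example, not code from the article or its author: a small triage script that parses a constructed call-detail log (the log format, the `KNOWN_CONTACTS` allow-list and every phone number in it are assumptions for illustration) and labels each call. It is written for triage, not blocking, since a legitimate local customer also shares the recipient's area code and exchange, which is exactly the point the author makes below about not sending unknown calls to voicemail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample call-detail log (not taken from the article): one call
# per line, with the caller ID as presented to the recipient and the number called.
SAMPLE_CALL_LOG = """\
2019-03-04T09:12:41 from=+13175550147 to=+13175550123
2019-03-04T09:40:07 from=+13175550123 to=+13175550123
2019-03-04T10:05:55 from=+18005550199 to=+13175550123
2019-03-04T10:31:12 from=+16065550177 to=+13175550123
2019-03-04T11:02:30 from=+13175559999 to=+13175550123
"""

# Constructed allow-list standing in for known customer and partner numbers.
KNOWN_CONTACTS: Set[str] = {"+13175559999"}

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<src>\+?\d+) to=(?P<dst>\+?\d+)$")


@dataclass
class CallRecord:
    ts: str
    src: str  # caller ID as presented (may be spoofed)
    dst: str  # number that was called


def parse_call_log(text: str) -> List[CallRecord]:
    """Parse the assumed 'ts from=... to=...' log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(CallRecord(m["ts"], m["src"], m["dst"]))
    return records


def nanp_parts(number: str) -> Optional[Tuple[str, str, str]]:
    """Split a North American number into (area code, exchange, line).

    Accepts 10 digits or 11 digits with a leading country code 1; anything else
    (international, short codes, garbage) returns None so the caller can treat it
    as unclassifiable rather than guessing.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return digits[:3], digits[3:6], digits[6:]


def classify(record: CallRecord, known: Set[str]) -> str:
    """Label one call. Allow-listed numbers win over every heuristic."""
    if record.src in known:
        return "known-contact"
    if record.src == record.dst:
        # Caller ID identical to the called number: the "my own phone" pattern.
        return "self-spoof"
    src, dst = nanp_parts(record.src), nanp_parts(record.dst)
    if src and dst and src[:2] == dst[:2]:
        # Same area code and exchange as the recipient: the "local exchange"
        # pattern. A real local caller matches too, so this is a triage hint only.
        return "neighbor-spoof"
    return "unclassified"


def triage(log_text: str, known: Set[str] = KNOWN_CONTACTS) -> List[Tuple[str, str]]:
    """Return (caller ID, label) for every parseable call in the log."""
    return [(r.src, classify(r, known)) for r in parse_call_log(log_text)]


if __name__ == "__main__":
    for src, label in triage(SAMPLE_CALL_LOG):
        print(f"{src:16} {label}")
```

Feeding real call-detail records in would mean adjusting `LINE_RE` to the carrier's or PBX's export format; the classification logic itself only needs the presented caller ID and the called number.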
The prevalence of fake charities calling to support police and firefighters was so great that we put out a notice to the entire workforce warning them of this scam.
Last year, a group of scammers was arrested in India for operating three call centers. They were calling unsuspecting people, mainly the elderly, spoofing the Washington DC phone number of the Internal Revenue Service, and threatening to arrest people if they didn’t purchase thousands of dollars in gift cards, iTunes cards, or Green Dot cards, and give them the numbers. This scam caused millions of dollars in financial losses to numerous people who were duped and put some of them in serious financial distress to the point of losing their homes.
I have numerous friends and family who have had their number spoofed to send thousands of scam messages to unsuspecting people, and who have had their personal phones inundated with phone calls as a result.
The lag with large security companies
With all the negative stigma and scams attached to using spoofed caller ID from call centers to spam and inundate people with messaging they do not want, why do large information security companies still do it?
Several times a day I get phone calls from obviously spoofed phone numbers from companies calling on behalf of large information security vendors. While I will not directly name any of them here, I can assure you that they are well-known — and in one case, a household name.
I’ve been picking up because several of these calls have numbers that look like our customers. In addition, several of them have called the main switchboard of my job, asking for me.
You can hear the numerous other people in the call center when they call. They always start off by indicating that they are calling on behalf of <Large Security Software Vendor>, and that they would like to offer me a free white paper or infographic. I always respond by asking them to take my number off of the list, and never call me again.
This is disturbing for several reasons. First, I run Information Security for a company that does business across an entire state. We have numerous locations, and also partnerships with several other health systems. There is no way that I am going to ignore all calls that I do not know, because customers call me, and I am not going to ignore them. We have team members who live in neighboring states, and so I will not ignore a call from a Kentucky, Ohio, or Illinois number, because it may be someone using their personal phone. We have residents and physicians who move here from across the US. That phone call from Michigan, New Jersey, Florida, or New York City could be one of them calling us to report something.
When you spend a lot of time interfacing with your customers and assuring them that they’ll reach a person willing to help if they suspect something bad, sending all calls to voicemail because of a few bad apples is a sure-fire way to get people to stop calling you — and stop reporting security issues.
Secondly, this shows a complete disconnect between the messaging provided by security companies, and their actual business practices. Why would I trust a company for security that utilizes the same marketing and scammer tactics we try to protect our users against? How can I present this to our senior leadership team with a straight face and tell them that this company aligns with our mission and values?
I have spoken with several large companies, including a very large vendor that has an entire Brand Protection team dedicated to stamping out this behavior. In two cases, it was resellers misusing the name. With smaller companies, numerous shady lead generation companies have taken advantage of them, and they’ve stopped contracts because of it. With several other companies, I have reported this, and would get the same calls from the same call centers, literally the next day.
Know what your marketing teams are doing
If you run a security company, you need to be very aware of what your marketing and reseller teams are doing. This does not give a good picture of your company. If you try to justify it as getting leads, you show yourself as being very short-sighted. Many of the IT and security professionals out there remember companies who are persistent spammers, and you will lose deals because of it.
I have incredible respect for many of the sales professionals I have worked with. There are many examples of consummate professionals who want nothing more than to have their customers succeed. I’ve been able to apply what I have learned from some of these professionals to do my job better, and will always make time for them. This is not about them. It’s about those who take shortcuts to get the same sales numbers. It’s about the companies and people who don’t employ the same degree of professionalism, detail, and ambassadorship.
If you’re in sales, take this lesson to heart. Please make sure your companies don’t do this. If someone even thinks phone spamming is a great idea, sit them down and explain that it turns off people and damages your brand. If you have resellers doing this, you should seriously rethink the relationship. You don’t want to be represented by shady characters who use scam techniques. Sales takes work. It takes lots of shoe leather and really hard work to maintain relationships. There is no shortcut to big $$$ that is sustainable in security.
Take it from someone who uses the sales techniques from their vendor days to sell their program to customers. If it looks even a little scammy, people stay away.
This piece was written by Mitch Parker, Executive Director of Information Security and Compliance at Indiana University Health, and Adjunct Lecturer of Health Informatics at Indiana University–Purdue University Indianapolis. Previously, he held the CISO role at Temple University Health System.