The telephony and call center “Platform as a Service” offerings (I’m talking Twilio, Amazon Connect, Plivo, etc.) have made it much easier for people to create their own custom call center applications. I’m beginning to wonder if they’ve made it too easy. I’ve just encountered my first scam built on this tech.
About two weeks ago, I started receiving automated calls every few days from an entity representing themselves as a major Canadian bank. Now, we’ve all experienced scam robocalls before. These were different. And far more dangerous, for they implemented a sophisticated IVR app to phish for answers to security questions.
A Well-Designed Scam IVR
- Used professional voice talent
- Asked me to “Press 1 for English, 2 for French”. Yes, they implemented a full multi-language IVR.
- Said, “If this is [my name], press 1”. Yes, they implemented text to speech
- Said, “To make sure that you are [my name], we need to ask you some security questions. Using the keypad, please enter your date of birth. For example, if your date of birth is August 23, 1977, enter 08231977 on your keypad”. Yes, they implemented a data capture app.
I hung up then. Although I was 99.9% sure that it was a scam, it sounded so authentic that I thought that there was a very, very small chance that it was a misguided program from the bank. I wandered into a branch, who confirmed that the last time that they called me was in 2016. So, I reported the calls to their fraud department.
Ironically, the bank’s IVR wasn’t as slick as the scam IVR. I had more trouble entering information into it to report fraud than I would have had to be defrauded.
I got another scam call today, and this time I let the “If this is [my name]” message time out. On timeout, they asked me to call back to a toll free number. Still sounding realistic. But then they said I could send mail to a post office box. Eventually their greed exceeded their smarts.
Low Barrier Will Encourage Bad Actors
Everything that they did could be built in a matter of a couple of days, tops, on Twilio. The programmer wouldn’t have to be very good to be successful. Signup requires nothing more than an email address and a credit card. And, they can take advantage of a very wide range of services to present an authentic face.
Yes, outbound calls have been misused since the invention of the telephone. These platforms make it dramatically quicker, cheaper and more effective, and as such, they will be pretty compelling for bad actors.