Anyone with a telephone (wireless, wired or otherwise) should be now accustomed to our modern culture where you are getting calls from scammers. Many times, these are automatic dialers that will call you and play a message, usually in a synthesized voice. These calls will sometimes claim to come from Social Security or from Internal Revenue Services. They will threaten you with an arrest warrant or like the one that I got the other day, cancel my social security number.
The thing is, they will give you a phone number to call back on and in an increasing number of cases, that number is the same one that comes up on caller ID. Many scammers use "neighbor spoofing" where they get a number in your local exchange in order to try to fool you into thinking that the call is coming from your local area.
Since they are giving a number to call back and assuming that the number they give in the message is valid (otherwise, why would they call you), that means that some company has provided that phone number to facilitate the scam.
Voice over IP (VoIP) providers offer Direct Inward Dialing (DID) numbers to their customers in association with their transport services. VoIP service usually has two elements, the transport portion which may be a flat rate with a possible limit on the number of free minutes or a measured rate where you are billed for all minutes used. The second piece is the DID number or numbers that you may use. DID numbers provide anyone with the ability to have a local number in any rate center (exchange) in the country, no matter where they are. In the old days, we called that a foreign exchange and in California, we used to have to pay $6.40 per mile to bring dial tone from a "foreign" central office to your location. These days, you can get DID numbers for less than $1/per month each.
For someone to set up a scammer service, it's pretty easy. It could be done using a system that is capable of programmatically originating outgoing calls, such as software like Asterisk and FreePBX. For incoming calls, the same software could be used to direct the incoming calls to the scammer. The software could exist in the cloud in some overseas datacenter. The DID numbers are routed to that equipment from the participating VoIP provider.
These DID numbers are usually purchased by VOIP providers, sometimes with additional middlemen in the way from competitive local exchange carriers (CLEC) who obtain blocks of telephone numbers pursuant to the North American Numbering Plan (NANP). Let's take a typical DID number such as the main Washington, DC phone number for REC Networks, 202 621-2355. A check of the Local Exchange Routing Guide (LERG) data, which can be viewed by the public through sites like localcallingguide.com shows that 202-621 is a "pooled" prefix and that different blocks of a thousand numbers belong to different providers:
- 0000~0999: Level3 Communications
- 1000~2999: US LEC of Virginia, LLC
- 3000~4999: Omnipoint Communications CAP Operations, LLC
- 5000~5999: Broadview Networks, Inc.
- 6000~9999: Comcast Phone of DC, LLC
Since our number is "2355", this means that the original CLEC is US LEC of Virginia. It is very likely that they are allowing another company resell their spare number inventory which has provided it to our VoIP provider, who in turn resold it to REC on a retail level.
Currently, in a different world, if your organization receives a large number of spam e-mails or abuse to a server such as a Denial of Service (DDoS) attack, you may, in some cases, get the actual IP address that is originating the offending traffic. With that IP address (a group of 4 numbers, like 11.22.33.44), you can use one of many "WHOIS" tools to look up the name of the provider. Once you do that, you can determine how to reach the provider to report the abuse (unless it is coming from somewhere like Russia or China, where the providers don't really care). You may not receive the actual end user's identity (such as a subscriber to internet service nor the name of the university student who's dorm room is assigned to that IP), but you will have something deeper to go on.
This raises the question, why can't we have something like this for DID numbers? If I get an abusive phone call (and I consider IRS(vcs) scam calls that make threats to be abusive), why can't I look up somewhere to get a more focused view of what provider that DID number is associated with? Sure, you could use the CLEC that hosts the prefix and block, but there is usually two if not more levels underneath them.
The United States is one of the most liberal countries in the world where it comes to DID numbers. In some countries, such as Japan and Singapore, you have to provide ID in order to verify your identity. It allows their governments to register the names of end users of the phone numbers. In other places such as Ireland and other places in the European Union (with the notable exception of the UK), in order to get a local DID number, you have to show other evidence that you are actually physically located in the exchange that you are trying to get a number in. You do this through showing an ID with that address on it or through another utility bill, etc.
I am not advocating that the US government start registering end users of DID numbers, but I do feel that there needs to be registration of DID numbers at the final provider level and that there are methods of being able to contact the final provider. Would this mean a small (less than 10ยข per month) regulatory fee for each DID number to maintain this database? Sure, no problem.
The bottom line is that our North American Numbering Plan resource is being abused by the scammers and there is no accountability by the providers that are knowingly or unknowingly providing these scammers with the DID numbers that they use to profit off of Americans, especially seniors. While the FCC seems to be taking some actions on "robocalls", I do not feel they are doing enough to go directly after scammers who are abusing the use of US DID numbers.
We need a "whois"-like database for retail providers of DID numbers and we need to hold those retail and wholesale providers more accountable for not reacting to DIDs used by scammers.
