This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog
Lots of web sites give advice for stopping telemarketeers. Some advice is good, but some is bad or just naive. For example, over at WiseGeek is advice like “registered on any government sponsored ‘do not call’ list”. Virtually all of the calls that I receive don’t bother checking the no-call lists and enrolling has done nothing to lower the volume of these undesirable calls. A few years ago, the FTC realized that the no-call lists are a complete failure and offered $50,000 to anyone who could come up with a solution.
In contrast, Erica Elson wrote some great tips over at LifeHacker: “I’m a Telemarketer. Here’s How to Get Rid of Me“. Most of her tips are very useful:
- “Don’t immediately hang up the phone.” Telemarketeers will view this as a non-response and call you back later.
- “Don’t give up mid-conversation and hang up without an explanation.” Again, this is a non-response so they will try to call you again later.
- “Don’t let the telemarketer call you back at another time.” That’s just inviting them to call you.
- “Don’t get irrationally angry at the telemarketer.” I agree with this. They are used to rejection and will mark you for a call-back just out of spite.
- “Don’t engage with the telemarketer in any way.” She says that this gives them a false hope, leading to more calls. This is good advice for most people. But personally, I disagree with this tactic.
In my experience, there are two types of telemarketers: honest and dishonest. For the honest ones, allow them to talk for a few seconds. If they pause, say something like, “I’m listening” or “Please continue”. Then at the next pause, say “Remove me from your calling list”. Not “Could you please remove me” or “I’d like to be removed”, but the more forceful “Remove me”. This way, they don’t have an optional way to interpret the request.
There’s a reason for letting them speak a little bit and not starting off the call with “Remove me…” Although they may be from a legitimate company (honest), that doesn’t mean they are not slimy. Some telemarketers hear the removal request coming and hang up before you can finish the sentence. If they don’t hear you say the full sentence then it doesn’t count. By letting them talk for a moment, it catches them off guard and guarantees that you will get the full sentence out. (They never expected you to say that out of the blue.)
For the dishonest ones, no amount of asking to be removed will make a difference. They’re not legitimate anyway.
At my office, there are two types of unsolicited phone calls that I receive often. I previously mentioned one of them: the fake IT support call. The other common calls are from people who want money to help me find more clients. For both of these types of calls, I usually try to find out who they are before playing along. I want their company name, address, and phone number. Inevitably, they will lie to me.
In my previous IT Support call example (MP3), he gave me a fake company name, fake phone number, and told me that his address “won’t be relevant” before he hung up. That was on February 2.
About a month later (March 18), I received another one of these calls (MP3). This guy was a horrible script reader — he clearly has a written paragraph that he used. Still, I pressed him for more information. Keep in mind, he’s a quiet talker and kept mumbling at the end of each sentence.
Q: “What is your name?”
A: “My name is Brad. Brad Willis[mumbled].”
Q: “What is your company?”
A: “Cyber Support. I told you at the beginning[mumbled].”
Good thing I record calls. He did not previously state his company’s name. A quick search for that company name turns up official scam warnings issued from Microsoft. There’s also a warning from Malwarebytes (one of the comments explicitly mentions “Cyber Support”) and other people had similar words of warning. Make no mistake: this is a scam. Real people who get this call should hang up by now.
Q: “What is your company’s phone number?”
A: “Company’s phone number? Right now, we are connected. I do believe we are connected and talking over the phone. Right? And you don’t have to worry about anything…”
This is a refusal to answer. A legitimate company will always give you a phone number. Since he doesn’t want to provide it, I pushed him again for this information.
Q: “No problem. What is your company’s phone number? Just in case we get disconnected and I need to call you back, or if I have problems in the future?”
Area code 201 is New Jersey. The area code and prefix (201-259) is a Verizon cellphone based in New Brunswick, New Jersey. A search for the phone number turns up other people who reported receiving unsolicited “fix your computer” calls from this same number. One of the reports even claimed to speak to “Brad” a few days before he called me.
As with this review, I asked for more information:
Q: “And where are you located?”
A: “You said you wanted the number and I gave it to you. Now you want where we are located? We are located in New York City. Anything else? Any other information you want? You want me personal number?”
A: “You want my personal number??”
Q: “Sure! You offered! Yeah!”
A: “Okay. Note down the number I am giving you. 206-239-4603.”
He didn’t give me his company’s address, but he did give me another phone number. Area code 206 is Washington State and 206-239 is a Qwest landline phone in Seattle. I doubt that this is really his phone number.
After giving me his phone numbers, he hung up on me. A real company would not have hung up. This call was definitely a scam. Personally, I’m kind of disappointed that he hung up. Since I’m playing with him, I was ready to have him fix my computer. (I was working from my Raspberry Pi and it always runs slow.)
*Ring* *Ring* Hello?
Every now and then I get calls that want to offer me government jobs. I didn’t start to get calls like this until I signed up with Dun & Bradstreet and the CAGE system back in 2010. Those two services have only led to spam and unsolicited phone calls — even though I selected every one of the “do not give out my information” options. In 2012, I explicitly tried to get removed from their lists. I know that I got removed from CAGE back in 2012 and earlier this month I think I finally got removed from Dun & Bradstreet. Yet, these unsolicited and undesirable calls keep coming…
A few days ago I received an unsolicited telephone call that asked me if I wanted to work direct with the government through a five-year no-bid contract. My “scam” radar immediately went off because the automated message never told me who was calling me.
The recording only wanted to me press “1″ to work with the government and “2″ to be added to a list. There were no other options… so I pressed “0″, hoping to speak to an operator. Instead, it just replayed the message. So I chose “1″.
The phone was quickly answered by someone named Angela. However, she mumbled her company name. “Federal Express Consulting”? “Fredricksberg Consulting”? Something like that. Entering variations of the name into Google did not identify any likely companies.
Anyway, Angela had trouble finishing sentences. She wanted “to reach the owner of… Hello?” but she didn’t name my company. In fact, she never asked who I was and she never validated that she had reached the correct number or office. Was she speaking with a decision maker or someone who just answered a ringing phone? Did she even know my company’s name?
Telemarketers follow a script. Fortunately for me, I also follow a script. My script basically says:
- If he/she did not identify their company in the first few seconds, then ask why they did not identify themselves. The FCC has requirements and one of them is that the caller must identify their name and company.
- Find out who they are: name, phone, and address. Other information is a bonus.
- Find out what they know about me. Do they know my name? My address? My company’s name? Do they know what my company does? I must not confirm anything about myself (including my name) and I must not provide them with hints. This deters them from cold-reading me and allows me to find out how they learned about me.
- Ask them about the no-call list. If they know my name or my telephone’s area code (area codes map to states), then they know what state and country I am in. There is a national do-not-call list and the Colorado no-call list. I’m registered with both of them. Telemarketers are legally required to consult with those lists before contacting me. (And if they checked with those lists, then they should never contact me.)
- Tell them to remove me from their calling lists.
My actual script is more like a decision tree. If they are taking a survey, if they sound nice, if they hesitate, etc. I have plenty of options. (As an aside: Does anyone know of any good, public system for flowcharting these decisions and option? I think having the tree public would make for a great open-source project.)
With Angela’s call, she sounded like a bored script reader. So, I followed the decision tree for aggressively handling the call. I may speak sternly, but I never yell and I never get mad. With this tactic, my questions are more important than hers, so I want her to answer every one of my questions before we move on to the next question. As a social engineering exercise, my goal is to keep her off balance by keeping her off the script. This increases the likelihood of her getting frustrated and telling me exactly what I want to know.
Q: “Why did your automated recording not identify your company name?”
A: “Uh… that’s… I would wonder about… It is a recorded message. I have to tell you the truth, and we’re calling regarding a five year GSA contract with the Federal government. And I can identify myself, which is [unclear]Fredricksburg consulting…” (back to the script)
Q: “Do you know where I am located?”
A: “As of this point, because you are right now an inbound call. Sir, our reception department has probably 50-60% of your company information in our system because you might quality for GSA.” (back to the script)
How can I be an inbound call if they called me? That’s how telemarketers work. An automated system establishes the call and then you are connected to the next available drone. Anyway, she did not answer my question.
Q: “What company do you think you have called?”
A: “Uh… okay… I see a name: Kravitz. And I don’t know if you are a consulting firm as well or if you have products or if you. Okay, I know a little more, sir. You do IT services.”
At this point, it is clear that she doesn’t know my company name, doesn’t know what I do, and grossly overestimated that “50-60%” that she knows about my company. When enrolling with D&B and CCR/SAM, you have to provide a business category. For D&B, I had entered the code for “Other IT”. For CCR, I selected “OSHA SIC code: 7379 Computer Related Services, Not Elsewhere Classified”. The information that Angela provided strongly suggests that she is working on partial information provided by D&B.
I explicitly informed her that I do not do “IT Services”. I view IT Services as something akin to system administration. I try not to provide sysadmin services to anyone except myself and my father (and that’s only because I think it’s rude to hang up on my father).
Of course, Angela used this as an excuse to get back to her script:
Well then, I can tell you how that works, sir. Businesses work with us. We are the number one in the nation for awarding GSA contracts and what we can give you is of no harm. We can give you information in how to obtain a GSA contract. Information, if you qualify for GSA, which, the requirements would be your business… you would need to be a minimum two years in business. Your products and services.
This kind of reminds me of the movie The Truman Show. At one point in the movie, Truman (played by Jim Carrey) blurts out “Who are you talking to???” Angela says that businesses work with her company. But she also says that she doesn’t know if I’m a business or what I offer… So why she still talking to me?
Also, that “minimum two years in business” sounds familiar. The calls from Dun & Bradstreet kept saying (incorrectly) that I had been in business for four years.
I thought Angela had gone on long enough, so I decided to ask more questions and take her off-script. (I like how she stutters every time she goes off-script.)
Q: “Are you aware that the number you have called is on the no-call list?”
A: “That I wouldn’t know, sir. And, uh, we we we’ve been called, we’ve been told that businesses, that you are a business, sir. You can be looked up in the yellow pages or I don’t know if you have a number that has been restricted. I don’t know.”
Angela, you just lied to me. My company isn’t listed in the yellow pages. And earlier you stated that you didn’t know if I was a business. In fact, you still haven’t told me my business’s name.
Q: “What is your company’s address?”
A: “Interest! To…”
She must have misheard me. She tried to go back on script!
Q: “Address. Street address.”
A: “Address. And why would you need our address, sir?”
Q: “So I would know who I am talking to.”
A: “Of course… The address is GSA Application Services, Tampa Road in Oldsmar, Florida.”
Bingo — this is why we keep her off-balance and stay off-script. Google finds this company name very quickly. The address is 4035 Tampa Road, Oldsmar, FL 34677. (Some records say that their address number is 4033, 3925, or 3875, but they are all on Tampa Road.) The company has two web sites, but neither returns anything (a blank page and a server not found). Also, the name “GSA Application Services” is not the same name that Angela gave me earlier (“Federal Express Consulting” or something like that). There’s a comment on yellowpages.com about this company:
Run away. The Sprecher organization, to which this shell company belongs, has a history of felony embezzlement and fraud. Research this company carefully before you give them a dime. Check the other names they use, too. GSA 1000, GSA Preview, GSA Greenville, GSA Tampa, Federal Verification, Countryside Publishing. Check the Florida Attorney General’s website for a status on the AG’s investigation into the Sprecher organization for deceptive practices.
They have similar reviews at the Ripoff Report, Complaints Board, and with the Florida Better Business Bureau.
According to the various write-ups, this company will ask me for a few thousand dollars (non-refundable) and then fail to deliver a GSA contract. Of the many names that this company has gone by, the funniest is the Lewisburg Group. According to one person (who claimed to work at the company for a short duration), this name is funny because the company owner spent several years in Federal Prison at the Lewisburg Penitentiary.
This is explicitly why it is important to know exactly who is calling you. They sound helpful. They sound like something I might be interested in. But when you push them for their contact information, they turn out to be a scam.
However… we’re only half-way through this call. And I’m not done yet.
Q: “What is your company’s phone number?”
A: “My phone number is 502-410-2779 and my name is Angela.”
That phone number is for Louisville, Kentucky. Searches for this phone number turn up lots of complaints about telemarketers pushing government contracts.
Q: “You can remove me…”
A: “I can’t. I can’t.”
Q: “Remove me from your calling list.”
A: “Sir, stay on the line until I get your number completely. I show it is 970-282. Because as I said, we are sending out recorded messages to all small businesses. You have an option to say ‘I’m interested in government contracting’ and…”
Notice the delay tactic. She says I have to stay on the line while she reads my phone number to me. Then she reads a little bit of the number and goes back to the sales script. However, she explicitly said “970″. That means she knows I am in Colorado. (Area code 970 is only found in Colorado and the prefix 282 places me in Fort Collins.)
Q: “REMOVE ME FROM YOUR CALLING LIST.”
A: “I’m about to get the last four digits. And please verify your phone number, sir. I have 970-282..”
Q: “Why do I need to verify it? I’m the person who answered the phone.”
A: “Because I have not dialed out. You are one of 20 thousand business that we are calling today. I mean, how can I verify who you are right now? Unless you speak to me and verify your company information.”
I’m glad I recorded this. She tries to make me think that I called her, but that definitely is not the case. The laws regarding telemarketers are very clear about this: if the person who answers the phone requests to be removed, then the telemarketer must remove them. This is not a debate point.
At this point, I just want to keep her off script:
Q: “If you are in the United States then you should have run that number past the no-call list. I am listed.”
A: “Sir, you know why we are calling? US Federal Government uh GSA uh…”
Q: “I am not Federal Government.”
A: “But sir, you kind of putting words in my mouth. We are not outsource and we do not want to be outsourced. We want to help US American economy. If you want to be part of it. But right now I put your number down. 970-[redacted]. And sir, it sometimes takes 48 hours sometimes before we have purged out all these numbers. I appreciate your patience and I wish you a wonderful day.”
I like how she says “US American economy” with her thick foreign accent. She tries to make me feel guilty about not participating in the economy because I want to be removed from her calling list. And who was talking about outsourcing? I can only assume that she accidentally jumped to a different part of her script.
At this point, I’ve kept her off-script. However, that won’t be enough to keep them from calling me again. Time to put the fear of Gawd in her:
Q: “This call has been recorded and will be posted online.”
A: [long pause] “Sir, really. I mean, that makes no sense. You have not. And I tell you something right now. You did something unlawful. Because you have not told me that you recorded me. You are not at liberty to record me.”
Q: “Oh sure I am! I’m in Colorado. Colorado is a one [click] call state. Hello?”
I meant to say a “one party state”, but it doesn’t matter because she hung up on me before she could hear that. As she was arguing with me, you could hear the panic in her voice. (And you can probably hear the smile on my face.) And at the very end, you can hear her under my voice saying “Thank you for your time!” *click*
Let me make this abundantly clear for every telemarketer that calls me: I will record you. As stated in 18 U.S.C. §2511(2)(d), Federal law permits recording as long as at least one party on the phone is aware that the call is being recorded. Only 12 states override the Federal law and require full-consent. The remaining 38 states — including Colorado (where I and my recording device are located) — only need one party to consent. I am in Colorado, I am on the phone, and I consent to recording these unsolicited cold-calls.
Her reaction to being recorded brings up one other issue. Her company cold-called me with a business offer. Had she known that the call was being recorded, would she have given me the same sales pitch? I caught her in a couple of lies. Would she have still lied to me if she knew she was being recorded? (This goes toward those reviews that mentioned ‘deceptive business practices’.) Then again, I’ve had plenty of telemarketers hang up immediately when I say that the call is being recorded. A legitimate offer would never be concerned about being recorded.
Here’s the entire recorded phone call: MP3. The only thing I redacted was my own phone number (you’ll hear it as a warble sound). However, I left my area code (970) since that identifies a phone in Colorado.