Unsecured External Data is for Spammers and Scammers

On the subject of spam, Privacy Bee CEO, Harry Maugans often says, “Telemarketers don’t just pick up the phone and dial random numbers.  They buy targeted lists from Data Brokers, then plug that list into their spam software and hit the big green “mass call” button.”  If your organization receives as many telemarketing calls and unsolicited emails as others, you’re probably suffering from some degree of lost productivity.  With profit margins tight in most industries, allowing spam calls and scam calls to continue is an unacceptable waste and one that you needn’t suffer.

While for the most part, telemarketing and email marketing are not illegal, they are a drag on productivity and the regulations put in place to curb egregious abuse are poorly enforced and largely ignored by unscrupulous actors.   This irritating problem by itself is not typically severe enough to compel organizations to seek a specific solution. However, when CISOs and CIOs realize the connection between spam/telemarketing and a host of other much more serious information security threats, they become much more receptive to advancing a mitigation solution.

This paper reveals the depth of the challenge posed by rampant telemarketing and spam operations.  Moreover, it will illustrate how the same factors enabling the telephone spammers are the ones enabling the telephone scammers engaged in much more damaging information systems warfare.  Lastly, the document details how investing in a solution to manage one challenge – in this case the scourge of spam/telemarketing – simultaneously reduces the risk of far more damaging consequences.  And all for a very modest cost, particularly viewed against the cost of falling victim to all manner of cyber threats.  In short, read this paper to learn how to defeat the spammers at the same time as the scammers.

The Scope of the Spam Call & Scam Call Problem

ZDNet Business News reports spam phone calls cost US small businesses half a BILLION dollars in lost productivity annually.  Many may not realize that the federal government’s Do Not Call Registry leaves businesses exempt from this regulation and vulnerable to being spammed without limit.  What’s more, VoIP and other technologies (now including AI) have made it easier and far less costly for spammers to generate tens of thousands of phone calls in just a few minutes.  The advent of AI is a boon to scammers in particular who have been using the tech to generate “deep fakes” used in phone scams.  The threat of voice deepfakes is on the rise as this illustration shows.

The Damaging Drain on Productivity

These productivity losses to spam are compounded by significant losses driven by the proliferation of telephone scams.  A 2022 report produced by the Electronic Privacy Information Center and National Consumer Law Center revealed that more than one billion scam robocalls – calls to defraud telephone subscribers – are made every month in the US.  In 2022, nearly 60 million Americans lost a collective $29 billion dollars to these scams and logged more than a million complaints to the Federal Trade Commission (FTC).

The Damage to Legitimate Phone Based Business Models

Existing solutions to the scourge of spam calls frequently have an over correcting effect on the same businesses who engage them to protect against productivity drains.  The science of detecting whether an inbound phone call is legitimate, or spam is imperfect.  It is not uncommon for spam call filtering solutions to sometimes screen out legitimate inbound business calls which results in lost business opportunities.  And in these instances, the business never even knows they missed out on a prospective sale.

In a similar vein, for legitimate businesses that rely on telesales as a key part of their business model, the use of anti-telemarketing solutions by their business prospects can severely hamper new business development efforts.  When legitimate outbound sales calls are flagged as spam or scam calls by indiscriminate anti-spam phone filters, real businesses are prevented from contacting their target prospects. 

Phone dialer systems provider, PhoneBurner, produced a survey that yielded eye-opening evidence of this depressive effect on legitimate businesses.  Their survey revealed that 78% percent of those businesses surveyed reported having to lay off workers, eliminate positions or choose to not hire new employees due to significant volumes of outbound calls incorrectly labelled as spam or scam.  53% reported the same for 10 or more positions for the same reason.  15 percent of respondents reported greater than $100k in lost revenue.  35% reported up to $30k in lost revenue and a full 81% reported some level of revenue loss.  More than half of the businesses surveyed reported a decrease in telephone call answer rates.

Despite the challenges for telephone-based businesses, nearly three in four respondents in the PhoneBurner survey still say phone call-based sales is the most effective way to do their business.

The Damage to Hiring and Staffing Efforts

With telephony and cellular phone companies investing in tech tools to screen out spam, scams and caller ID spoofing, everyone is likely acquainted with the “Spam Risk” or “Scam Likely” screen that comes up on the phone when the screening tech suspects an inbound call to be spam.   In an article published on LinkedIn by HR expert, Heather Lobeck, spam calls are hurting recruiting efforts.  These screening tools make it harder to reach candidates and reduce the efficacy of phone-based recruitment efforts.  Many staffing agencies and hiring managers rely on cold calling to recruit candidates, especially in a tight labor market.  These anti-spam call tools are not refined enough to separate the wheat from the chaff and as a result, valuable time and resources are wasted trying to reach qualified candidates who aren’t even receiving the call.  This slows time-to-fill and makes hiring more inefficient. 

The Failure of Regulatory Action

As noted earlier, the most well-known piece of governmental regulation – the Do Not Call registry – does not protect businesses from being called using auto dialers and other such practices.  The 2004 Consumer Protection Act which made it nominally illegal to send spam texts or make robocalls to US citizens, similarly, did little to help businesses.  So, in March of 2023, the Federal Communications Commission (FCC) issued new rules aimed at ridding telecom networks of unwanted communications. 

According to analysis provided by Forbes magazine the new FCC rules, “require mobile wireless carriers to block SMS and MMS messages that come from invalid, un-allocated or unused numbers—in other words, those that are most likely to be illegal. What’s notable about this is that texts would be blocked at the carrier level—they would never reach consumers’ handsets.

The new rules also address lead generation—essentially, consent to be contacted. Some businesses collect contact information and consumers’ consent to be called on behalf of merchants and other businesses. Sometimes that consent is gathered based on misleading statements.”

At the same time the FCC also dropped new rules on Robocalls aimed at compelling telephone service carriers/providers to adopt a new caller ID authentication framework.  This puts the onus on the carriers to ensure the origin point of any call is legitimate before the call reaches the phone company of the consumer receiving the call.  Additionally, the new rules require all providers to register with the FCC’s Robocall Mitigation Database and prevents downstream carriers from accepting calls from intermediary providers if they’re not included in the database.  Penalties for non-compliance can cost a provider between $2,500 and $23,700 per violation/call.

These new rules will require businesses to make some tough decisions about what phone providers they engage, and it is unclear whether enough will take action to render these new rules at all effective.

Focusing on External Data Privacy to Prevent Spam & Scam Calls

The second half of the Harry Maugans quote at the opening of this paper points toward the solution to spam calls and scam calls.  Maugans remarks, “If we delete people’s unsecured external data from Data Brokers and People Search Sites, it makes sense they’d get less telemarketing.  It’s worth noting the routine refresh of call centers from Data Brokers, percolates through the ecosystem, so it might take 3-6 months after signing up with us to see a decrease in spam, but it WILL happen.” 

This is because the vast majority of marketing “call lists” used by myriad telemarketers and sales forces are purchased from Data Brokers.  The same data is also purchased (or sometimes stolen) from Data Brokers by threat actors with more sinister objectives than selling products and services. 

To ensure your phone numbers and other contextualized personal data are not included in the lists for sale by Data Brokers, one must endeavor to remove as many of the sources of their personal data from the reach of these organizations.  Doing so involves understanding that this personal data is out in the wild and fully unsecured.  So, not only is it there for the taking by telemarketers and telephone scam actors, but it is also accessible by threat actors of all kinds.  Allowing unsecured external data to exist for your organization practically invites tele-spam, robocalls and the deleterious consequences enunciated above.  To put it succinctly, unsecured external data is not only a threat to your organization’s productivity, but its overall security.

However, as is the case with a broad array of cybersecurity objectives, unsecured external data sits at the root of many problems.  Left unaddressed, unsecured external data is the key to success for threat actors of every stripe and is the lifeblood of their activities.  Whether their goal is to steal and resell sensitive your customers’ personal data, hold your information systems ransom for extortionate purposes, dox your executives as a form of political or religious protest, engage in industrial espionage and intellectual property theft, engage in malicious mischief, or to poach your valuable employees, success is enabled by the ready availability of unsecured external data. 

It is with this reality in mind that InfoSec thought leaders are arriving at the conclusion that in order to address any of these threats, including spam & scam calls, they must address all of them.  Though spam & scam calls are probably not at the top of the list of cybersecurity concerns, these understated threats can be neutralized at the same time as all of the more pressing ones.  Working to mitigate unsecured external data is the only truly effective way to guard against data breaches and unauthorized intrusions into secured data systems.  Focusing on external data hygiene is the only effective method of ensuring executives and other key employees are protected against doxing and other physical threats – particularly in controversial fields such as politics, religious advocacies, reproductive care and many others.  External data privacy management is key to preventing intellectual property theft and other forms of industrial espionage. 

The vast majority of cybercrime occurring today is propelled by Social Engineering schemes like Phishing, SMShing, Business Email Compromise and others.  The availability of unsecured external data from legitimate sources like Data Brokers and People Search Sites – as well as from illegal sources such as the Dark Web – is what makes the epidemic of cybercrime a reality.

Depriving these sources of the personally identifiable information of your organization, its employees and the employees of any third-party vendors is the only truly effective means for drastically reducing risk of scam and spam call activity.  Doing so has the added benefit of reducing the risk of all the other threats facing information systems at the same time and for one affordable price. 

To illustrate how this strategy is effective, Privacy Bee for Business applies a zoomed out view of the entire cybersecurity ecosystem.  In a white paper titled, “CyberSecurity Isn’t Enough – The Information Security Ecosystem Dies Without External Data Privacy” a graphical representation is provided illustrating the totality of what must be accomplished to achieve strong, functional security for any business organization.  This includes protection from the productivity drains of spam calls and the risks associated with losses from scam calls. 

The innermost, lightest blue circle graphic shows the legacy strategies, already widely adopted by most organizations, including hardened physical security protocols.  This is the segment wherein traditional telephone-based spam call filters reside.  Other physical security protocols like password protection on workstations and business machines, governance policies restricting the use of portable and external media/hardware, physical plant security like key card access to office locations, surveillance cameras and so forth are in this segment as well.

The middle circle, in darker blue, represents the more cloud-based cybersecurity protocols that are industry standard for InfoSec programs.  Common cybersecurity best practices include hardening endpoint security, data encryption, password protocols, vendor risk management (VRM), identity access management (IAM) firewalls, spam filters, antivirus scans and employee cybersecurity trainings.  

Where contemporary practices begin to fail is in the outermost, darkest blue circle in this graphic.  This is the area Privacy Bee refers to as “External Data Privacy” or EDP.  Physical security and cybersecurity measures are, by definition, inwardly focused.  That is, these strategies are designed to keep prying eyes from accessing data that is behind the walls of the fortress.  They are designed to prevent spam calls or scam calls from reaching their intended target.  Yet, most today’s data breaches aren’t the result of bad actors successfully penetrating these defenses via brute force attacks.  And the scourge of robocalls and telephone scams are enabled by the same failure to address external data privacy.

So, What Can Be Done to Solve the Spam & Scam Call Challenge?

Any business case presented to key stakeholders in pursuit of budgetary approval for a new product or service to bolster cybersecurity must show strong ROI potential.  It must also explain how the value of the proposed purchase is felt by the greatest number of departments across the organization.  If finding a way to reduce or eliminate telemarketing and spam is the task you’re assigned, then take the opportunity to be a hero by illustrating that, not only have you found a highly effective and low-cost solution to this problem, but one that also adds significant layers of protection for the entire information security apparatus of your organization.

Privacy Bee for Business is proven to reclaim the sunk productivity costs – an average of $5,469 per employee per year – lost to sales harassment.  It also boosts employee wellness by reducing the stress on your talent who can spend their time on core activities and not suffering from a never-ending stream of spam emails, telemarketing calls, text messages and junk mail.   These benefits alone provide a compelling business case for the Privacy Bee solution. 

However, add to these benefits the reduction of HR poaching, the dramatic drop in risk of costly data breaches, the increased protection against doxing and physical attacks on executives and the value proposition becomes undeniable.  Especially because each of these different benefits do not require activation of different solution modules to achieve.  The ongoing practice of external data privacy management accomplishes all these goals simultaneously and for one, affordable fixed price.

To help build your business case, here are some resources you can tap to educate key stakeholders on the manifold benefits of engaging Privacy Bee for Business to stop spam and scam calls:

More About How Privacy Bee for Business Stops Employee Churn and HR Poaching

More About How Privacy Bee for Business Stops Doxing and Protects Executive Security

More About How Privacy Bee for Business Guards Against Industrial Espionage and IP Theft

And last but not least, this document provides a rigorously researched and detailed methodology for calculating the return on investment into the Privacy Bee for Business solution that includes every benefit to be gained.   More About How to Calculate the ROI Into External Data Privacy Management Solutions.