I worked on countering phone scams and robocalls at the Federal Communications Commission for over a year. This operation was a big win and an impressive international collaboration.
That said, the robocall problem is getting worse, not better. Robocall volume is at an all-time high: https://robocallindex.com/
In many respects, the problem of telephone spam today is similar to the problem of email spam in the early 2000s. Litigating against spammers had limited efficacy, so the community developed blacklists, better filtering, and stronger authentication (SPF, DKIM, and DMARC).
Until the major carriers get serious about similar steps, especially filtering and authentication (i.e. SHAKEN and STIR), these fraudulent calls won't stop. And, in the interim, vulnerable populations will continue to be disproportionately victimized.
I think the problem has gotten so serious that the traditional voice-based phone system is pretty much unusable. I don't even bother to answer the phone. Instead I have a voice mail message that tells people to send a text message instead. I can't be the only one who does something like this or has some other system in place to not have to deal with robocalls/scam callers.
Job seekers and those with medically needy relatives are among those who cannot tolerate any false positive especially if calls are entirely rejected and cannot even leave a voicemail.
TMobile has 2 levels of it. One just labels the Caller ID for those suspected numbers as "Scam Likely". An additional feature (which OP is referring to) blocks the calls automatically.
I hope it works... it's kinda terrifying that getting no scam calls for 2 days is significant!
I have a test/dev phone that I used for a project several years ago with an associated ph#. I forgot about it (don't think about the charges accrued 8^) for several years, but just charged it and turned it on.
It's a number that was never used or answered for 3 years and it gets several scam calls a day. They must be calling every valid number.
Does this work for the sweepstakes type scams where they try to induce the elderly send money for a fabulous prize they supposedly won? Just curious in general how they ID a scam?
Email spam became tractable on the end user side with domain and IP address risk scoring. Caller IDs are so easily spoofable it's like open relay email servers of the past.
I never get any robocalls. I do get robots when I initiate the call though (which is very annoying). Then again, we got privacy and telemarketing laws here.
The world could have such a wider set of solutions to many problems on the internet if there were just a good system of micropayments. Any idea why the US government or some other government does not create such a system? If people not in my contact list were immediately sent to voicemail and charged 10 cents to leave me a message, spam would basically go away. Similar for email spam. One can dream.
Its into supplying its citizens with a useful currency. Micropayments of dollars is just usefully currency online. Seems like microdollars would be a natural monopoly, ideal for the US government to produce.
I have do not disturb turned on always, but my contacts are exempt, so for people I know it will ring. If I get a call from a non contact they can leave a voicemail. But most of the time it's a robocall. Not having to deal with my phone ringing all the time has been a big improvement.
My wife gets a call every day about how she is being sued..... every day a new nasty VM.
I'm talking to random scammers more now because I'm looking for a job and I feel like I have to answer the phone even if I don't recognize the number. Man it is annoying.
The workaround I used for this was Google Voice. I put the Google Voice number on my resume and in settings told it to use my own GV number as the caller id. If I saw a call coming from the GV number I knew it was a response to my resume. For some reason my GV number doesn’t attract scammers.
Pretty much this. With the current tech stack in telcos, the only way anything can change is if they're put in a "you're responsible for this call, unless you can point to who sent this call" situation. While the receiving / forwarding party can't validate the originating number, they can always point at the telco that sent the call in. Repeat until you find a company / person to fine.
Then it has an international caller id. Most people get so few international calls that they will quickly figure out that it can't be real. If it had a locale caller id it is obviously spoofed because otherwise the call wouldn't have come in from the foreign telco.
Once someone does this, legitimate telephone companies elsewhere will become interested as well, and may "play nice" so long as local laws allow it.
> If it had a locale caller id it is obviously spoofed because otherwise the call wouldn't have come in from the foreign telco.
That is not correct. You can send legitimate calls with spoofed caller id between different countries. Many providers will let you do that. (as in, you can assign a caller id from country A to a call originating from country B to A)
I'm saying that those become automatically illegitimate and Country A should reject them. The only exception is IF the telco in country B agrees to assume legal responsibility in country A.
Problems are international calls are already in a technically deficient state. e.g. caller IDs are not sent properly and a generic dummy is sent. Telco 1 uses Telco 2 to connect to Telco 3 which finally terminates on Telco 4's network and rings the phone.
There are literally treaties that govern phone traffic that would have to be updated. Most telcos are a monopoly or oligopoly and don't care about customer dissatisfaction. It's not like there's a substitute to the PSTN ready to go. Are you going to tell all of your contacts you are only reachable through Skype/Hangouts/Facetime? Cutting off a spammy foreign telco would also hurt revenue.
Frankly, the definition of telecom fraud should include corporations ripping off their customers not just petty criminals getting free calls.
But there are plenty of ways for my phone company to verify that it was my phone. (they might verify a clone of my sim, but that is a different problem that they already have to handle)
It costs a lot more internationally, so I'm not sure how much of a problem it really is. While many people would hate this, the same rule could be applied with "if you're forwarding international connections, you're responsible". Bad interconnects would probably drop immediately with a moderate amount of chaos, while legit foreign partners are found who can filter traffic on their end.
My service provider offers <$0.01/min. calls to many countries.
I have a hunch that no telco wants to entirely block a foreign telco because they would lose money and because of the ensuing chaos.
Robocall friendly service providers intentionally mix robocalls with legitimate traffic to avoid terms of service enforcement. e.g. Robocalls are laundered by splitting across n carriers so spam (identified by bad ASR/ACD stats) stays below each carrier's threshold. https://news.ycombinator.com/item?id=12339739
Since you have expertise, maybe you can explain why this seems to happen in the US only, while SS7 (which many commenters mention as the culprit) is used all over the world.
I live in Europe, but do not receive robocalls at all (zero), while when I enter the US, and put in my US SIM, I immediately start getting multiple per day.
> Most taxpayers in the UK are taxed at source and so do not need to complete a Self Assessment Tax Return. ‘Taxed at source’ means that the money you receive has already had tax taken off, such as the wages you get from your employer when paid under the Pay As You Earn (PAYE) system, or UK bank interest taxed at source.
Later versions of Android really help with the 'spam call' filtering, though I've noticed that callers tend to just recycle through nonsense caller IDs and/or unknown numbers (which is really annoying if you have clients phoning you from unknown numbers).
At one point I was getting 10+ a day, which seems to have calmed down now. Everything from tax scams, to PPI, to car accidents.
How do you filter spam calls in Android? I keep getting calls where my screen turns red and it warns that the call is spam. I'd love to stop having my phone ring and stop getting all the voicemails.
There's a difference between speaking English and expecting a local call to be in English. Sure they could have the conversion, but trying to do a tax scam on a Dutch person in English has ~0% chance of succeeding.
As I understand it, in Europe to register for a phone number you have to give some identifying info to the telecom so they know who the number is registered with. In the US, however, you can get phone numbers anonymously.
Get rich quick and clawing over others to get to the top is also relatively prevalent in poorer countries, those with great wealth/income inequality, and societies undergoing rapid economic transformation.
It's part legal enforcement and part culture. There are dishonest individuals in every country.
They are illegal in the US and often originate abroad, anyway, so legality under the law of the target country (or the source country, as most are illegal where they originate, too) doesn't seem to be a controlling factor.
Although no law will prevents all scams, some European governments do have much stricter laws on when you can "cold call" period. In Germany, for instance, thanks to legislation passed a decade ago, I believe the customer needs to grant explicit permission in order for a business to be able to cold call, and no telemarketer can impersonate your phone number -- https://www.thelocal.de/20090804/21021.
It would be interesting to see if there is a correlation with these sorts of laws, and the prevalence of phone scams.
My experience was that the major carriers had little economic incentive to invest in improving telephone service, which they viewed as a legacy line of business. They were focused on selling data plans, building their networks, and entering new markets (especially online services and advertising).
Spam calls are actually a cash cow. Uses your minutes and Verizon also makes money selling a subscription spam blocking service that would be worthless without the annoying calls:
The receiving provider usually gets paid to terminate the call.
It may only be a fraction of a cent per minute, but these are the same telecoms that will gladly send you a bill every month because you owe them 1 cent.
In the past, cellular network operators earned revenue based off minutes sold. That's why voicemail has very verbose instructions that are read to you every single time. It's a way of inflating average call duration and thus revenue.
These days with unmetered calling, the receiving telco still makes some money off incoming calls through termination charges.
If they truly aren't interested in it, that'd be great, they could just stop, open up to become dumb data pipes and create a market of competitive third-party service for the telephony part.
And there are insufficient dis-incentives. There are no competitors who offer a superior spam filtering solution and market it.
If carriers became financially liable for robocalls by a government mandated date, e.g. 2020, they would find a solution. Even if was as simple as not getting paid to carry spam traffic (as opposed to an EU level % of global revenue fine).
Another trivial solution would be to offer some sort of voice CAPTCHA for phones - get asked question and provide answer in order to connect. Someone on here posted awhile back that they implemented their own and said it completely eliminated robocalls.
I have done this. I have my own VoIP system. One of my DIDs picks up and is a recording of me saying "I'm screening my calls for telemarketers and scams. enter code 5300 any time to be connected to $myname". If 5300 is entered, it dials out to the DID for my cellphone and transfers the call. No code, or no action, call goes nowhere.
You can fairly easily make the code whatever you want or make it a multi step process.
Yes, costs average less than $6 a month. Wholesale SIP termination and origination is remarkably cheap if you are dealing with the US48 states and Canada.
I believe I'm at something like 6/10ths of 1 cent per minute.
$6 a month is more than a fair price for me to eliminate robocalls; I receive about 5-10 on average in any given day.
The collateral damage are systems that have you mark your place in line and call you back. It seems like these could be manually whitelisted though with some ingenuity.
If I remember correctly from the conversation I mentioned above: this is only implementable yourself with a VOIP solution and not an actual phone line?
I really recommend against introducing analog anything into a modern VoIP system in 2018. Better to port your landline's DID to a VoIP service and route it from there. If you need a physical landline looking phone, good quality sip desk phones are $50 (assuming you don't care about huge color screens).
Definitely. End-to-end digital is best for fidelity and reliability. Running your own PBX is another point of failure for a service most people expect very high uptime out of, and opens you up to toll fraud. It's only worth it if you have a lot of phone or want call recording or transferring.
DTMF based challenge is probably easier. Even requiring callers to dial 1 to ring through is enough to keep robocall campaigns from ringing your physical phone.
I've been thinking about issuing my friends and family priority access PINs. If they save it to their contact entry for me after the number, I can entirely gate access. e.g. "5558675309,9876" Especially if combined with a time condition e.g. 11 p.m. to 6 a.m.
This is a good analogy unfortunately. SMS is the worst culprit there from my standpoint, given companies use it to send short term credentials (yes they do...) or for 2fa.
I either disagree or am ignorant about SS7. See my other post on this page. Interested to read others thoughts about implementing a "opt-in, call back only or GTFO system".
If I have full control of a DID, implementing callback isn't hard. That would be a bandaid type solution built on top of the existing phone network, however. Fixing ss7 at a systemic level so that all call routing in and outbound is verifiable, CID spoofing is impossible, is what is nigh impossible.
Are there any proposed replacements? Even SIP has vulnerabilities, foot gun features, and fundamental design problems like use of MD5 digest, NAT intolerance, and vendor and device specific bugs.
@jonathanmayer
Any idea why the landline companies don't address this issue? Do they make money from spam calls? I signed up for the Nomo Robo service, that I believe won an FCC sponsored contest to provide a partial solution. And I think the landline providers actively faught against its use.
I imagine a significant number of POTS lines are used by robocall/scammer operations, if not directly through third party VOIP services. Make not qualms about it, ATT still treats POTS as it's bread and butter. They will do whatever it takes to keep that cashflow coming in.
The problem with fixing this is that, to extend your analogy, SS7 is like how SMTP worked in 1992 before anything like spf, dkim, dmarc, SSL/TLS. Adding extensions to it will break interoperability with the truly gargantuan installed base of old ss7 equipment around the world that nobody wants to pay to replace. It needs to be burnt to the ground and started over from first principles. But really, everything that we need can be implemented with pure VoIP.
I just don't answer my phone anymore unless I recognize the incoming number. And caller ID is trivially easy to spoof. Thankfully nobody spoofs any of the numbers of my top 50 contacts.
Last year, a spammer spoofed with my business phone number as their caller ID. Mid-day, I start getting phone calls from people yelling at me to stop calling them, stop harassing them. Every 2-3 minutes, someone new and angry. After about 3 hours I had figured out what had happened and got ahold of my carrier and had them change my phone number.
I don't know enough about SS7 to understand if this is feasible, but it is clearly time for a call back based system. Millions of people signed up for the do not call registry. I am sure millions would sign up for a system where incoming calls trigger a call back. If your out bound call system doesn't support call back, don't worry because nobody wants to talk to anyone hiding behind the cloak of invisibility.
This is getting way out of hand, and I don’t know anybody who hasn’t the same observation, and has already changed their behaviour to NOT answer the phone by default.
If the major carriers don't soon understand the magnitude of the telephone spam/scam problem and treat it seriously, They will soon be crippling their business. While this is been likened here to the email spam problem in 2000, back then, everyone in the computer industry took the spam problem much more seriously telephone industry does now. E.,g., Verizon gleefully offers a blacklist where you can block 20 numbers (nevermind that the spam calls typically have spoofed caller IDs) -- they think they’re good, and it’s utterly useless.
They really need to implement a true Source ID (regardless of the presented caller ID), and a way to instantly flag calls as spam then do targeted tracking and prosecution. If they fail to do this or implement another effective solution, I expect they will lose a century-old line of business to new habits that work around the established habits.
Did you all have a sense for the scope of the problem in terms of number participants and market share? Is the bulk of the calls from a few larger networks, or is the bulk of the market one man shows?
So what am I doing that I've never once had a telemarketer call me, other than my car dealership or phone company. Canada can't be special. Is it because I use a cell phone for everything?
Not canadian but used to travel there a lot and had a nice collection of prepaid sim cards. Every new prepaid line I registered got tons of calls from debt collectors, to telemarketers, to scammers.
So yeah it happens, though probably less blindly than US and more from information sharing.
Two other conspirators in Illinois were sentenced in February to between two years to just over four years for conspiracy, and a third person in Arizona was given probation in a plea agreement, it said.
Sounds like the Prisoner’s Dilemma paid off for that third person.
Kitboga, over on Twitch[1], frequently livestreams the experience of talking to people executing IRS scams. Among other types of computer scams like "unlock your computer for X dollars," it's fascinating to listen in on the tactics used to prey on unassuming victims.
I am so happy to see some of these predators get caught. A former coworker, a very smart but also very naive network engineer from the middle east, was hooked by these people shortly after immigrating. They said they were the US government and that he would be immediately deported if he didn't cooperate. He ending up sending them $30,000 if I recall correctly. :(
The reality is that the world is complicated. Some calls asking for money are completely legitimate, and if you don't act, bad things will happen. Others are total scams.
If you're new here, they both sound the same because they are: People asking money for stupid reasons. E.g. mis-applied payments, a "1st-world" banking system where payments take several days, lack of chip-and-PIN resulting in overdrafts and failed bill payments.
In some places, if a reporter stops by your work to ask you questions, you'll lose your job if you don't answer them, because the newspaper is the government. In the USA, it's usually the opposite.
> Some calls asking for money are completely legitimate, and if you don't act, bad things will happen.
Have you got some examples? I don't think I ever got a call asking me for money. Or at least not one that I needed to act on immediately - a call from letting agency to check my rent payment would be the closest, but it was both verified and done outside of the call.
> I don't think I ever got a call asking me for money
I have gotten fraud alert calls from my bank or card issuer. When I got those, I would thank them, hang up and dial the number on the back of my card. Usually legit, but once it was not.
Not necessarily asking for money, but it can still lead to fraud. My wife got tripped up by one.
A guy called claiming to be from our bank. He said there were suspicious transactions in our recent account history, and he had some information about us. He knew our names, address, phone numbers, and even the last 4 digits of our social security numbers. He asked her to confirm her debit card number, and she gave it to him.
There's something surprising about a stranger having your personal information. It makes you think they're legitimate. My wife has a pile of degrees, and they still managed to trick her.
That's interesting. I never got more than "did you make this transaction?" question, but I could imagine a scammer could start asking more detailed questions.
I’m talking about not-north America. Where non-payment for something can lead to follow-up phone calls before it reaches the debt collection stage.
Sure iTunes gift cards sound strange to you, but the idea of asking for a cheque is unbelievable for a lot of the modern and developing world.
But in North America, I have gotten calls regarding payments from smaller vendors. My ISP likes money, so they’ve called me when my credit card expired. As has my dentist when a claim only went through 90%.
The IRS won't, but there are others who will. It is not possible for a human to know all the entities in the world who they might owe money to and how they would contact you if you did owe them.
The IRS is big and scary, but if you get a call from xyz inc saying you owe money and this is your last chance before it goes to court, that is scary, and it could be true.
> 2 contractors in India involving five call centers in Ahmedabad, a city in western India, have been indicted on wire fraud, money laundering and other conspiracy charges as part of the operation, the department said. They have yet to be arraigned, it said.
Is there any realistic chance of Indian law enforcement catching up with these guys?
None. Especially from that state, Gujarat. Home of corporate and financial crime. Sagar Thakkar fled to East Europe last year after netting $300 MM. It is upto FBI too pull its weight.
Gujarat indeed is the home office for corporate and financial crime. Denying it will be a travesty. Gujarat is where biggest bitcoin swindling happened in India, to the tune of $1 Billion. With active police involvement too.
Police in India plays a game on both sides of good and bad, they only take sides after its clear who is winning.
Its a standard tactic among police in India with regards to any crime/criminal.
Its very common for them to work for the the criminals. I remember a few years back there was an anti-corruption raid on a police inspectors home(in Koramangala, Bangalore) and in the gold jewelry recovered many residents complained it was the same jewelry stolen from their home a few years back. In short, the police helped the thieves to steal(provide information, logistical support and guard the home while the thief is stealing) and shared the spoils :) :)
Recently there was a journalist whose scooter was stolen by the cops and was caught on CCTV.
In these cases the cops would have been paid off, its only when the crime becomes intolerable and larger media attention catches on do they act per law. Some times they even pay off the judges in lower courts.
I wonder why this isn't a problem in Europe, at least I haven't heard of anything like it. Is it because Indians don't speak German/French/Spanish/etc.? Or is the American phone system somehow worse than the European?
Probably because it’s easier to find Indian/Filipino call center operators who speak English and the US is such a large market that there’s no need to expand into smaller European markets.
I have the same question, the situation seems pretty dire in the USA but as far as I'm aware we don't have nearly the same problem over here. And while most Indians probably don't speak French many African countries do (after all, that's where we put our call centers) and I'm sure if it was possible to make millions that way somebody would've tried.
Sell, or just (pretend to) don't notice it being taken away.
The story I've heard several times from different people about how it's handled in Poland - your operator usually subcontracts their support & telemarketing to a third party; some spammer will pay an employee of that third party to "liberate" their customer database as they end their employment.
I hear people all the time saying "if I made a startup and sold if for millions of dollars, I'd retire and never work again", when most people who do make millions on their startup continue to work. It's that work ethic that is what made them that multi-million dollar startup.
Whether criminal or not, there's a particular work ethic that keeps people like this making more money when they could retire happily.
Indian press reported the crime netted single crime ring >$300 Million. Guy fled to an East European country. Haven’t followed the news since about what happened later.
I've been pestered several times a day with the "last chance to lower your credit card rates" phone scam. I finally hit on a solution. I press 1 to speak to a representative, I get a human, then I follow their script until it gets to the "what's your credit card number" question.
I say I have to go look for it. So I randomly make noises like opening doors, closing drawers, shuffling papers. I had one on the line for 10 minutes before he gave up.
After a couple doses of "the treatment", they stop calling. Blessed relief!
This method works because it costs them human time. Just hanging up on their robot, or their human, doesn't work. They just call again.
I had an old landline number ported to Google Voice about 10 years ago. Now, 90% of the calls on that number are spam. Anything marked as spam in Google Voice still passes through to the Hangouts app. Google has done the most supremely crap job with Hangouts and Google Voice integration. Hey let's passthrough spam to the app and have no search function!
Hilariously quite a lot of calls are "Google SEO" related, scammy sounding credit offers, and political donation solicitations.
A lot of the Indian scammers have moved on to pretending to be the CRA (Canada revenue agency), the Canuck version of the IRS. Toronto and Vancouver area codes are plagued by robodialers connecting to fake cra scam call centers. Canada has a lot less resources than the US to spend manpower investigating and building cases with the Indian law enforcement agencies.
A friend lost a significant amount of money to what could have been this scam. The MO fits (posing as the IRS, threatening with arrest/deportation, collecting payments via gift cards).
The article mentions restitution. Does anyone know how he could find out if he's eligible?
This response is going to sound like a joke but it isn't: be sure to tell him that they won't call him to discuss restitution. It's extremely common for scammers to sell the list of their successful "buyers". Marks on the IRS scam lists will now be called by people saying "we are from the IRS scam restitution department, just need your bank details so we can return your money..."
Business idea: shared phone assistants. Whenever someone calls your number, the assistant answers only "hello?", they have to speak to your assistant and ask for you by name and/or passphrase to be connected to you.
You can add some prestige to calling someone (having a human answering and screening your calls for you) at a pretty low cost (1 minute per call? 2-3 cheap workers could cover the whole biz, could share lines between ~ 50-100 people with distinct sounding names). eliminate all unsolicited calls for the customer.
Too expensive to scale. Recorded greetings and directories have been around for a long time. Just having "Welcome to XYZ Co. For sales press 1, for support press 2, for a staff directory press 3" etc. is fairly effective in rebuffing robocalls as only human spammers bother pressing digits.
I have just read some recent reports and complaints filed by people at http://www.whycall.me/631-318-6350.html about these IRS scams. I think people should have been really aware of such scams, because they have been around harassing us for years. We also need to keep spreading the words to everyone about this.
Dang, I liked wasting these guys time. My technique was to pause as long as possible while obviously stuffing my face with Cheetos and telling them hang on
> They chose their victims through information obtained from “data brokers” or from other sources, the department said.
Would be interesting to know more about this. In the legit call center business the phone numbers of people who have previously bought something are more valuable. The ability to target specific demographics is probably a prerequisite for a scam like this, calling randomly would be really expensive.
It could be either way. Obviously targeted to specific demographics is the most effective, but phone calls especially robocalls are very cheap. Even ratios as low as 10^-6 are profitable when you make millions of robocalls. The USA Do Not Call list is a de facto live number list. Illegal telemarketers (redundant?) can directly use it as their target list. Another method is to randomly call numbers and mark "Hello?" responses as live.
I rarely receive calls these days and when I receive, they are mostly scams or telemarketers, so I basically accept call from a small set of whitelist and drop the rest.
Most people who need to speak to me attempt to contact me via different means anyways. I don't have much faith they will ever fix PSTN that I'm dreaming for the day I can start ignoring all calls.
You know, this scam probably wouldn't have been as successful if the real IRS didn't behave like a bunch of shady scam artists themselves. Twice over the years, I've been sent very intimidating letters by the IRS claiming I owe back taxes on clearly erronous assumptions by them. These have both been cleared up by submitting documentation but I've had to spend a good chunk of time in doing so. I also cannot phone them directly, I must fax reams of personal info to some random fax number with no confirmation they even received it.
By the time I received the IRS letters, I typically had to respond within a matter of days or face additional penalties (what if I was on vacation). Even the most basic of cross checking my tax forms would have clearly shown everything was legit. And these were by no means unusual or complex tax situations, just very basic things that millions of Americans report on their taxes every year. But even though I knew everything was above board, the tax laws are so convoluted that I was in constant fear the IRS would still find some BS reason I owed them more money.
Good work, it's heartening to see that these institutions eventually work together. Hopefully this success can be replicated with scammers who have targets less directly interesting to the state.
From what I've read the victim is asked to go buy itunes gift cards and read the numbers to the scammers. They are looking for only the most vulnerable of people.
Collective action problem [1]. Namely, our system requires people to document and report such problems. Few people do. As a result, certain problems get disproportionate interest compared to others.
The inherent difficulty in catching criminals who act from a distance, international police cooperation is required, following due process and using extradition treaties. Even extradition between USA states can convince local police to shelve less severe crime cases until the suspect visits the jurisdiction again. If a scammer is located in Russia, it will take a literal FBI trap to bring them to justice.
Most calls from scammers I get come from my area code. Well it makes it easy for me, since I don't live in the area code my cell phone is from, so I know not to pickup. But in general blocking international calls might be easily circumvented.
The signaling data includes the real origin. CID is convenience data provided by the originator. The telcos wouldn’t use it for anything important, like billing.
That said, the robocall problem is getting worse, not better. Robocall volume is at an all-time high: https://robocallindex.com/
In many respects, the problem of telephone spam today is similar to the problem of email spam in the early 2000s. Litigating against spammers had limited efficacy, so the community developed blacklists, better filtering, and stronger authentication (SPF, DKIM, and DMARC).
Until the major carriers get serious about similar steps, especially filtering and authentication (i.e. SHAKEN and STIR), these fraudulent calls won't stop. And, in the interim, vulnerable populations will continue to be disproportionately victimized.