If a Caller Says, 'I Am with the IRS,' He's Not (npr.org)
197 points by adamnemecek on April 4, 2015 | 124 comments

If the caller ID says "anonymous" or "unknown", I don't answer. I refuse to talk to callers who won't identify themselves. That gets rid of most of them. For the rest, if there are a few seconds of silence after I answer, it's a robocaller and I hang up.

Somewhat related, but my girlfriend lives in Singapore, and I recently visited there while stopping by my parents' in Palau, which is a Pacific island. The internet infrastructure in Palau is pitiful, so when I tried contacting her by phone while there, and it turned out she blocked the number because it was weird (she said the number was a bunch of 8's. Coming from Palau's whacky telecom corp, it's not surprising). You never know if your loved one is stuck at the side of the road somewhere trying to get to you. I usually answer the phone and figure out who is on the line and I usually can determine who is a scammer and who isn't.

Then again, I don't get calls very often, so maybe I have more patience with calls. Emails? I am probably much less diligent about determining their authenticity.

That's a really interesting story! I've noticed similar strange numbers appearing from those who call from a VoIP service like Skype. One heuristic I use when I see a call from an unrecognizable number is to drop the first call and take the next one (if it comes). Well-meaning folks usually will retry in a short while, while scammers will usually move on to the next target.

I take the "if it were important enough, they'd have left a voice mail" approach to phone screening. I won't answer any number I don't recognize, but will immediately call back after hearing the voice mail.

Maybe it is my provider, but I hate voice mails because I have to navigate using button presses and constantly wait until it is done reading things back to me.

An SMS is so much simpler.

Likewise. That rules out most telemarketers. I've been getting the fake IRS calls described in the article, though, and they DO leave voice mails.

I take the "don't check voice mail ever, and disable it if possible" [1] approach to phone ownership. These are broadly incompatible in the same society.

[1] Oddly, on my last phone, with T-mobile, disabling voice mail wasn't possible through their internet account management. I did manage to get my voice mail disabled, but I had to call them and complain until they agreed to disable it.

I have the following setup with Anveo: if you're on a whitelist, my phone rings directly, else if you're on a blacklist, you go directly to voicemail. For everyone else, you're asked to press a digit to ring my line, otherwise in a few seconds you go to voicemail. This stops virtually every robocall.

I was forced to implement this after I started getting several junk calls a day. I don't think I've had a single junk call ring through since I put it in place. Rarely one will leave a prerecorded message. Interestingly, from looking at my call logs the frequency of junk call attempts has also dropped to just a couple a week after about a year with this in place.

Another nice thing about Anveo: their voicemail transcription mostly works compared to the comedy that is Google Voice's transcription.

My parents were in the same situation and now I'm doing the same in the UK with an Obi box (Anveo is just a virtual number right?), except without the voicemail. The message asking to press a number just repeats, after a while robocaller gets the idea and hangs up. It got rid of 95% of spammers.

I used to do the same, but then discovered my bank's fraud department comes up as unknown.. ugh. Calling them back is far more annoying than just answering all the calls.

How's this for annoying? I once received a call from a bank's (Citibank?) fraud department, but wasn't sure it was really them or a scammer. I asked for a callback number and then called the known number on the back of my card to verify that the fraud department call was legitimate. The Citibank representative said that they were unable to either confirm or deny that that was a valid Citibank number.

I received an aborted call (hang up after half a ring) from a non-anonymous number. When I searched for that number online, the only results that came up were forum discussions of wondering whether it was really Chase's fraud-detection line or a scam. For the most part, they concluded it was a scam, in part because several Chase branch managers had not heard of the number.

Fortunately, I came to the opposite (and correct) conclusion, seeing as how I had received the call 30 seconds after attempting to use my Chase card for a large international purchase online and was able to quickly get that issue sorted. Still, it seems to be the current state of the art that the rest of the bank is not aware of the phone numbers used by their fraud departments.

What worked well for me was to tell the caller that I wanted to call them back for security reasons, and write down the number.

Searching for that phone number will (if it's legit) likely point to a contact page on the bank's website.

In this case, a Google search didn't turn up any results on an official website, but didn't turn up any definitive proof that it was a scam either.

From your own description this sounds super annoying

In my imaginary "ideal" world, the computer would answer any incoming call, check to see if the number was in my database, if not it would then trace the origin of the call. It would then present the caller with a simple Turing test, it would answer, say "Good morning/afternoon/evening" and wait 3.8 seconds. If it got no response it would simply hang up. If someone started talking it would take a message.

Google Voice basically does this.

Having worked as an IRS contractor, I can tell you that actual calls from IRS land lines will also show up as UNKNOWN.

Then I'm sure if it's important enough they'll leave a voicemail with details on how to call back.

Unfortunately the scammers are doing that too, though.

If it's important enough they will leave enough information for me to personally identify who or what I need to call. Then I can go on the IRS website and verify.

I would expect the IRS to send a letter if they need to reach me, not make a phone call.

That's correct only for initial contact. If you phone them, they may do a follow up via phone.

Your doctor's office will show up as 'unknown'. Some doctors also hesitate to leave a message -- even a simple "this is Dr. X, please call us back" message is something some people don't want their room-mates or SO's to hear.

I've seen worse than that... "Please call (NUMBER) regarding a medical issue." that's it, and the number wasn't my doctor's office's published number, and I called the office to check, it was legit. That's absolutely horrible in terms of actual security and rings of a scam was my first reaction.

I really wish that more companies would back the robo dialers with real people who can actually listen/respond to the outgoing message. There's some standards to detect voicemail vs. an actual response, just the same nothing replaces real people with a working mind. For a while I had my outgoing message prefixed with the disconnected tone. That was a fun way of getting off of call lists.

Google voice + AT&T gives me a few seconds pause with any number I receive or dial. Also, lots of hospitals use blocked numbers when calling you, presumably not to leak patient info if they have the wrong number, and there are restrictions on what they can say in a voicemail message. I always pick up these calls. Better to face the problem, and file a complaint with the FCC if need be.

Considering the number of times they spoof the numbers I don't take calls from places I don't know the number or name. Even then it's iffy as here in Georgia they were spoofing the name for the local EMCs. Have had cases where MY number was shown too.

I try to sell them my products.

some job recruiters also hide their numbers for some reason

My parents got one of these calls and it really made them panic. They're getting older now.

They should put more enforcement effort into catching these people. You record everyone's phone calls and you still can't catch people pretending to be IRS agents?

I had an uncle actually get scammed and send money because of a call like these. He's a pretty intelligent guy, I was really surprised he got fooled by it. But goes to show how effective these scams are. There never seemed to be much interest from anyone in helping him recover his money / tracking down who did it. I also wish there was more action to stop this kind of thing, although maybe there's a lot more action than we think in the background.

My parents got scammed by this last year. They definitely were scared into giving up a few thousand dollars. These people must have their script down really good to make it seem pretty believable. I haven't heard anything after reporting it last summer. Either they are really good at covering their tracks or there's just not enough law enforcement into this type of fraud.

be careful what you wish for -- allowing use of nsa recorded phone conversations for non-terrorist crimes means they set a precedent for using those recordings against any citizen for any infraction, no matter how minor. there is a good reason we DON'T accept the use of warrantlessly obtained phone recordings in bulk (at least not yet).

If my personal data must be collected, I should be able to use it for my personal benefit.

It's pretty easy to reach these guys without wiretapping...just like the Windows virus scammers, you can find a friend who has been called by them, get the number, and pretend to be a victim.

I don't think he's advocating for warrant-less wiretapping.

That information can be collected without an illegal search warrant.

The phone companies are required to keep call records for at least several years. I tell the IRS investigator that I got such a call, and now they request the records from the phone company.

I always appreciate it when you guys are honest about your willingness to let people get hurt for the sake of principle.

Think about the alternative. If you're not willing to let anyone get hurt for the sake of principle, the only principle you can ever hold is "don't ever let anyone get hurt for any reason, no matter what". In the first place, that's impossible. In the second, the more you attempt to force people not to get hurt, the worse off you make everyone's lives. We can't all live shut in padded rooms.

Indeed. This is an excellent explanation of exactly how fundamentalism works: everything must reduce and cohere down to a particular set of principles, rather than reacting and adapting to reality with an understanding that the present understanding of morality isn't fixed and is subject to change.

Once you pick a line in the sand you will not budge over, you have maimed your capacity for reason. So yes, the only principle I could ever hold is an impossible one. Fortunately, I do not hold it.

Yep, I'd rather some people get scammed than my rights be further violated.

My wife got one of these calls a month or so ago. And not bragging, but she is very intelligent and they had her going for a bit too. She was actually getting upset with them because they kept hanging up on her and blocking her number. She would call back from other cell phones and VOIP numbers trying to figure out what was going on.

The problem is that these operations use hacked PBXs and are very hard to trace.

I was contacted by one of these scams recently. A quick Google for key terms in the message (the "officer"'s name and the phone number) showed it to be a scam that particularly enjoyed exploiting immigrants because they are very likely to pay quickly to keep everything quiet. How they have been able to operate such a scam for years without getting arrested is beyond me.

>>How they have been able to operate such a scam for years without getting arrested is beyond me.

Yep, I'm flabbergasted. Impersonating a federal officer is a felony, and on top of that, the IRS takes its shit seriously and hates getting screwed with.

I doubt they're in the US. voip and one compromised something with an ethernet connection and a modem.

It's that, plus it's not being investigated very seriously. I ran a VoIP company, and supposed federal investigators wouldn't even go through the hassle of getting a legal order for customer information.

It's the same for robodialling. The FCC or anyone could put a major crimp if they wanted to, but no one really digs into complaints very much.

Some of these scams can be extremely elaborate and sophisticated. Does anyone remember this one, where the scammer already knows all your personal info, tells you to call the number on the back of your card, and when you do so you end up still talking to the scammer? http://www.theguardian.com/money/blog/2013/jul/29/courier-sc...

I'm not sure if their policy has changed recently, but at least as of a few years ago, the IRS definitely did call you.

I got audited (joy!) and was notified by a relatively-friendly phone call by the auditing agent.

Now, she was following up on a letter she'd sent first (to an old, invalid address), to which I hadn't replied, so the "we contact you by mail" thing is also correct. But at least in my case, they most definitely (and legitimately) called.

I've been audited once before and they sent letters well prior to calling.

For hilarity: I ended up finding more receipts and getting additional money back so the agent ended up doing me a favor.

I'm curious - what happens after you get audited?

In one case, I got an audit letter, said it was a random audit, and everything checked out. A second time, I got a letter that I made an addition error (in their favor), and ended up getting another couple hundred bucks back.

An audit can also result in them asking for a paper trail to back up what you claimed. Keep in mind that many of the common items (interest earned, mortgage interest paid, etc) are all filed with the IRS by third parties, via a 1099 or 1098 form. But for some other items that you can claim deductions on, such as business expenses, you will need to provide them a copy of the receipts if they ask. If you can't back it up, they adjust what you owe, and may apply interest / penalties, which you will have to pay. If not, they can do things like garnish wages, freeze bank accounts, etc. But that will come after a court judgement typically.

Keep in mind that some of the items they will go after: If you turn in expenses at work, and they reimburse you for that, the IRS may still require you to retain the receipts to show that it is a valid business expense that you got paid for -- otherwise they can consider that income and tax you on it.

I got a call that I'd be audited, and the letter only arrived a few days later.

I honestly don't understand why caller ID can be spoofed or disabled by the caller. The only things this enables are illegal and/or annoying. In this case, one should be able to report the number to the authorities and they should be able to identify fraudsters very quickly and put some people in jail.

There are legitimate uses for "spoofed" caller ID (it's not really spoofed, it's whatever the call originator declared to be, you can originate calls without ability to terminate them so a particular call may not have a "real" originating phone number at all).

E.g. companies use their 800-number or some kind of central dispatch to ID all their phones.

Google Voice has an option to show the original caller ID on forwarded calls or your own Google Voice number, both seem to be more useful than an ID of whatever box Google used to originate the call to you at the moment.

Basically the caller ID is as useful as the reply-to in e-mail: if you want to get replies then you make sure you fill it with correct information but it's not authenticating the sender by any means.

Caller ID as a Reply-To header is a really good way to think about it.

It's worth noting that there is a more reliable piece of data for actually identifying callers: the ANI field. It doesn't show up on caller ID, but if you run your own PBX you might be able to log it. It's used for billing purposes, so it's much harder to spoof.

If you own your own PBX, you can modify Caller ID, but you can't modify ANI.

More info: http://en.m.wikipedia.org/wiki/Automatic_number_identificati...

So if I make a call with an outgoing VoIP service and set my caller-id to a particular number, what gets sent as the ANI?

The scammers are definitely using a VoIP service around here anyway...

Though my understanding is that ANI isn't blockable by the caller. So if you have a toll-free number, you can see the calling number for callers that have blocked their caller id.

Most Asterisk VOIP services easily allowed setting the ANI last I checked.

That's still not a technical reason why the barn door needs to be wide open. Google being able to set the originating phone number should be the exception rather than the norm. Just like money transfers, there could be an obligation for telephony services to provide valid identifying information, enforced through a chain of contracts where a link doesn't get to set originating info unless it also agrees to the contract.

There will always be holes, but at least this would provide a mechanism for eliminating them. Also, a "green zone" could start in the US and expand outwards, eventually kicking scammers off of VOIP links situated in the US, forcing their costs up.

PS Google has been experimenting with verifying email senders.

Law enforcement can already request whatever identifying information there is for any phone call (which amounts to much more than a 10 digits number). Caller ID is a customer service that is intended to serve customers, not to catch criminals. Criminals are only being able to use it as an attack vector because there are people who believe it's some kind of authenticity certificate.

If any laws were to be changed I'd mandate a mandatory "This is the number the caller chose to identify oneself with" sticker around caller ID display on any phone with such a feature.

I don't know if you've ever tried to report a nuisance call, but, as the article hints at, there's a wall of apathy at the phone company and law enforcement end to overcome. If they go the extra step to look up ANI, well, that is spoofable as well. Do they regularly go further than that? Making it not so trivial to spoof caller ID would reduce abuse just like some ISPs have elected to implement egress filtering.

Just because the service is currently wildly untrustworthy doesn't mean that it should be or is required to be. There IS a market for better authentication and filtration of nuisances that companies like Google seem to be aware of.

>> Law enforcement can already request whatever identifying information there is for any phone call

So why did we just read the linked article where the IRS (government agency) is warning people about scams but doesn't tell them to report them?

>Google being able to set the originating phone number should be the exception rather than the norm.

Most non-residential buildings have a PBX which is interfaced with the PSTN (actually, a telco like AT&T) via some "trunking" system. Trunking systems, like SIP (which runs over IP on the regular old internet) and PRI (which runs over a T1), unlike simple analog circuits, carry multiple calls for multiple numbers at the same time.

The telco decides internally which PBX a call will be routed to, then presents the audio stream and signaling data (caller ID, destination phone #) to the PBX, which can do pretty much whatever it wants in response.

In a typical business installation, some numbers might be routed directly as calls to specific people's extensions (we call these DIDs), while others might ring several phones at once (and go to the first person to answer), a call queue, an IVR menu, a prompt to "dial your party's extension number," etc.

Or you could do something exotic, like Twilio.

The PBX is also responsible for connecting outbound calls to the outside world. It sends signaling data (CID, destination phone #) to the telco along with whatever audio it pleases, and the telco responds accordingly.

Hundreds of different phone numbers might route to a PBX. No one except the PBX is in a position to know which one makes sense to send as caller ID.

You might say we should only let PBXes send CID of numbers which are routed to them. But this breaks a use case where a business with many branch offices wants the same caller ID (in at least some cases) on outgoing calls from all its locations. To present the "main" number, you would now be forced to route the call over the internal network (typically a VPN, or else a leased line) to the main location's PBX, then out its trunk. This can get really hairy as you have a lot of load on this device as well as a single point of failure for potentially hundreds of locations.

So to support lots of different branch offices presenting the same CID, we now have to be in the business of maintaining a list of authorized CIDs we can send on a specific trunk line. Could it be done? Absolutely, but it isn't simple and telcos don't seem to think it's worth the effort/overhead. And all it takes is one telco who doesn't implement this requirement to make it worthless. (Just run your call spoofing website off an Asterisk instance trunked to that telco).

It might be nice to have a WHOIS equivalent for telephony - some way to find out the legal name of the entity which pays the bill for receiving calls at a specific number - but no one has gone to the trouble of creating an exhaustive database and forcing telcos to participate in it.
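The per-trunk list of authorized caller IDs described in the comment above, sketched as an added example (not part of the thread, and not any telco's or PBX vendor's code). The trunk names, the phone numbers and the policy of rewriting an unauthorized caller ID to the trunk's default number are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Values a PBX may send when the caller withholds their number (assumed set).
WITHHELD = {"", "anonymous", "unknown", "restricted"}


def normalize(number, default_cc="1"):
    """Return the number as +E.164 digits, or None if it cannot be one.

    Allow-list comparisons only work on a canonical form; otherwise
    "(202) 555-0100" and "+12025550100" would look like different numbers.
    """
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    if not raw.startswith("+"):
        if len(digits) == 10:                      # national format
            digits = default_cc + digits
        elif not (len(digits) == 11 and digits.startswith(default_cc)):
            return None
    if not 8 <= len(digits) <= 15:                 # E.164 allows at most 15 digits
        return None
    return "+" + digits


@dataclass
class Trunk:
    name: str
    default_cid: str                               # number billed for this trunk
    routed: set = field(default_factory=set)       # DIDs the telco routes here
    authorized: set = field(default_factory=set)   # extra numbers the customer controls

    def allowed(self):
        return {self.default_cid} | self.routed | self.authorized


def screen(trunk, presented):
    """Decide which caller ID leaves the telco for a call offered on `trunk`.

    Returns (action, caller_id):
      withheld - caller chose to hide the number; nothing is asserted
      pass     - presented number is on this trunk's allow-list
      rewrite  - not authorized, so the trunk's own number is substituted
    """
    if presented is None or presented.strip().lower() in WITHHELD:
        return ("withheld", None)
    cid = normalize(presented)
    if cid is not None and cid in trunk.allowed():
        return ("pass", cid)
    return ("rewrite", trunk.default_cid)


# Constructed sample data (555-01xx numbers are reserved for fiction).
MAIN = "+12025550100"      # company head-office number
BRANCH = Trunk(
    name="branch-denver",
    default_cid="+13035550140",
    routed={"+13035550140", "+13035550142"},
    authorized={MAIN},     # branch may present the main number without hairpinning
)
OTHER = Trunk(name="unrelated-customer", default_cid="+14155550170")


def demo():
    calls = [
        (BRANCH, "(202) 555-0100"),    # branch presenting the main number
        (BRANCH, "1 (303) 555-0142"),  # one of its own DIDs
        (BRANCH, "Anonymous"),         # withheld caller ID
        (OTHER, "2025550100"),         # someone else's number on another trunk
        (OTHER, "not a number"),       # garbage in the caller ID field
    ]
    return [(t.name, cid, screen(t, cid)) for t, cid in calls]


if __name__ == "__main__":
    for name, presented, result in demo():
        print(f"{name:20} {presented!r:22} -> {result}")
```

The branch office can present the main number because it is on that trunk's allow-list, so the call does not have to be routed through the head-office PBX; the same number offered on an unrelated trunk is replaced.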

"we now have to be in the business of maintaining a list of authorized CIDs we can send on a specific trunk line"

Yeah, that's what I was thinking. Similarly, some ISPs have implemented egress filtering to reduce abuse. At least a few speedbumps in the way of total anonymity over the phone would make scamming less trivial.

There's a funny parallel here about IP addresses.

Except that it's not funny there either.

Allowing hiding caller ID is important for privacy reasons (the privacy of the person being called).

Allowing spoofing caller ID is important so internal landlines don't need to be revealed, and instead they can present you with their main number.

I find it odd that the article did not comment on why the scam works: Many folks have the perception that the IRS is an unreasonable, strong-arming organization.

(Not that I've had any large issues, but I've found the agents there to be fairly reasonable for the small stuff I've dealt with.)

Since I signed up for the free (to consumers) www.nomorobo.com the scam calls don't bother me anymore. They won an award from the FTC for innovative ways to stop automated phone calls. You use your phone service's simultaneous ring feature to ring your house and Nomorobo at the same time. If the call is from a known scammer / automated dialer it picks up the call and immediately hangs up. So your phone only rings once.

Recently my friend from work got a similar call which asked him to transfer $5000 immediately or else he will get arrested for improper tax filing/tax evasion within 30 minutes!!! Being new to the US, he was scared and started panicking. But people calmed him down and told him to ignore it. He might have transferred the amount if he had no one to consult that day.

Relevant: https://www.youtube.com/watch?v=ZSIO2z3qrwA

Not surprising that they don't have any bad feelings about it.

Amusingly, I once got a call from the actual IRS -- and the caller asked for my SSN before continuing! I declined to provide it, asked for his name, looked up the IRS number in the phone book (this is how long ago it was), and eventually got through to him. He did not seem at all upset or surprised by my wanting to do so.

Turns out there was a similarly-named company not that far away from us, whose CFO had the same last name as me. As soon as I called and gave my SSN he said, wait, do you work for "Cygnus" and I said yes, but we figured what had gone wrong out and he said, "sorry, never mind". Total time on the call: less than 60 seconds. Total time to get through to him? About 30 minutes.

Still, the commissioner's advice was essentially correct: I was surprised to get the call because it wasn't for me. Was the IRS, but not a call for me. Good thing I called back though!

These scammers have been hitting me with a phone call per day for the past 3-4 months. They always use a different phone number, and only twice did they leave voicemail (one was a recording, one was a bunch of guys chatting as if they forgot to turn on the robot). The recording says something like "the IRS is suing you."

For the numbers that weren't blocked, I tried checking them using Twilio's Lookup service: https://www.twilio.com/lookup

While the numbers are often in my local area code, the Twilio API shows the "Mobile {Network,Country} Code" is typically in South America or Eastern Europe.

How did they get my phone number? I replied to a Craigslist ad a while back that turned out to be a scam :( I wish there was a way to get rid of the calls ...

Google voice my friend.

Yep. I have two GV numbers and never give out my real number ever. If someone legit wants to talk to me, they'll leave me a GV voicemail.

One suggestion, I set my voicemail on my actual phone to the disconnect tones followed by a very long random message... I use an mvno that doesn't let me set conditional forwarding.

Love GV been using it for years.

Someone should start an SSL verification service for official phone calls.

Great idea - but with what verification level? admin@domain.tld email verification?

I got called once and said "Oh really? What office?" but they realized I wasn't buying it and hung up.

These things are pervasive and they are annoying, they are also impossible to prosecute in the "small" so I'm wondering if there is a case to be made for user provided call tracing. Specifically, if you get a call, you can originate from that same phone a request for trace which returns the origin point of that call. These days with call setup being 100% digital the trace information is available immediately (rather than after some fictional period of time with an open line) so why not provide this as a service to phone subscribers? I'd be willing to pay $10 whenever I triggered the service, and the data is out there so it's essentially "free money" for the phone company.

I'd be tempted to string them along. If you pay your taxes, these people are basically stealing from you by increasing fraud and decreasing the willingness of others to pay taxes, as well as stealing from other people.

I'd be fine with IRS CID spending $100 to catch $1 of criminal predation on taxpayers, here.

Which is tied to law enforcement involvement and is of no use in this case, they won't follow up. I've tried. But if the phone company would send me that information, I could use it to follow up with an investigation into who these people are, where they live, how they get their money, who is complicit in the money laundering, etc. And then either give that to the press, the Internet, or the police depending on the desired effect.

Vaguely OT, but does anyone have good information regarding how to identify or block scam/shady websites?

My grandfather tends to fall victim to these types of things - not even always explicit scams like this, but believing hugely inaccurate political websites ( think Obama impeachment conspiracy type BS ), and buying into wonder-products or just the general drivel you see in spammy ads on AOL.

I'm probably going to start by cleaning up his computer some and installing Ad-Block, but most of the links to the websites are coming from his emails - any advice from someone that have dealt with similar scenarios?

Although it may seem a bit harsh, maybe it's better to just have a whitelist. My dad started using a computer a few years ago and I've been worried about the same as he gets older. The number of sites he browses is minimal though. It's not as if he needs to go on a massive search to figure out the best practices for X new technology and read a load of blogs.

I use Pollock's HOSTS file: http://someonewhocares.org/hosts/

It blocks a handful of spam/scam sites but it's mostly for malware, maybe there's another sort of HOSTS file for spammy sites?

Our landline has been called by 1) IRS scammers 2)FBI scammers 3)Some fake govt health organization suing my company for 40K!!

Funny story - So finally I told the fake health organization that if they were genuine, they would send my company a letter and paper work. And voila, a few weeks later we get paperwork with misspelled company name from those scammers! I have to give them credit for trying!

Maybe it's just me or maybe I have too much time on my hands but I really enjoy messing with the scammers. This is most entertaining when done with sound bites from movies.

Also, the IRS wants their money much much more than they want to send you to jail so they'll work with you and be more than accommodating as long as it means getting paid what they're owed.

It's 2015. Every bank will communicate with me using TLS and email. Why the hell won't the IRS?

It's insane, backward thinking.

I've been getting a lot of the IRS and the "This is Windows calling" calls recently. I usually tell them to fuck off, but once in a while I will string them along. I figure my best revenge is to waste their time so they can't spend it harassing someone else who doesn't know better.

And Bridget, et al, with cardholder services.

Hypothetically speaking, how could one go about retaliating against this? If one could identify the source numbers, could one set up a network of counter-robodialers and effectively DDOS them?

Say "Oh yes, I will get them, just wait a few moments", then put the phone down and come back some time later.

ELIZA or other natural language responder could be effective too.

If you want to spend a couple bucks you can use Twilio's api to spam the hell out of them.

don't do that please.

1. you could get it wrong.

2. that is not the intended use for an API like that.

3. it would be better if you spent your time to report or collect information to help law enforcement catch them.

It might be fun to use the API to hurt them but you're effectively stooping to their level if you did... and in the process remember you're hurting twilio if you do that.

I was thinking more like drone strikes.

As with fax spam and email spam, these people deserve death. With 7 billion people hanging around the last thing we need is a handful of first-world career criminals.

My colleague has been getting these kind of calls at the office. The callers do have heavy Indian accent.

It is amusing for us for any of these scammers to call any of our direct extensions.

>> Koskinen said. "Our way of contacting you is by letter."

Scammers cannot contact by letter purportedly?!

I'm assuming the difficulty of finding a decades-old IBM Selectric to get the authentic "government form letter" feel is what keeps the scammers out here.

I would also assume that mail fraud is easier to investigate than telephone fraud.

one of those links on that page should totally go to a page stating "I just told you to not fall for scam links and first thing you did was to click on a random link on a random internet page! next time, know better not to!"

What's wrong with clicking on an unknown link? It can only hurt you by taking advantage of an unpatched security bug in your software. But if you have that, you might be vulnerable doing all sorts of other things on the internet. And you probably do have that and are vulnerable doing all sorts of other things. It's just not very likely to hurt you in either case.

It's about preemptively scaring people about how easy it is to have them do this and that action when the communication looks legit.

And following a link from a scam email has a greater risk of drive-by infection, since it is specifically crafted for that and has already convinced the user of being legit: you have to take into account that once the "seems legit" feeling is active, escalating actions gradually is likely to succeed.

It's about context and psychology. If one of those links from an official-sounding page had a "download this to check if you have been scammed", a lot of people would have done just that. In the same way, you need to preemptively scare them, so that the message of "trust no one" really comes across vividly.

LOL, people still answer the phone.

This is flippant and not very HN, but I did upvote it. I get more nuisance and spam calls than I get legitimate calls, and that's with getting on any do-not-call register I can.

I pay $40-50/month for the privilege of getting mostly time-wasting phone calls at my office and it's infuriating.


> What if you get called by someone who is with the IRS?

FTFA, 3rd ¶: "If you are surprised to be hearing from us, you are not hearing from us," Koskinen said. "Our way of contacting you is by letter."

Except the article is wrong.

In 2010, I received a call from the IRS. Agent 0199475 wanted me to go to http://pay1040.com and pay my taxes.

Unsolicited call? Check. Asking me to use a 3rd party website? Check. Was curt with me when I asked how I could trust that he was with the IRS? Check.

In this case it was all legitimate. I looked up the IRS phone number on irs.gov, called back, and got a hold of the same guy.

I was a foreigner, which I think is why I was treated differently. Maybe domestic payers never receive phone calls, but I certainly did.

"pay1040.com" looks fake. They have a low-rent SSL certificate. Since they handle large amounts of money, they should have an EV cert. Their Trustwave seal leads to FIS, which is a big company that does back-end processing for banks and other financial services. Their Entrust seal just leads to Entrust's main page.

Yet they really are an IRS approved payment processor.[1]

[1] http://www.irs.gov/uac/Pay-Taxes-by-Credit-or-Debit-Card

Google and Facebook don't use EV certs either. EV certs are no more secure than any other SSL certificates, they're just a bigger rip-off.

I use the same strategy when I get an "authoritative" phone call:

1) what is your official website? 2) where is your phone number listed on that website? 3) what is your name?

Then I go to the official website (irs.gov or whatever in this case), get the official number, and ask for the person by name.

If it's the same person, then congrats it's all legit.

In the UK those protective measures don't work because of a difference in the way the phone systems work.

In the US when either party hangs up the phone the line is cleared; the call ends.

In the UK that only happens when the dialing party hangs up. The call is still connected if the dialed party hangs up. This used to be many hours. I think there's a 5 min limit now.

So, the scammer calls you; gives you the phone number and extension and name, and website. You hang up. You go to the real official gov website and see that the phone numbers given match. You then pick up your phone -- and the scammers play a fake dial tone; and you enter the number and they play a fake ring tone; then they "answer" the call.

This scam has been used to fleece people of their entire life savings - tens of thousands in one go, sometimes even hundreds of thousands of pounds. The scammers normally pretend to be the police investigating a criminal who works for your bank. They need you to transfer a bit of money into an account so they can trace it; then it builds up to a bit more.


There's an interview with someone who handed over £15,000 to the Microsoft fraudsters. https://news.ycombinator.com/item?id=7868166

And these people do not get their money back! In England if you make a bank transfer to a fraudster it's your fault and you lost that money.

I don't think it's about being smart or not. Most people are generally trusting and compliant and scammers exploit that with a refined process that they've iterated on over hundreds of other victims.

I just confirmed this works on my BT landline, albeit with a 60 second timeout. I can't believe I never knew this was a thing.

Yup; got a call from NCIS once (not the show, the real thing). The agent was more than happy to tell me what office she worked for and her name. I then looked up the number on navy.gov independently and got transferred back to her.

Fun fact: it was over a guy who was stealing equipment from the Navy and selling it online. Turns out they didn't want the equipment back (since it couldn't be re-deployed for security reasons). They just wanted me to testify against him. I believe he ended up pleading out once confronted so I never ended up testifying.

Yeah that works until... http://www.spoofcard.com/

The key part is that you're calling them back.

If someone fakes their caller ID and you call the number they claimed to have, you're not going to reach the faker, you'll reach the legitimate owner of the number.

Yea this is also important when someone allegedly calls from your bank.

I have trouble with this story. I'm also a foreigner, and around approximately the same time (+/- 1 year) I made a mistake on my return and ended up owing some small amount like $150 or $200. They sent letters. I called them on the phone, and I mailed the check to an IRS office. They've also sent letters other times when I didn't owe money but should have filed with a different version of the form, and another time when I overpaid.

On general principle, I never deal with anything financial or legal over the phone. I listen if it seems legit, and then say 'Can you put it in writing? I like to have these things on paper.' I hope the call you received was an experiment which has since been abandoned by them.

Maybe they changed their minds about this in the five years since then, after seeing the potential for abuse. No idea if it's true, just speculation.

Good point!

As I think about it, the IRS agent mentioned that there was in fact a first contact by mail in my case. I had moved and didn't receive the letter.

An IRS agent would never say "Pay us now by wire transfer or we're going to arrest you."

Who is saying they would?

The scammers the article is about

Sure...but how does that relate to this subthread of comments?

I like how the title of the story implies that the scammers are all men, but in the article the person who left the voicemail was actually a "stern woman". Where is the PC police when you need it?
