Why has Apple and other cell phone makers & providers done so little to protect against spam?

I’ll bet that I am not the only TidBITS member to experience having my iPhone increasingly swamped with robo spam calls & texts, now up to the rate of 6 or 8 a day. Almost all of them with some bogus offer for 50K or 60K loans that I have supposedly been approved for.

I have been using Malwarebytes for protection against viruses and malware, which I’ve generally been happy with, so when they offered a new service scrubbing one’s personal data from the web (for an additional ten bux a month, mind you), I gave it a try in hopes that it would help solve the spam call issue.

Well, initially it seemed to clean me out of something like 120 personal data sites (though a good portion of those sites required that I had to go through annoying procedures to confirm my name and email). However, after doing this, what had been a steady trickle of spam (1 or 2 a day) turned into the present deluge of 6 to 8 a day.

Yes, I have been going through the iPhone’s complicated procedures to block the offending phone #s and ID the calls & texts as Junk, but since these are probably spoofed phone #s and locations, anyway, I doubt that this makes much difference.

Does anyone have a method that works for you to prevent these calls?

I don’t understand why either the phone makers or the cell providers have allowed this state of affairs to come about, to the point of rendering their phones and services nearly unusable. From my perspective the phone industry has been whistling and twiddling its thumbs, while allowing this to grow into a near crisis condition.

Sorry for the rant, but this is nearly driving me bonkers.

In my view, it has become impossible for mobile phone software makers and carriers to be the only defense against junk phone calls and text messages. War dialers and VOIP have made it extremely easy and inexpensive for trash marketers and criminals to spoof originating phone numbers, call or text every number in an area code, and operate in regions with lax regulations and law enforcement.

War dialing has also reduced the effectiveness of “remove my number” services and Do Not Call lists because a bot dialing thousands of numbers sequentially every day doesn’t rely on or check any database for targets. It just uses brute force to find victims.

So phone owners, in addition to using the tools and services offered by carriers and OS makers, need to consider additional defenses, including:
*Setting up a second phone number—services such as Google Voice make this easy—that is only disclosed to friends, family, and a limited number of other parties.
*Try to use non-SMS methods (for example, iOS Messages) as much as possible for texting with people you know. Then when you receive a SMS (in iOS, a green bubble message, not a blue bubble message), you know to be cautious.
*Silence notifications for calls and texts from numbers not in your Address Book.
*Remember that anybody with a legitimate reason to phone you will leave a voice mail if their call is not answered.
*Keep in mind that very, very few situations require immediate action.

In short, there isn’t any way to 100% prevent junk and scam communications. My personal strategy is based on three principles: Divert, Ignore, and Keep Calm.

The lion’s share of the blame here belongs to the telecommunications industry and federal and state regulators. There’s only so much phone manufacturers such as Apple can do when the system for identifying callers is so fundamentally insecure. Apple can check databases of known spam call & text sources, and try to catalog patterns of how spammers operate, but they can’t do more than that without violating the privacy of your calls and messages.

The FCC and the phone service providers, on the other hand, have long been dragging their feet on developing and implementing a secure replacement for Caller ID. The technology exists—it just needs to be turned into a reliable network-wide standard and pass regulatory muster, so it can be implemented by both carriers and manufacturers. Congressional defunding and political crony appointments to the FCC board don’t help.

I wish for one simple improvement: I want the ability to block texts and calls by originating country code. Just about every spam text, and many spam calls, I’ve gotten this year originated from a +63 number, which is the Philippines. I don’t know anyone in the Philippines. I don’t have any business or social connections of any kind to the Philippines. (I went to high school with a kid who was half Filipino, but he’s 100% American.) The odds that I’m going to get a legitimate call or message from the Philippines is so low as to be effectively zero. So why can’t I have those calls and messages automatically sequestered? This is something Apple could do without needing the phone companies to do anything.

Apple is adding a call screening function to IOS 26. If you enable this feature, when an unknown caller reaches you, they will be asked to provide identification before the phone rings. The phone will then ring and display the text of what they said. You can then take the call or divert it to voicemail. I assume that if they hang up when challenged, you won’t even see the call (although it may show up on your list of calls received.

Honestly, I kind of miss the days of phone calls being 10¢ a minute. That would put a quick stop to all of this.

Well, in a way you’re asking carriers to be mind readers, and Apple to take on the liability of blocking possibly legitimate calls.

One more thing that just came to mind: other MacInTouch readers might have a better recollection of the specifics but I think a well-regarded iOS call screening app there that included the ability to block area codes as well as individual numbers was Robokiller.

Unfortunately the spammers can spoof the country code as well as the phone number. I regularly get unwanted calls from “Newcastle” or “Melbourne” in Australia (I am in Sydney) but they are clearly from an overseas call centre (going by the chatter in the background). Most times I just cancel the incoming call, which gives the caller the option of leaving a voice message.

This issue go back to the days of analogue phone networks when a call had a fixed path through the network and so, in theory, the caller could be identified. Apparently digital networks were naively introduced without consideration of the nefarious use by anonymous callers.

The horse has bolted!

Some providers provide (at extra cost or as part of their more expensive plans) spam blockers. For example, my T-Mobile plan has a feature called Scam Shield. It will identify potential spam calls (when the number or Caller ID is presented, the phrase ‘Spam Likely’ appears above it), and will, at the user’s option, block all such calls preemptorily.

Whether the country code is genuine or spoofed is irrelevant in this case. The originating numbers that are coming through for these texts and calls have a +63 country code. Until these people realize that the country code gives them away, blocking it would be a useful way to reduce my spammy distractions.

I’m convinced that most people don’t look at the origin of spam at all, whether it’s phone, text, or email (not the name in the “From” field, but the actual attached email address). If they did, more spammers would make the trivial effort to spoof the origin. But most of my email spam falls under one of two categories: either they use my own email address as the “From” (a dead giveaway), or they make no attempt to hide the suspicious email addresses they’re using. This becomes especially obvious with phishing attempts, as (for instance) PayPal is never going to send you a message originating from a Gmail or Hotmail address, and your bank based in Pennsylvania isn’t going to send you email from Russia. Similarly, most spam calls and texts I get don’t even try to pretend they’re from a legitimate number now; if they spoof anything, it’s the name, but not the number.

(I did get one that was actually a little more clever today. Instead of having the phishing link in text in the email so it could be revealed by hover or reading the source code, they put it in a QR code, which requires scanning to identify where it goes. I hope this doesn’t catch on.)

Honestly, the #1 thing any developer of email clients can do to protect people from spam scams is show the sender’s email address by default, not just the name.

(And no, bringing email into this isn’t a digression; the spam problem is an issue with all forms of digital communication, and what helps with one form can help with others.)

Doing this has been illegal for a long time, but law enforcement seems completely uninterested in enforcing these laws. And a lot of calls come from overseas call centers, making it even less likely that law enforcement could do anything without getting diplomats involved - and they care even less.

This won’t do a thing about spammers that bulk-dial every number that exists. And there’s no guarantee that someone else didn’t have the number before you.

Far easier said than done. Especially when you remember that any such system has to work on calls that originate from every service provider in every country worldwide.

How are you going to force the Boris & Natasha phone company in Upper Slobbobia to implement the protocol?

And if you don’t, then crooks can route their calls through these rogue phone companies.

You can’t just look at which circuit the call comes in on, because calls can get routed all over the place. A call from England might come in on a circuit from Spain, or Nigeria. So even the country code has to be a value provided by the call originator.

The tech works for a limited scope, but does not work on a global scale.

What makes you think the call actually is coming from the Philipenes? Caller ID is easily spoofed. It could be coming from the building next door to you, but have that same caller ID number.

Yes. For me, the utility in having a limited-use number is making it easier to ignore or delay dealing with calls to my “public” number. In any case, in my decade or so of having a carrier number and a virtual number, I’d say 99% of unwanted calls to the virtual number are “fat finger” wrong number calls, not junk or scams.

I never said I thought they actually came from the Philippines. I said that the originating number had a +63 country code. “Originating number” means the number my phone shows on the Caller ID, regardless of whether it’s the actual source of the call. It’s the only information I can get about the source of the call. As has been repeated many times in this thread, Caller ID is so trivial to spoof that it’s useless for dealing with spam. But the consistency of this country code in the spam, combined with the infinitesimal odds of me getting a legitimate contact from the Philippines, means that blocking that country code would, at least temporarily, greatly lighten my spam load.

Not in the way you’re implying. The existing Caller ID system isn’t implemented by the same standard worldwide. Bellcore FSK, ETSI FSK, and DTMF are just three of the more widely used standards. These already must be translated for international calls.

Implementing a more secure standard, as with the original deployment of Caller ID, starts in one or a few places and then spreads as more nations adopt it. The obvious solution to lack of adoption is to use the existing Caller ID as the default fallback when a nation or carrier doesn’t use a secure standard. That is already compatible globally.

I never said that this would be a simple, global solution to Caller ID spoofing. Effectively implementing a new standard will take years, maybe decades. But it would be a start, and you have to start somewhere. The US is a logical place to start because of the large population and tech base, but it could just as readily start in, say, China. Once one major nation does it, others will follow.

There is no existing defense against war-dialing until both law enforcement and telcos start taking it seriously. There are potential provider-end technological solutions waiting to be developed, but at least one telco, or the federal government, has to decide that looking for one is a good investment.

Your basic argument here, on all the spam-stopping concepts being raised, seems to rest on the idea that since you can’t stop everything everywhere all at once, you shouldn’t bother trying to stop anything. This is an absurd fallacy that accomplishes nothing except inducing paralysis. You have to start with something, somewhere, that will help reduce some portion of the problem. Then you look at reducing another part of the problem. Repeat ad nauseam until the problem is completely solved or becomes irrelevant.

I’ve had my main cell phone number since 1996. Until just a few months ago, I haven’t had too much trouble with spammers over the years. Recently, however, I’ve been getting bombarded by cell phone spam.

It has gotten bad enough that I finally disabled rings from numbers that aren’t in my contact list and then delete the spam numbers at the end of each day. Further, when I schedule a phone call where someone is going to call me, I ask them to supply the number from which they will be calling in advance so I can put it into my contacts before the call.

I’ve had to do the same on my second cell phone line.

I’m not happy about the situation at all.

Political texts are going to drive me nuts. They aren’t “spam”, and calling them so doesn’t help. Unsubscribe and they keep coming.

At least Verizon’s Call Filter Plus works decently. Can’t screen out unknown calls because I run a business and I need new clients.

I got sadder and sadder reading this Topic. Seems like every new technology gets ruined by scammers and schemers after some time.
Call abuse is a societal problem imho so gov’t and tech companies can only do so much, and it does seem Apple has been prominently trying some ideas…

I read most of the Tom’s Guide article and find the Call Screening an interesting attempt to reduce annoyance, but continue to wonder what an ‘unknown number’ is. Every phone number is ‘known’. Do Tom’s/Apple mean ‘a number not in recipient’s Contacts App’?

For odd users like self, who have only a few numbers in Contacts and only icons/Emoji as ‘Profile Pictures’ (no names or other data), every call would be intercepted and analyzed if I turned this on, so every caller would go through extra hoops and have to ‘prove’ they are legitimate, have their voice analyzed by Apple, etc.

Kind of like presumed guilty and must prove one’s innocence, which brings me back to the point of this being societal.

I try to imagine what I’d suggest if I was on a company committee tasked with solutions to this. I can see there might be tech solutions but finding a balance between that and say, Privacy/dignity/respect is a definite challenge. Counteracting abusers is a full time job.

Why hasn’t STIR/SHAKEN solved this problem?

STIR/SHAKEN has been highly, though not perfectly, effective for me. I get a lot fewer voice calls, and those that I do get tend to be flagged as suspicious by my iPhone.

But STIR/SHAKEN only means a spam caller only has to find a phone provider that is willing to fraudulently authenticate a call in exchange for money. There is apparently no shortage of companies willing to do that.

And STIR/SHAKEN only comes into play with voice calls (and only SIP/VoIP voice calls, which is most of them these days.) It doesn’t come into play with SMS/MMS/RCS text messages.

RCS in theory supports very high levels of encryption and authentication, but those have only been implemented in proprietary Google extensions so far. As is typical, security has been left for later in the rush to deploy the technology.

Here in the UK, I routinely forward any spam/scam SMS I get to the number for Action Fraud, which works with the network providers here to block and shut down the numbers associated with them. I guess I’m fortunately in having dumped my original mobile number many years ago and not publicising my current one, meaning the occasional scammers trying to contact me are most likely just picking numbers at random. I have calls from unrecognised numbers silenced on my iPhone, most of those calls don’t go to answerphone and the ones that do are usually silence.

I get very little cellphone spam because I don’t use my iPhone much. My primary phone is my home/office landline, and my default is to let it ring unless I am waiting for a call. I don’t use my iPhone on the Net, don’t use texts, and generally avoid giving out my cell number unless absolutely necessary. I have had this number (but not an iPhone) for over 20 years, and somebody else had it previously (as I learned from a series of calls about medical bills or problems in the early years). I know this won’t work for everybody, but it works for me.

We have two land lines and my wife and I both have and sometimes all the phones in the house ring for government emergency warnings. However, the trickle of maybe a call or two a week on my iPhone tells me there aren’t many spammers doing war calling.