Phone scams get dismissed as background noise or just annoying interruptions and unknown numbers with robotic voices we learn to ignore. But behind that noise is an industry built on psychology, automation, and staggering profitability. My guest today is Alex Quilici. He’s an engineer, entrepreneur, and the CEO of YouMail, a company focused on protecting consumers and businesses from unwanted and fraudulent calls.
Alex has spent years analyzing how robocalls and scam campaigns are designed, how they evolve, and why they continue to work despite better technology and increased awareness. What began as a voicemail platform shifted into fraud prevention after users unintentionally revealed a powerful truth that even small friction can disrupt scam operations. He shares how his own father got pulled into a tech support scam which cemented his mission to move beyond blocking calls and toward tracing and stopping scams closer to their source.
We talk about how scam calls are engineered, the tactics that trigger panic and urgency, and how criminals use data breaches, AI tools, and impersonation to sound convincing. We also explore what’s changing, including fewer random calls, more targeted attacks, rising text and messaging scams, and the difficult balance between stopping fraud and allowing legitimate calls through. Alex shares practical ways consumers and businesses can reduce risk, along with a candid look at why this problem is so persistent and where it’s likely heading next.
“Blocking a call after it reaches you is helpful, but it’s already late in the game. The real goal is stopping fraud closer to the source.” - Alex Quilici Share on XShow Notes:
- [2:23] Alex explains how YouMail shifted from a voicemail company into fraud prevention after noticing users using an out-of-service message to deter robocallers.
- [3:25] Discussion turns to robocall volume, with Alex estimating billions of calls per day and roughly five billion robocalls per month.
- [4:10] About half of all robocalls are unwanted, while the rest include legitimate reminders from doctors, hospitals, and financial institutions.
- [5:05] Alex notes that legitimate telemarketing still exists but is now heavily overshadowed by sketchy and scam-driven campaigns.
- [6:40] Scam calls have declined in raw volume, yet attackers are becoming more targeted and efficient.
- [7:15] Scammers increasingly pivot to texts, email, and messaging platforms where third-party blocking is harder.
- [9:27] Alex describes limited progress shutting down shady telemarketers but better success against large-scale illegal robocall operations.
- [11:05] Sense of urgency emerges as the dominant tactic, often involving fake charges, legal threats, or financial panic triggers.
- [13:10] Modern scams combine spoofed caller ID with breached personal data to create highly convincing impersonations.
- [16:27] Scammers are compared to extremely motivated marketers who rapidly adopt AI and optimization techniques.
- [17:30] The economics are startling, with scam campaigns generating enormous profits at extremely low cost per call.
- [18:44] Alex advises letting unexpected calls go to voicemail and returning calls through verified, official channels.
- [20:50] Panic-based bank account scams are highlighted as particularly dangerous because fear overrides logic.
- [23:19] Businesses are identified as vulnerable targets, especially through employees’ personal mobile phones.
- [31:52] Enforcement efforts are increasing, and Alex predicts stronger regulatory pressure over the coming year.
- [35:54] Impersonation scams tied to toll roads, DMVs, crypto, and romance schemes are flagged as growing threats.
- [38:19] A simple defensive principle is reinforced: pause, disengage, and verify independently before taking action.
- [41:44] Alex outlines YouMail’s call-screening approach, adding friction that blocks automated scam systems while allowing real callers through.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- YouMail
- Alex Quilici – LinkedIn
Transcript:
Alex, thank you so much for coming on the podcast today.
Thank you for having me on.
Can you tell myself and the audience a little about who you are and what you do?
My name's Alex Quilici. I'm the CEO of YouMail, and what we try to do at the company is protect America's phone numbers. We have an app that consumers can download that blocks robocalls and robotexts and things they don't want to get. But what's really important is we collect data from that on what the bad guys are doing, and we work with and have services we sell to the carriers and to enterprises to help them stop this fraud that they're putting on the network in the first place.
Oh, cool. We'll get to that, because I always have lots of questions about, no offense, but why your company exists and the carriers aren't doing it. I would love to hear some of the background. What got you into this field?
Well, it's a couple of things. I've been in telephony for quite some time. My first company was essentially Siri over a 1-800 number before smartphones. That got us into AI to be able to handle people's statements about what they wanted. It got us into large data because when they were doing Siri-like things, you had to manage all this data and make it available. It got me into telephony because we had to provide a service that would actually answer the phone when they call so they could do all this stuff.
That's how I got into the general space. I got into YouMail as an investor. It was actually a voicemail company, hence the name. It was back when we thought there were interesting things you could do with voicemail. After a while, a couple of things happened. One is we saw our users were using a feature that we had that played an out-of-service message. You know, the old, “Doo-doo-doo, this number's out of service.” They were using that to actually block robocallers and scammers.
And so we said, “Hey, we should actually focus on that.” And then my late father got involved in a tech support scam. I realized that it's hitting home. We can do a great service for people. We can build tools that help protect people from the scams. Ultimately, could we go to the source of the scam? It's too late when you're blocking your caller text on the phone. You want to try to figure out where they're coming from and shut it down at the source.
Let's talk about the scope of the data that you deal with. Do you know about how many calls are connected worldwide or US-wide on a daily basis or so?
I've heard it's on a daily basis, I'm not sure. It's in the trillions, like over a trillion overall, which would mean three or four billion a day at least in the US, if not more.
We'll start with unwanted calls. Do you know what percentage of those calls are unwanted, whether it's a telemarketer, some sleazy business, or a scammer, but what percentage of those calls are suspected to be unwanted in some capacity?
Robocalls, there's roughly five billion a month, right? About 50% of them are unwanted. -Alex Quilici Share on XWe look at robocalls more than just personal calls, right? Robocalls, there's roughly five billion a month, right? About 50% of them are unwanted. They're telemarketing, scams, spam, just stuff people don't want. What's interesting is the other 40-50% are wanted. It's the call from your doctor reminding you about the appointment, or the hospital reminding you to fast, or the credit card company going, “Hey, you missed a payment.” You're like, “Oh, I don't want to pay a bunch of interest.” It's a tough problem because there are calls people actually want.
I imagine even as a challenge with self-reporting stuff, because, well, I might be really annoyed that I'm getting a follow-up reminder and I might flag, “I don't want that.” I flag it as spam. Someone else, like, that's really important to them.
That's actually true, although what we've done is we've actually used AI to figure out what calls are about and what they're doing and combine that with data we've had overall from our audience to try to get the default right. We know we want to let reminders through. We want to let Apple's customer support when they call you back. We want to let that through.
We know if it's pretending to be Amazon, there's exactly zero chance that you'd head through. That knowledge of our audience and what's going on is really helpful to try to get it right. It's not perfect, but it really tries to sort through this stuff to help consumers.
What are some of the trends that you've seen? Because I feel like I have not received a… I've gotten sleazy telemarketing calls. I had one company that was calling me three times a day. And no matter how much I told them, like, “I'm never going to buy your contracting services,” I'd get a call in the afternoon. “Hey, are you doing any home repairs?” “No, I told you yesterday. I talked to Bob.” “The next day it's Bob again.” “Hey, do you have any home repairs?” No, it's a bad business.
But outside of that, like, I don't know that I've gotten telemarketing calls like, “Hey,” like a legitimate organization. “Hey, I'm selling life insurance. Do you want to buy life insurance?” Have you seen, like, legitimate telemarketing services drop off significantly?
I think legitimate telemarketing is still out there, but it's swamped by everything else, right? Legitimate telemarketing would be you want an insurance quote. You went to a website, gave them your phone number. Now three companies are calling for quotes. They leave an automated message asking you to call back. Totally legit.
That's a very small portion of what's out there. My guess is it's 2%-5% of all the telemarketing-like calls. The rest is random stuff about Medicare that's not necessarily legitimate. It's all the stuff about, “Hey, we can get you out of debt?” That's the dominant calls that are out there now. There's tons of that.
One trend is we're seeing more and more sketchy telemarketing, right? And that's harder to stop. You can't just block it all. You need to prove they don't have consent. It's like a whole process. We are seeing the scam calls go down. There used to be crazy amounts of scam calls, and there's fewer of them. There's a couple reasons why. One that's really kind of bad, which is they're targeting.
They're actually going to a list. I just saw a data broker got fined a bunch of money for selling a list of Alzheimer's patients. Can you imagine the scammers get ahold of the Alzheimer's patients and it's open season? They are doing that kind of targeting. That's bad. The good thing is they've switched to other modalities. They're not doing as many robocalls, the scammers, but they're doing worse things. They're sending emails with callback numbers for fraud.
You know, your Norton or whatever subscription just got billed 500 bucks. They're moving to iMessages, SMS in general, but things like iMessage, Facebook Messenger, other tools where it's harder for third parties to get in and help. The scammers are kind of taking all these different paths and they move to whatever, wherever water flows the easiest.
The scammers are kind of taking all these different paths and they move to whatever, wherever water flows the easiest. -Alex Quilici Share on XHave some of the techniques that you've been able to do for robocalls, are you able to apply those to text messages just through traditional SMS messages?
To some degree. The notion of looking at the content of messages to understand if they're fraud or not, that applies to [inaudible] where you transcribe it and look at it. It applies to SMS, it can apply to a bunch of stuff. That technique works. It's harder, for example, to block SMS for consumers to protect them. Android doesn't let you do that as a third-party app unless you become their messaging app, which, you know, who wants to switch, right?
You can just warn them. iPhone, it's a little trickier because you can't collect enough data to really know who did they attack, so you can go find that text and find the source of it right away reliably. Everything's a bit different, but the same principle of collect data, try to use that data to find out where stuff is coming from, that works regardless.
Has there been much success in going after the originators of these messages? Are we talking small organizations, large criminal enterprises, shady businesses?
It's all of the above. I'd say there's been very little progress against the shady telemarketers to this point. There has been a decent amount of progress against the really large-scale illegal robocallers who were doing tons and tons of calls with, like, sketchy telemarketing. There are some, there were just a sheer volume. They were spoofing the caller ID. That's actually a criminal offense that can go after them. I'd say there's progress, but not nearly as much.The scammers, have been some real progress. They've shut down some organizations and it takes a while for them to pop up again, but they do.
Is it more of going after, like, rather than going after the organization who's committing the crime themselves, are they going after the companies that are providing them the telephony services? Is that kind of where the success is?
When a carrier is intimately involved with the people making the call, aiding and abetting, there's been a lot of success in shutting down the carrier and those using that carrier, right? There's been actions there and when they do them, you see the total number of robocalls drop materially for a little while, at least a couple months before somebody else pops up.
So I think the struggle is to get the big carriers to really do more and make a bigger and more concerted effort to try to stop this. -Alex Quilici Share on XThe bigger carriers, it's tougher because the bigger carriers have an argument that says, “Hey, we have all this legit traffic. We're not trying to do this. It's just getting through because these other five carriers let it get through.” That's what's happening. So I think the struggle is to get the big carriers to really do more and make a bigger and more concerted effort to try to stop this. But there's a big argument: do they have a legal obligation or not? And that's going to go through the courts.
Yeah. And I assume that their argument is always going to be, “We don't ever want to risk blocking a legitimate call because then no one's going to use our service.”
That's right. They'll say, “We don't know if this is bad or not, right? Like, is this Amazon calling or is this somebody who pretended to be Amazon? Why would we know?” I think that's the problem. I think the way it's going to actually get worked on is there are carriers that are carrying all junk. If you're taking traffic from that carrier, you probably shouldn't, right? There's not any indication they're doing anything right.
You're going to see liability kind of move up the chain that way. Carriers have to do more diligence on where they get the traffic, and it'll push it all the way out to the ends where the most illegitimate carriers are.
Do you know what some of the techniques the scammers are using in terms of trying to get people to answer the call and make their initial calls more convincing?
The number one is a sense of urgency and usually financial urgency. One of the fan favorites out there is, “Hey, there's a charge for an iPhone of $1,800 on your credit card,” right? “We’re Amazon.” “We're Walmart,” whoever we are. Press one if that wasn't you. That's a really effective scam. Because even if you have an iPhone with live voicemail, you're going to see this transcription. “Oh, geez. That's Amazon calling. I’ve got to press one.”
That sense of urgency is really good on just when they start the call. Another one is they'll call and they'll be somebody like the sheriff's office. They'll spoof the number of the sheriff. Say, “This is a sheriff. There’s a warrant. We need to settle this immediately or people are going to come.” Again, it's putting fear into you, right? “Gosh, I didn't go to jury duty the last couple of years. Maybe they're after me. I did have a parking ticket.”
They leverage those things. And then they combine it now with personal data on you that they can get from data breaches. They can absolutely convince you, “Do you have account 44342?” You know, you're like, o\”Oh my God, it is. It must be in the bank. And it's not.” That combination of data and driving a sense of urgency is really effective.
I hate to ask it this way. Are they doing a good job of, “Hey, we're going to—we got Chris Parker's phone number. We're now going to call Chris, claim that we're, and I won't say, the local police department.” They're going to forge the caller ID, the local police department. Are they that advanced or are they still just…
They are absolutely.
The caller ID is from Pennsylvania and Chris is in California.
No, they are absolutely that advanced. I know I saw a Facebook post recently of someone who they pretended to be this sheriff's call from the sheriff's number. They actually had all his personal information. They actually got him in the car driving toward the sheriff's station. And as he's driving, they're saying, “Hey, if you want to settle this, you can pick up some gift cards. We'll take care of it. But otherwise we have a person out there in need.”
It was crazy detailed. They knew about the local, where the local sheriff's was. They knew the name of the local sheriff. It was a crazy-detailed scam to the point where this guy's pretty smart. I actually had to go call the sheriff. I muted the one call. The sheriff, “No, we're not doing this.” They just played along after that. He was actually nervous.
That's scary when there's enough information for you to go, “Well, maybe this is real.”
Especially things like taxes, right? Everybody messes up their taxes to some degree and this is the IRS. It just takes a little while. Like, “Wait, why are they calling? I didn't get a letter.” You have to kind of know how stuff operates to know it's really just obviously a scam.
With what you guys do, if you're listening on listings, maybe not that there's transcriptions of, let me ask, how do platforms like yours work in terms of determining the content of a call?
You're using AI to break the message or the audio into a whole bunch of different pieces. What's the topic of the conversation or the message? What techniques does it do? Does it match known bad behavior, but with some variance?… Share on XA lot of it is classification. You're using AI to break the message or the audio into a whole bunch of different pieces. What's the topic of the conversation or the message? What techniques does it do? Does it match known bad behavior, but with some variance? And so AI is really good at scoring it. Then what we do is when it scores highly, we know this is fraud.
Then we can see, “Well, who else is doing exactly the same thing?” Now that it's honing in, “Oh, it's coming from this carrier at scale, OK. What did that carrier get?” We can work with them and see the source of that tracing it back. And eventually, here's where it came.
Is there a challenge with the people that are perpetrating these that they're now using AI and those conversations. They're not playing the same exact message that they've customized. It's so much that it's getting harder for your side to tell that it's a pattern.
Absolutely. I mean, LLMs are a double-edged sword. The bad guys are using it to pick different names and different products that were purchased and different dollar amounts. It's not straight matching anymore, “Oh, this is the exact same message.” Every single message is different.
But they all have to behave the same way in principle. The LLMs are pretty good that, “Oh, it mentioned a name. Oh, it mentioned a product. Oh, it mentioned a negative action.” Like you have to press one to stop the transaction. If you put that stuff together, that's almost a 100% indicator of bad news. You can use an LLM to do that aspect of it.
Yeah, that's got to be kind of interesting to see, watch the cat-and-mouse game playing out.
And the sad thing is, you can think of the bad guys as marketers who are extremely motivated. They're adopting the tools immediately. They're the ones who, “If I can make a thousand robocalls and get a thousand victims, that's way… Share on XIt is. And the sad thing is, you can think of the bad guys as marketers who are extremely motivated. They're adopting the tools immediately. They're the ones who, “If I can make a thousand robocalls and get a thousand victims, that's way better than making a million. How do I actually reduce it so I call the people most likely to be a victim?”
Once I've called that person, how do I use all this data to get them to click, to take an action, to press one? Then once they're on the phone, how do I get them to do the next step using information about them to convince them I'm real? I mean, I wish these guys were trying to sell something legit. I'm sure they'd be good at it. But they're using their resources for these calls. If you do the math, it's exceptionally profitable. It probably costs on the order of a tenth of a cent to make a call that just hangs up. It's really cheap.
I mean, I wish these guys were trying to sell something legit. I'm sure they'd be good at it. But they're using their resources for these calls. If you do the math, it's exceptionally profitable. -Alex Quilici Share on XIf you get someone to answer, then it costs you something, but then you have a potential victim. We did the math. There were 50 billion robocalls, maybe 25 billion last year, that were sort of scammy or telemarketing, like trying to extract something from a consumer. Well, they made $25 billion on most estimates. It's a dollar a call. Those margins are better than Google. That's why they keep doing this. It's super profitable.
That's kind of scary that we're seeing the call volume go down with the total losses continuing to increase.
They're just getting better at it. It's like a marketing campaign where you start running a bunch of banner ads. You're paying a certain amount to get a certain number of subscribers. Over time, you can do fewer banners for the same money and get the same dollar amount. They're doing this with phone calls. They're doing it with texts. They're doing it with emails. They're just focused on optimizing. “How do I get the most out of each person I contact?”
Does that leave us in a position where we should just never answer our phones?
There's certain classes of people. I actually say if you are not expecting a call at a particular time from a particular party, don't pick up the phone. You can always call them back. It works, especially older people, even younger kids. They will just assume that really is whoever it is. Unless you absolutely need to expect a surgeon is supposed to call you in this window, don't answer the phone. It's kind of sad we've gotten to that point. But on the other hand, voicemail is not a bad thing. They leave a message if they're legit.
You quickly call them back. You press one, get ahold of whoever you need to. That seems like it's an OK way to protect yourself. You use tools that block stuff like our app that's going to filter out stuff or call screening or whatever other tools are there. You have less that you're going to answer. There are people who can't do this, but there's a lot of people. That is a great solution. An app plus don't call plus only call back through a number on a website.
Yeah, I'm one of those people who, unless I'm expecting someone to show up at my front door, I'm legitimately expecting someone that I don't necessarily know to call me at a particular time, every call goes to voicemail.
Yep, exactly. And that's a pretty good filter for a lot of the scams, right? They're not going to make any sense as a voice call that says press one, right? If you happen to get caught there, or it gives you that second, like I always tell everybody, take a beat. I know you get this thing, “Oh, somebody's calling about a charge.” Just pause for a second and don't just react right away. If it is Amazon, why wouldn't they let me just go to my Amazon account and press a button? And the minute you do that, a lot of stuff is just ridiculous, right? And then you can go, “OK, that's gotta be a scam.”
If we're paying for things with credit cards versus debit cards, we can always dispute the charge after the fact. We don't have to respond then and there on the phone.
Exactly. Although that's why some of the scammers do the bank account scam, which is, “Hey, someone's attacked your bank account. You need to transfer all the remaining money somewhere else so it'll be safe.” On the face of that, you and I look at that and go, “That's crazy.” But people panic, like, “There's my life savings.” “Wait, this said Bank of America or this said whatever the bank was, I better go do it.” They get just washed down this gully and it's just terrible for everybody.
Kind of on the adjacent to this is, you know, are businesses kind of at risk as well? Are they being targeted by the scammers? Because they're kind of in a position where I run a business, I need to answer my phone. I've got potential customers calling me. I can't just go, “Oh, I'll just let my customers go to voicemail.”
Absolutely. One of the things that's changed is business is not some weird landline in an office building anymore. It's people's mobile phones, right? They are getting these calls and they're getting it where they're answering their phone. They're like, “Wait, my Google listing’s bad. What's going on?” And the bad guys take advantage of, “Well, this is calling a business, right? I don't have all the normal consumer protections. I can robocall them. I can do things.”
The businesses get all the telemarketing. And what's really bad is they get that vision in this mission. They get the attempts to get into an enterprise through employees of the enterprise. “Yeah, this is your CEO. I really need you to go do this.” Or, “This is somebody from the operations. We need to verify your account or you’re cut off.” Then they get the bad guys use that to get in the network and total chaos ensues at that point. Business is really under attack and sometimes has more to risk.
Yeah, there was a company I worked for. And at one point, they were pretty small. There were a couple of times when the person who would normally answer the main telephone number was out. I would just try to be helpful. “I'll take all the calls when you're at lunch.” And I was the person no one ever wanted to answer the phone. “Who are you? Why do you want to talk to accounting? Do they know who you are?”
Absolutely. The thing about the enterprise or even smaller companies with 20, 30, 40 people, you're as vulnerable as your weakest link is. It's the weakest link of your employee’s personal cell phone, right? Because the bad guys go to LinkedIn, they find the numbers, they make the connections, they contact, they call everybody, they text everybody, you just need the one. That's what makes it so effective.
The thing about the enterprise or even smaller companies with 20, 30, 40 people, you're as vulnerable as your weakest link is. -Alex Quilici Share on XAre there any things that businesses should be doing to help their employees protect the business?
A couple of things. I mean, they've done these studies that show training helps, but only briefly. But what we've got is we've got some large customers now who are actually interested in
stopping anything that mentions their name or puts them at risk. For example, there will be a bank, there's people impersonating the bank, they're paying us to work with all the carriers to make that stuff go away, whether it's attacking a bank customer, it's attacking a bank employee.
They can actively invest in having less of this happen. But the problem is, it's hard for someone to go say, “Well, we're going to go and spend all this time talking to the carriers and hire a company to do that. Why don't the carriers just fix it?” They just kind of sit on their chair while more and more damage happens. But there are quite a few that are now starting to take real action to protect their employees that way, which is really going after the source of these things.
Gotcha. Is there any particular carriers we should gravitate to as consumers and any particular carriers we should avoid as consumers? Or does it really not matter which carrier we choose in terms of getting unsolicited calls?
We don't see any real difference between the carriers in the long run. There might be—a particular carrier puts in a new defense for a little while. Then we see all that carrier is doing better and the other big ones are doing worse. But in the long run, it's all the same. Because the bad guys find whatever source there is to make the call. And it's hard for the carriers to stop it.
Are most of these generated over are not domestic? Regardless of where the consumer is, are most of these not domestically sourced calls?
Most of the scam calls do originate from organizations overseas, right? Those are generally for not all, surprisingly. A lot of times it's like there's a SIM farm. They get the SIM farm, but the SIM farm might be in the US, but the people making the calls and initiating them are in some other country like India, Cambodia, Burma, wherever.
It's a big mix on what's involved in getting this call ultimately to the consumer. The telemarketing stuff is sketchy. Telemarketing is often from the US.
I remember a news story a few months ago that they found—I don't even know who found it—but there were a number of SIM farms found in abandoned buildings in New York with some setup that had 10,000 SIM cards on it in multiple locations. Is that the sort of thing that the scammers are using?
Exactly. That one was found because it was a secret service because the folks there had called some very high-level people in the government doing impersonation or called other people pretending to be those people in the government. There was a lot of very intense interest in shutting it down, but they're everywhere. It's easy to buy the equipment. If you don't buy the equipment to put SIM cards together, you can make it, grow it yourself, right? It's not that hard. They can put them in a van and drive around. I mean, it's really easy to get 5,000, 10,000 SIM cards blasting calls, and it's hard to stop.
And it makes sense as to why you would see that in a place like New York where you have really high population density, where you've got a building in it that might have 10,000 legitimate telephone users in it. The cell phone companies aren't going to see that as particularly unusual. But if I drop a 10,000-line SIM farm in some city in Omaha, Nebraska, some city in Nebraska that has a population of 600, that might look a little suspicious.
I guess, although I don't really get the carriers off the hook for that one. Because if you've got—these are prepaid cell phones. OK, so now you've got a huge number of prepaid cell phones initiating calls from the same location, which isn't Madison Square Garden.
Yeah.
It's, “Why are they doing this? Why are they making calls? Why are they all behaving the same way? Why are they calling all these people in all these other places?” Just some basics I think would have actually found that, but you would have had to know to go look for it.
Yeah. Do you suspect a time when the carriers will start looking more at that of
going, “Huh, we're seeing a whole bunch of connections or devices all behaving in the same way.” Who would they even call, or would they just disconnect the devices?
I think they get kicked, dragged, and screaming into doing those things to react to the past problem. But the bad guys will just find another way to do it. If you really wanted to start addressing the SIM farm problem, the first thing you do is you wouldn't let someone get a SIM unless you knew who they are.
When I go to my T-Mobile phone, it's like, “Let me bring my ID, my passport, like 10 things to get a new phone.” These guys got 100,000 numbers or whatever, 100,000 SIMs from a number of different prepaid providers, probably resellers in bulk, and no one asked a question. I think we have to start tackling KYC, knowing the customers everywhere.
But then that's not enough. You've got to then observe the traffic. “Does this make sense? OK, this is a dentist. Why is the dentist making a million calls? Oh, someone did an account takeover on his PBX.” That's the kind of thing that we're doing now, like looking for behavioral clues where this just changed. It's fundamentally not what it was before.
When you say take-offs of people's phone systems, do you guys provide a service where you monitor outgoing calls from an organization?
We do, but it's not our big focus. It's more as part of what we do, we notice that stuff. The PBX likely has a carrier associated with it. The carrier can hire us to watch all the numbers they have. And then we'll say, “Hey, these numbers are suddenly doing a bunch of weird things.” Then the carrier can talk to their customer and say, “Hey, we just found this. Let's go see what's going on with your PBX.” It's kind of indirect how it gets to enterprise. Well, there are a few that do that directly, but it's mostly at the carrier level.
How often does that happen where someone's PBX gets compromised? Because I remember when I was a kid, there was ways that you could call into someone's phone system and then get it to trigger to dial back out. But that was a one-at-a-time sort of thing.
I mean, now you need an account, right? You hack into an account doing credential stuffing, right? All of a sudden, you're in and a lot of these systems, like the school districts, it's 20 years old, doesn't have any of the security stuff. Nobody's patching it. There are lots of ways to get into it. Once you've taken over a school alert system, you can do whatever you want, right?
Because nobody's blocking those calls. You're going out to everybody. People expect big bursts at random times. They just go after it basically the same way they hack consumer accounts: hack every account that they can find on known platforms.
Oh, that's all just really disturbing.
We've had to talk about, “OK, what's the world look like?” I think the way it gets fixed is people start paying a lot more attention at every level. Every carrier should be watching every number it gives out for signals that that number is misbehaving. That's actually one of the services we provide, right? That's helpful. They need to know who their customers are. That's not a service we provide, but that's upstream. They need to act on it.
Once they see that, “Hey, there's bad behavior; they need to stop that customer. Its numbers are things they're supporting from another carrier passing through. They need to go after that.” I mean, everybody has to attack it really aggressively. And that's the challenge. I think if everybody did that, we make it harder for these guys and they move to other channels, which just means it becomes Facebook and Instagram and some other thing, but it's not on the telephony side.
It becomes somebody else's problem.
It does, and I think then they have to figure out how to apply the same techniques there.
Yeah, and hopefully everyone makes a collective decision of we all just need to do better about these kind of things. But I think, like you said, companies don't want to invest time, money, and resources into things that don't specifically positively impact their bottom line.
Exactly. It's really—a lot of it is insurance, right? It's going to insure us against some potential big, risky event in the future. Everybody wants to pay as little for insurance as possible and put it off and not insure for all sorts of stuff. That's the world we sit in. With carriers, it's even worse because they make money from this stuff, even if they don't mean to. Somebody makes a million robocalls, that's profit. Somebody sends a million texts, that's profit.
They have a double whammy, right? They will lose revenue, and it's going to cost them money. What's going to happen, it's really clear that the government is ramping up enforcement. We see the AGs have a task force. We see DOJ going after folks. When they do it every quarter, it kind of keeps things level. If they could do it every month, you start seeing this stuff decline. I think you're going to see an acceleration in enforcement over the next 12 months or so. That will start pushing this somewhere else.
Where do you suspect the somewhere else will be next?
I mean, it's clearly social media is where there's a lot of scams and younger people, right? Facebook, Instagram, Snapchat, TikTok. You're going to see more and more stuff over there. It's just it's more work to make videos and try to scam people that way and break into their Instagram account. But it's going to happen. It's just going to move.
Are there any particularly interesting scam or spam campaigns that you've seen and just thought, “Does that really work?” Or, “Why in the world are they using that approach?”
The biggest one is Publishers Clearing House. They impersonate Publishers Clearing House and say you won some great prize. At first, it was, “We need money to do the check, print the big check and go to your house.” You’ve got to do all this stuff. How does that work? But it's successful. It's still going on at scale. People fall for it. Then it just comes back to human nature. “Oh, I won some. That's really cool.”
And it's such a big win that you don't think about, “Why is that real?” That's the thing that all these scams have in common. It's like some elements of, “Hey, this is awesome.” And they forget to question. “I don't want to question it. I've got a Mercedes and a million-dollar check.” That's great. Why question it?
And I think someone is like, I think Publishers Clearing House is a good example because I think most people don't even understand how that works. They just see—I don't think they rent commercials anymore—but I used to remember seeing commercials for them all the time of them delivering big checks to people. It was always like, as the younger me was like, “Why are they doing that? It doesn't seem like that.”
I've never seen a lottery commercial from them. It's like, “How do they make the money and why are they doing this? Do these people even know?” I think because so many people are familiar with the name that they figure, “Oh, maybe it is just some sort of random thing that they do for some reason.”
Absolutely. You nailed it when you said they're familiar with the name. When they hear like a voicemail from Walmart that someone bought a PlayStation in their account, they've heard Walmart. They know PlayStations. They can imagine someone hacked their account. Press one.
I guess if it's, you know, “Hey, this is from Bob's Dentistry. You haven't paid your dental bill.” And you're like, “I don't use Bob.”
And it's my down bill.
They must have the wrong Chris. They're going to go somewhere else.
Exactly. The big brands, that's the double-edged sword, right? People recognize them, but the bad guys can impersonate them.
As we kind of wrap up here, you know, we've talked a little about consumers can do some of the things that business can consume. Are there a couple of rising categories that people need to be particularly aware of if they're getting calls about? I think we've all gotten the Medicare calls.
We've all gotten the, “We can get you a lower rate on your credit card.” We've all gotten the, “Hey, you know, someone bought something using your credit card. We think it's fraud. I don't know why we didn't stop it, but we're going to ask you anyway.” What's kind of the new sleeper thing that you think is coming next?
Well, I think impersonation is scaling. We saw the toll road tech scams that, “Oh, you went on a toll road? You owe some money.” My brother got caught with that. Just tapped the button. “I think my wife must have driven on that road. I'll just pay for it.” Then all of a sudden, it just felt weird. But by then they've already gotten a credit card number.
That was so successful. We then saw the DMV impersonation. Whenever you see a few of those, you're going to see a bunch more, right? Those are scaling. Unfortunately, the crypto and romance scams are scaling. Those are really effective because they just seem like normal text messages. “Hey, did you get the bag?” It's not, “You got the wrong number. Oh, what is this?” You go down a path. So I think you're going to see those continue to scale and hit more people.
Going after Medicare health insurance for older people, impersonating big banks, impersonating e-commerce, impersonating healthcare. I think healthcare is going to rise. -Alex Quilici Share on XOn the call front, the old favorites just work, right? Going after Medicare health insurance for older people, impersonating big banks, impersonating e-commerce, impersonating healthcare. I think healthcare is going to rise. You're going to see more and more impersonations of the United HealthCares and that the Kaisers because people have a relationship with those brands. You can have the country with each one. That's going to make it easier for people to respond. You will just see more and more of that stuff. Keep going.
I can see, like, the healthcare one being particularly effective because my wife and I were just recently talking about this. She had gone and seen the doctor and she, “Hey, they didn't collect the copay.” I remember that—I remember this group. They don't collect it for a while.
Then, like six months later, I get a letter in the mail saying, “Hey, you haven't paid your copay.” Nothing ever goes right with medical billing. I could totally see that as being something that everyone's really annoyed with. And it was like, “Oh, well, I did recently go see a doctor. Maybe they coded the exam wrong.”
There's that. And there's also, “Oh, your insurance has raised in price. Your employer hasn't made the difference up. We need X dollars if you have your credit card or your coverage ends tomorrow.” It's anything where there's a sense of urgency, a known brand, known experience, and real consequences. If you don't, in theory, if you don't do it, that's the magic set of triggers. It gets this emotional reaction. “I’ve got to do something.”
It's anything where there's a sense of urgency, a known brand, known experience, and real consequences. -Alex Quilici Share on XThe adage of just take the information. “OK, thank you very much. I will call back and deal with this.”
Exactly. “Oh, no, I can't deal with it now.” They'll go, “No, no. If you don't deal with it now, all these bad things happen.” “It's OK. I'll live with that.” People just have to be able to say, “I'll live with that and know that nothing's going to happen.”
“I'm driving right now. I'll call back when it's safe for me to have a conversation.”
That's right. “My cell phone battery's dying. Sorry, I'll call back,” right? Just something to get out of the conversation.
That's particularly—it’s just awful that we even have to have this conversation. But I think as long as telephones have existed, I feel like there's always been someone trying to run some scam somewhere.
There has. Now, the good news now though, is that you don't have to use the telephone network for all your communications with, say, a bank. You can see this coming where the bank apps that are on all our phones, except maybe the most elderly, those apps are going to be what they call it. They're going to do a push notification: “Press here to talk to a rep.” You're going to see, unfortunately, or fortunately, a lot of traditional telephony is going to move to other channels. But those channels can be really secure.
Do you see more a rise in scam and fraud? Because, I probably get more fake connections on WhatsApp than legitimate ones, or more fake calls in some of these platforms than I would elsewhere.
Yeah. If you're open on any of those platforms where anybody can call you, it's just a disaster. I've really locked it down to where if they're not a contact, I don't care. It's so, “Oh, you want to watch me? Well, here, here's how to do it.” I think people have to do it. You just can't be open season where you're in the white pages.
Then again, I feel bad for people with small businesses because, like, you have to take those, you have to take the calls. You are the brunt of all that drama.
What's interesting is small businesses actually are the most willing to pay for solutions. With our app, we have a free solution, which is just a known spammer list, block what we can, and do some label voicemails. But we have a paid service in that the lowest tier paid service has an audio capture. To get through automated systems would have to press one, two, three or whatever the magic is. They can't, but people can get through.
The service after that automated capture will say, “And who are you?” Now your caller ID says, “It's this person you know.” They're a person. They got through. Now you can answer the phone. There will still be some scammers are calling one at a time, but it's way less. And businesses will pay for that. They'll pay for another number they can give out to separate their cell phone from other things, but still answered on their cell phone. I think the businesses are actually driving a lot of the investment in solutions that then apply to everybody.
That's interesting, like how the audio captcha, how does that work? What does the mechanism look like for someone who's making the phone call?
They'll hear, “Hi, this user is protected by email. In our case, press one, two, three to get in,” and it's always a different one or two digits, right? They press it and it's great news. We just need to know who you are and we'll try to find them. And that's it. We don't ask why are they calling because none of that really matters. It's just who is it? “Oh, Chris Parker. Oh yeah, I expected a call from him. I'll pick up the phone.”
All the unknown calls get routed through us. We don't ring until they process this and then just avoid call to ignore our mechanism on the phone.
That's a neat solution. Do you find much pushback from legitimate callers on that sort of thing?
The two things that we had to do to make it work well is we had to know where the good numbers were. We had to build up a big database of likely good numbers where even though it's automated, it doesn't go through the captcha. We built up that list. We can tell when it's being spoofed and that's been a ton of work. The other thing is that the audio prompt for the caller is, you know, grandma hears that when she calls you. Why am I pressing one, two, three? Took a lot of work to work on that.
And there's a little pushback of, “I don't want my grandma to do that.” “Well, then just put her in your contact list and you're good, right?” There's a little bit of work around the edges. But by and large, I mean, I'm a raving fanatic about it because I was getting about 150 calls a month that were just crap, right? They just call, hang up. Now it's down to two or three and it's just a sales guy on the other end who did all the work.
And you're almost obligated to. No, you don't.
No, that's what voicemail's for. Don't let the good voicemail and I can call them back.
If people want to learn more about the product offerings that you guys have, where can they find out about it? Who are your different audiences that you provide services to?
Sure. As an individual, you go to YouMail.com. That protects you as a consumer. If you're using your cell phone to run a business, that's all our services are there. And you can go to the App Store and download YouMail. If you're a carrier, we have a website called youmailps.com/protective-services. That explains all of our services for carriers and for enterprises and how we can help take down all of the phone numbers that the scammers are using and other things that we can do.
Awesome. Are you open to people trying to connect with you directly?
Yeah, connect with me on LinkedIn. I leave that pretty open. Just don't appear to be a scammer.
Do you ever guys put out numbers that you want scammers to call? Do you do honey trap phone numbers?
We have what we call honeypot numbers, but we've actually gone to different carriers and gotten hundreds of thousands of numbers that just sit there. It adds up in the tens of millions overall. And they just sit there and get calls. They don't try to encourage the calls. It just means the bad guy is so dumb. They're just calling random numbers. But we pick up all sorts of signals. If they hit numbers at scale, that's enough to get information for enforcement, take an action or for a carrier to understand, “Hey, you're calling honeypots more than real people.”
Yeah, I guess that's a good giveaway. When you dial a million telephone numbers that have been out of service for over a year, it's a little bit on the suspicious side.
Absolutely. That's the best way to do it. It means someone had an auto-dialer. They need to bother to configure with the targeted list.
Awesome. Alex, thank you so much for coming on the podcast today. I really appreciate your time.
Thank you for having me on. It was a lot of fun.
