By Brian Fung, CNN Business
No sentence in the English language may be more infuriating than the following 12 words: “We have been trying to reach you about your car’s extended warranty.”
If you’ve picked up the phone in response to an unknown caller anytime in the last several years, chances are you’ve encountered this incessant and irritating automated message. But according to state and federal officials, just two men may be responsible for an overwhelming share of the billions of auto-warranty spam calls that have hit US phones.
Now, a new lawsuit in Ohio is trying to cut them off at their source, following a years-long effort across the public and private sectors to turn the tide on the scourge of robocalls once and for all.
In a complaint filed last month by Ohio Attorney General Dave Yost, the ringleaders of the auto-warranty robocall scheme are identified as Roy Melvin Cox, Jr. and Aaron Michael Jones, two California individuals described as repeat offenders of US telemarketing rules.
Using a web of shell companies, aliases and fly-by-night phone providers allegedly under their control, Cox and Jones have allegedly sent billions of robocalls nationwide since 2018 offering vehicle service contracts misleadingly characterized as car warranties, according to the suit. The scheme that inundated consumers with calls they never consented to has made millions of dollars, Ohio alleges, by acting as a middleman between call victims and salespeople for shoddy service contracts.
“It is the most sophisticated illegal robocall operation I have ever seen, by an order of magnitude,” said an enforcement official at the Federal Communications Commission, speaking on condition of anonymity because they were not authorized to speak publicly.
The Ohio suit seeks millions of dollars in fines for alleged violations of state telemarketing and consumer protection laws, alongside the nation’s premier telemarketing law, the Telephone Consumer Protection Act.
Cox and Jones, along with their alleged front companies and attorneys, did not respond to CNN’s requests for comment.
It’s the highest profile case in years concerning illegal robocalls — an issue Yost described to CNN as a “biblical plague of locusts that’s descending on our cell phones.” Last year, Americans received an estimated 21 billion scam robocalls, according to YouMail, a robocall blocking and analysis company. Consumer advocacy groups say unwanted robocalling costs Americans an estimated $30 billion a year, ranging from money lost directly through fraud to as much as $3 billion a year in lost time and nuisances.
“If a slap on the wrist doesn’t work, punch them in the face and knock them out,” Yost said in an interview. “Take every dime they’ve got.”
The Ohio lawsuit is not the first to take on a major robocalling campaign, nor even the first to target Cox and Jones, who have both been sued by the federal government before. But the case provides a unique window into how some of the latest robocall scams work, as well as the novel tactics investigators are developing against them.
The same day Ohio filed its suit, the FCC told telecom providers they could voluntarily stop servicing the operation’s robocalls, and eventually ordered all US providers to block the calls outright. By late July, the volume of auto-warranty spam calls in the US had fallen sharply, from an estimated 5 million per day in June to 1 million, an 80% reduction, according to a YouMail analysis. The numbers do not appear to have recovered since.
“The warranty calls from Cox/Jones — the ones the AGs and others went after — are down to near zero,” Alex Quilici, YouMail’s CEO, told CNN in an email. “There are other warranty calls out there — probably in the 500k-1m range — but they are from other folks. So the biggest culprits have been effectively shut down, and now it’s on to the smaller fry.”
The data show illegal robocalls do appear to be trending downward overall, according to Quilici. “If you look back since the October 2019 peak, there are definitely fewer illegal robocalls, no matter how you slice it,” he said.
The crackdown reflects what authorities describe as a wider coordinated effort by all 50 states, the US government, and the telecom industry to combat illegal robocalling. It involves not just litigation against individual robocallers but also unprecedented pressure on phone providers to stop carrying the bogus calls in the first place. Forcing phone companies to block the calls may seem obvious, but it’s taken years for the necessary pieces to come together, including new tactics and technology, as well as new laws.
While it may not feel like it yet, experts and officials express optimism that the country may finally have reached a turning point. As the Ohio complaint shows, however, officials are also up against a creative, committed and ever-adaptive foe.
A new way to combat the robocall epidemic
For years, and across multiple administrations, the robocall epidemic only seemed to grow despite bipartisan agreement something had to be done. Then, in 2015, a group of US phone providers came up with a way to collaboratively trace illegal robocalls back to their point of origin.
That technique, known as an industry-led “traceback,” has turned painstakingly manual forensic efforts into a more digitized, automated process. Starting with a consumer’s own phone provider such as AT&T or Verizon, every traceback compares a robocall’s metadata — including the phone numbers involved, which provider last handled the call, and when — with matching data from the previous upstream provider. That provider then does a similar analysis, and so on.
The investigation continues back up the call custody chain until it reaches a provider that either doesn’t respond to the probe or acknowledges having generated the call for a customer in the first place. Then authorities can investigate both the originating voice provider as well as the robocalling customer. Over half of all tracebacks result in the originating provider cutting ties with the customer whose robocall triggered the probe, according to Josh Bercu, vice president of policy at USTelecom, the trade association behind the multi-provider traceback consortium.
Despite the new technique’s rapidly apparent benefits, however, it has taken years for it to become mainstream through legislation. In 2019, tracebacks became a congressionally approved investigative tool in the TRACED Act, a landmark anti-robocall bill. Thanks in part to that law, all US voice providers must now comply with traceback requests.
The industry traceback group now processes hundreds of tracebacks a month, and it’s widely credited with saving law enforcement critical time and resources.
“Before we built this mechanism, the FCC would do this same thing, but they would have to send a subpoena to each provider along the way,” said Bercu. “In those days, tracing one call would take the FCC two to three months. We’re often getting that same data in a day or two.”
The information generated by tracebacks has identified specific phone providers responsible for dumping huge volumes of robocalls onto the US phone network. In the Ohio case, the data combined with law enforcers’ own investigative tools led authorities to Cox and Jones, according to the complaint, which adds that tracebacks have linked their operation to more than 300 distinct auto-warranty solicitation campaigns since 2018, each of which may have been responsible for hundreds of thousands if not millions of robocalls.
A high-stakes game of hide and seek
Accused of running eight phone providers that pumped out billions of unwanted calls for years, Cox and Jones are well-known to regulators. Both have been sued before by the Federal Trade Commission for other telemarketing violations and were ordered to cease their activities.
Yet the two men persisted, taking advantage of the fragmented nature of the US phone system and using its vast scale to help conceal their operations, officials say.
The scope and detail of the alleged scheme were staggering, according to the FCC official, who described an interlocking set of front companies, several of which were based in countries such as Hungary and Panama, and in some cases were led by people who were not known to each other. According to the Ohio complaint, some members of the scheme even appeared not to exist, except on paper.
Reached via LinkedIn message, one of the named defendants in the Ohio case, Jóvita Migdaris Cedeño Luna, told CNN she was recruited by Cox and has performed “administrative work” for Sumco Panama, one of the alleged front companies named in the suit, since 2019. But she claimed not to know Jones, the second accused ringleader. (The suit claims she is in fact Sumco Panama’s director and president as listed in the company’s Panamanian registration, and directly received money from voice providers controlled by the operation.)
To make its activities harder to detect, and presumably to seem more legitimate, the operation allegedly bought or rented millions of phone numbers that could be used to place unwanted calls, according to the complaint. It adds that Jones even allegedly hired a developer to build a bot, powered by artificial intelligence, that could interpret would-be victims’ responses and route them to salespeople.
The robocallers were also adept at playing hide and seek, according to USTelecom’s Bercu. When a traceback would uncover one of the voice providers the group was allegedly using to place its calls, the ringleaders simply spun up operations at a different business to generate the calls instead, Bercu said.
The operation’s nimbleness shows how challenging it can be to take down a robocaller for good, according to Margot Saunders, a senior counsel at the National Consumer Law Center who works with victims of telephone scams. It’s a multi-faceted problem that no single company, government agency or policy can solve on its own.
“All of these unwanted robocalls are undermining the value of our telephone system,” Saunders said. “This is a critical piece of our national infrastructure … and the more these calls invade the telephone system, the less people use it and trust it.”
The crackdown targeting Cox and Jones is just one of several recent enforcement actions against unwanted robocalling. In 2018, the FCC issued a $120 million fine against Adrian Abramovich for making nearly 100 million illegal robocalls using manipulated caller ID information. Last year, the FCC announced a $10 million fine against Scott D. Rhodes for allegedly manipulating caller ID information in a series of abusive robocall campaigns. A few months later, the FCC also proposed a $225 million fine — the largest in agency history — to John C. Spiller, who was accused of sending a billion robocalls to consumers and selling short-term health insurance plans.
In the case of Cox and Jones, federal officials took aim at the scheme more systemically in relation to the entire telecom ecosystem. The FCC is increasingly putting other telecom providers on notice that they are responsible for stemming the tide of illegal robocalls too, and those that don’t will be held accountable.
“The message is out there to industry, especially with the recent Ohio-FCC action, that you need to police your network. You need to stop this illegal traffic from getting out there,” said James Evans, an attorney in the Division of Marketing Practices at the FTC.
The mechanics of the move illustrate how future mass takedowns could work.
On July 21, the FCC publicly named all of the individuals and businesses allegedly part of Cox and Jones’ network, and ordered US voice providers to stop carrying their traffic. Companies that keep passing on the illegal calls could face consequences themselves, including potentially being forced out of business, the agency warned. While the spammers may simply create new shell companies in response, providers now know that if a business customer shows any ties to Cox and Jones, it’ll be the provider’s responsibility to act.
Giving the FCC order teeth are two important tools the agency didn’t have until a few years ago.
First are the industry tracebacks. Until recently, robocallers have largely been able to stay a few steps ahead of the authorities partly because of how long the investigations could take. Now, not only have the tracebacks reduced the time it takes for investigators to home in on the worst offenders, but they also let officials respond more quickly when those offenders try to spin up alternate operations.
The second tool is the threat of being cut off from the telephone network. The TRACED Act required the FCC to set up a database to track what providers are doing to curb illegal robocalls. Every voice provider in the country must file paperwork on their robocall efforts and be listed in the database to be allowed to receive traffic from other providers. Being de-listed means other providers cannot connect to the blacklisted provider.
In its July 21 order, the FCC warned that threat doesn’t just apply to Cox and Jones’ companies. Voice providers that don’t take steps to block the operation’s calls could find themselves under investigation and potentially cut off from the rest of the US telephone network, too. Removing a provider from the database is not a minor setback. It’s a potential death sentence, according to the FCC official, because a provider that can’t send or accept traffic from others won’t be able to stay in business.
This spring, the FCC said it was looking at ways to expand its approach, including potentially the automatic de-listing of providers tied to illegal robocall activity. The agency also proposed expanding the use of call authentication technologies that can help verify that a caller’s caller ID is accurate. And the FCC has heightened its know-your-customer expectations for carriers, the FCC official said.
More to be done
All of these developments are largely aimed at what happens after a robocall makes it onto the US phone network. But perhaps half or more of illegal robocall traffic, according to the FCC official, originates from outside the United States, often in places as far away as India and Pakistan. To go after the individual robocallers overseas, US officials must depend on the cooperation of international counterparts, which doesn’t always work out.
The crackdown on robocalls domestically reflects an effort to control what US officials can control. But here too the government could do more, said Saunders.
One of the most effective changes, she said, would be for the FCC to create a bonding and licensing system for voice providers, then seize their bond or revoke their license if they repeatedly break telemarketing rules. (The FCC official acknowledged this would likely be within the agency’s authority to do but could require significant new regulations.) Another idea, she said, is to wield database de-listing far more aggressively rather than waiting for a full and exhaustive investigation that could take months.
The overall focus on the providers that facilitate the robocalls is the right approach, she said, because it targets the problem at scale, forces well-intentioned providers to become part of the solution, and makes illegal robocalling more costly.
“Studies have shown repeatedly that in order to deter illegal behavior the punishment needs to be clear, swift and significant,” Saunders said. “The FCC needs to figure out how it will cost the providers more money to keep making these calls than it will to stop making the calls.”
Authorities could also look at bringing criminal charges against repeat offenders. In the interview, Yost told CNN that option is still “on the table” for Cox and Jones.
Repeat violations of FTC civil settlements have also been known to lead to criminal contempt of court charges, Evans said. But federal decisions about bringing criminal lawsuits would fall to the Justice Department, not the FTC or FCC. While DOJ has sued some robocallers to obtain their fines, experts like Saunders say criminal prosecution could be messy and time-consuming, when other alternatives already exist.
Even as illegal robocalls appear to be on the decline, said YouMail’s Quilici, it isn’t clear “how steep and sustainable that trend is.” The decline has coincided with reports of a troubling rise in text messaging spam.
— CNN’s Paul P. Murphy and Gabe Cohen contributed to this report.
™ & © 2022 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.