DOJ Accuses AT&T of Millions of Dollars of IP Relay Fraud
AT&T overcharged U.S. businesses millions of dollars by improperly handling and billing thousands of Internet Protocol relay calls made by Nigerian scammers, the Department of Justice alleged in a complaint filed Wednesday. The DOJ says AT&T violated the False Claims Act by seeking payment for IP relay calls made by international callers who sought to use the system for fraudulent purposes. The Telecommunications Relay Services Fund has reimbursed AT&T more than $16 million since December 2009, and up to 95 percent of those payments were made for non-compensable IP relay calls, the complaint said.
“AT&T has followed the FCC’s rules for providing IP relay services for disabled customers and for seeking reimbursement for those services,” spokesman Marty Richter said. “As the FCC is aware, it is always possible for an individual to misuse IP Relay services, just as someone can misuse the postal system or an email account, but FCC rules require that we complete all calls by customers who identify themselves as disabled.” The spokesman declined to comment specifically on whether AT&T purposely adopted procedures to allow fraudulent users to keep its IP relay call volumes up.
IP relay allows hearing-impaired individuals to place telephone calls by typing messages over the Internet that are then relayed by communications assistants who speak to the called party over traditional phone lines. The TRS Fund, which is made up of statutorily mandated contributions from carriers providing interstate telecommunications services, reimburses IP relay providers at about $1.30 per minute. FCC rules say that calls from outside the U.S. are not eligible for reimbursement, but DOJ says that since the fund’s inception in 2002, overseas callers have used the system to defraud merchants in the U.S. by ordering goods with stolen credit cards and counterfeit checks. Callers engaging in such schemes “take advantage of the anonymity provided by the IP Relay system,” the complaint said.
In late 2008, in an attempt to combat the growing fraud, the FCC required all IP relay providers to register their users and verify the accuracy of each user’s registration information. This spurred AT&T to act, the DOJ said. “In response to fears that its IP Relay call volumes would drop once fraudulent users were prevented from registering and making calls on its system, AT&T adopted electronic registration procedures that it knew would not verify that each user was located at the U.S. mailing address provided,” the complaint alleges. “AT&T also failed to adopt any procedure to detect and/or prevent dozens of fraudulent users from registering with the same U.S. mailing address, despite knowing that this was occurring on its system.”
As a result, AT&T has billed the TRS Fund for “thousands of calls by international fraudsters,” the complaint said, claiming that fraud made up 95 percent of AT&T’s IP relay calls since November 2009. “With its knowing facilitation of this high volume of fraudulent calls, AT&T has thereby undermined the IP Relay fraud prevention efforts of the FCC, which informed AT&T of its concerns about the company’s registration procedure before it went into effect,” the complaint said.
An FCC spokesman said the commission welcomed the DOJ’s filing, which arose from an investigation that the Commission’s Office of Inspector General actively assisted. “Fraudulent IP Relay practices are a serious problem the Commission has been addressing, and the Commission’s Enforcement Bureau also has ongoing investigations of IP Relay practices,” the spokesman said. “We will continue to work with DOJ and other law enforcement authorities to protect these critical services from abuse.”
Complaint Details
The DOJ filed as an intervenor in an ongoing whistleblower suit filed in Pennsylvania by Constance Lyttle, a former Communications Assistant (CA) who worked in one of AT&T’s IP Relay call centers. DOJ’s complaint lays out a detailed set of facts describing AT&T’s history of dealing with IP fraud: In 2004 AT&T personnel examined IP addresses associated with its IP relay users and found that they were originating calls from overseas to commit “commercial and financial fraud,” the complaint said. AT&T adopted a “pegging” system in which CAs manually flagged the IP address of callers they suspected were fraudulent, and then AT&T periodically blocked IP addresses associated with fraudulent usage. But by 2007 an AT&T employee estimated the IP relay product was “probably being used 50% by non-deaf people out of convenience or fraud,” according to an email quoted in the complaint.
In 2008 the FCC adopted a system requiring registration of all TRS users, and assignment to each user of a ten-digit telephone number (CD June 26/08 p2). The assignment required IP relay users to provide registration information, including their location, by November 2009. AT&T began implementing the registration requirements in April 2009, sending postcards with verification codes to U.S. mailing addresses. But by September 2009, AT&T had registered only 20 percent of its existing users. “AT&T knew that most or all of the unregistered users were international fraudsters,” the complaint said, alleging AT&T relay managers grew concerned about losing IP relay customers to competitor providers. “The short-term growth in minutes is good as it protects our ‘09 business plan; but when Nov. 12 arrives (7 weeks) we are expecting a serious decline in [Internet relay] traffic because fraud will go to zero,” Burt Bossi, a manager of AT&T’s relay technical team, told relay Director Greg Smith, according to the complaint.
In response to these concerns, AT&T relay managers decided to change from the postcard system to an electronic registration process. The AT&T relay managers who devised the new process “knew that this system would not verify that each user is actually located at the provided U.S. mailing address or that the person is who he says he is,” the complaint alleged, claiming the new registration system was approved by then-Senior Vice President-Business Development Susan Johnson.
In an ex parte conference call, FCC officials questioned whether AT&T’s proposed process complied with its rules mandating that providers verify the accuracy of registrants’ names and mailing addresses. The FCC specifically questioned how the process would address IP relay fraud issues. After participating in the call, Mike Yoest, AT&T’s regulatory liaison for the company’s Customer Information Services group, sent an email summary to several AT&T employees saying “the procedures we seek to implement do not technically comply with the language of the FCC’s” rules. After AT&T implemented the new registration process, new user registrations increased from about two per day to 40-100 per day. “Despite its knowledge that its eRegistration … was facilitating abuse of its IP Relay system by a huge number of fraud callers, and despite the belief by many relay managers that a different system was needed to address this problem, AT&T has not stopped using the eRegistration system,” the complaint said.
“Since April, 2011, on each monthly claim for payment from the TRS Fund, AT&T Senior Vice President Susan Johnson has signed a statement certifying that the minutes submitted for reimbursement ‘were handled in compliance with section 225 of the Communications Act,’” the complaint said. “Every one of these monthly certifications is false.”
Refreshing the IP Fraud Record
Last month the FCC Consumer and Governmental Affairs Bureau sought to refresh the record on several issues pertaining to misuse of the IP relay service, including issues it initially raised in a notice of proposed rulemaking in 2006 (CD May 4/06 p8).
Sprint Nextel said it “fully complies” with the requirements imposed by the FCC’s 10-digit number verification regime, although it has “long doubted” that this system alone could address the FCC’s concerns about controlling and minimizing fraud (http://xrl.us/bmy5wx). Therefore Sprint hired a supplier of real-time identity verification solutions that compares the information received from Sprint with information in databases of public and commercially available information such as voter registration, motor vehicle information, property and Social Security records. Sprint also checks the IP address to ensure the registrant is using a device located in the U.S. That said, Sprint noted that criminals in Nigeria, Ghana and Russia “have the incentive and the means to develop ways to evade” fraud prevention efforts. Sprint said that shortly after discovering the problem, it created a database of international IP addresses with which to block calls to its relay centers. Although the method is costly, it “was, and continues to be, effective” in controlling the volume of international calls it receives, Sprint said.
But international callers can sometimes obtain IP addresses from American companies providing hosting services in foreign countries, making the call appear to have originated from a domestic location. Therefore, Sprint said it utilizes a “call intervention program” to further minimize international fraud. The intervention program encourages CAs to place callers on hold while they advise merchants about possible fraudulent activity.
The FCC prescription of a detailed regulatory framework to deal with fraudulent IP relay calls “could be counterproductive,” Sprint said, because it may “provide bad actors a roadmap for ways to circumvent” fraud prevention procedures.
Sorenson Communications, which offers IP relay services, said the FCC could “virtually eliminate misuse of IP Relay almost immediately” by no longer requiring providers to allow users to make IP relay calls before their eligibility has been verified (http://xrl.us/bmy5yz). “In Sorenson’s experience, virtually all IP Relay misuse is attributable to users who have not been verified, so closing this loophole would resolve the problem almost immediately.”
The Commission could also require CAs to monitor the calls they handle for certain indications of misuse, Sorenson said. Sorenson’s CAs already alert the hearing party of the issue and offer to terminate the call. That procedure “has largely eradicated misuse of the service,” Sorenson said.
But a coalition of consumer groups representing the deaf and hard-of-hearing expressed alarm at the idea that CAs may independently monitor calls for signs of abuse. “Permitting CAs to screen out, block or terminate calls, or even warn the other party that the call may be fraudulent is not functional equivalence and violates the mandates of Section 255,” said comments filed by the National Association of the Deaf, the Association of Late-Deafened Adults, and others (http://xrl.us/bmy5h9). Section 255 of the Communications Act requires that products for people with disabilities be as efficient and accessible as possible. “It is the expectation of privacy in calls that makes free and open communications possible. Confidentiality is one of the sacrosanct” principles of relay services and “must never be compromised,” the groups said.
The groups said providers should not be allowed to keep any transcripts or records beyond the duration of the call, even if the provider assumes it’s an illegitimate call. “We fear that the rights of deaf and hard of hearing people may inadvertently be violated and records will be made of legitimate calls,” the comments said. “Even the slight possibility that a user’s legitimate call might accidentally or unintentionally be recorded and stored will taint the trust in the confidentiality of the relay system.”
Last month, the Florida Public Service Commission approved a three-year contract with AT&T to provide relay service to about 3 million hard-of-hearing, deaf, deaf/blind, and speech-impaired Floridians (CD Feb 15). The agency said that, of the three bidders, AT&T was the only company opting to locate a call center in Florida.