Imani N. Sherman (University of Florida), Jasmine D. Bowers (University of Florida), Keith McNamara Jr. (University of Florida), Juan E. Gilbert (University of Florida), Jaime Ruiz (University of Florida), Patrick Traynor (University of Florida)
Robocalls are inundating phone users. These automated calls allow for
attackers to reach massive audiences with scams ranging from credential
hijacking to unnecessary IT support in a largely untraceable fashion.
In response, many applications have been developed to alert mobile phone
users of incoming robocalls. However, how well these applications
communicate risk with their users is not well understood. In this
paper, we identify common real-time security indicators used in the most
popular anti-robocall applications. Using focus groups and user
testing, we first identify which of these indicators most effectively
alert users of danger. We then demonstrate that the most powerful
indicators can reduce the likelihood that users will answer such calls
by as much as 43%. Unfortunately, our evaluation also shows that
attackers can eliminate the gains provided by such indicators using a
small amount of target-specific information (e.g., a known phone
number). In so doing, we demonstrate that anti-robocall indicators could
benefit from significantly increased attention from the research
community.