Home
 » ISP News, Key Developments » 

Ofcom Introduce New UK Rules to Tackle Mobile Messaging Scams UPDATE

Wednesday, Jul 15th, 2026 (8:41 am) - Score 1,760
Three-UK-Parcel-Fraud-scam

The UK internet content, telecoms and media regulator, Ofcom, has this morning published a “comprehensive package of practical measures” to help UK mobile network operators “block, limit and disrupt scammers” from sending messaging scams. In addition, they’ve strengthened rules to help protect people from international calls that imitate – or “spoof” – UK mobile numbers.

Most of the United Kingdom’s major broadband, phone and mobile network operators have already implemented various technical measures to tackle things like Nuisance Calls, Scam Calls and Scam Texts (e.g. mobile operators block an estimated 600 million+ messages each year).

NOTE: Estimates based on responses to formal information requests indicate that mobile operators’ scam detection tools blocked an average of c.50 million messages each month between January and March 2025. This year some 40% of UK mobile users reported having received at least one suspicious message on their phone in the past three months.

However, existing systems aren’t always 100% effective and there are still plenty of operators and device manufacturers that could do more. For example, scammers often still use mobile messaging services to reach victims at a mass scale and manipulate them into making payments or sharing sensitive information (e.g. pretending to be government services or parcel delivery firms – business messaging scams).

Advertisement

Sometimes scammers may even impersonate a friend or family member texting from a different number, often asking for money as part of a fabricated emergency situation (i.e. person-to-person messaging scams). This criminal activity causes significant financial and emotional harm to UK people and businesses and damages their confidence in vital communications services.

Ofcom-How-Messaging-Scams-Work

Ofcom has this today confirmed the range of measures they intend to introduce to help combat this, which seems to be primarily focused on SMS/MMS messaging and not OTT services like WhatsApp, RCS or iMessage etc. This is because the latter uses functionality that is not dependent on telephone numbers and they are thus not regulated under the Communications Act.

Services such as RCS share characteristics of the traditional messaging services like SMS and MMS but also share characteristics of online messaging apps. Whether such a service is now, or could in the future be, regulated under the Communications Act will depend on how it is implemented in the UK. It is for operators to determine in the first instance whether their current implementation of RCS constitutes a service that is regulated under the Communications Act or the Online Services Act,” said Ofcom.

Advertisement

Ofcom’s Changes to Tackle Messaging Scams

We are implementing new rules and guidance to significantly reduce the risk that people and businesses receive P2P and A2P scam messages.

This package of measures is intended to stop scammers from accessing mobile messaging services in the first place and also to stop their activities where they have gained access.

For P2P messaging, we are introducing new General Conditions (GCs) to require mobile operators to prevent scam messages from being sent or received on their networks, by:

• Setting volume limits for pay-as-you-go (PAYG) SIMs, to make it harder for scammers to message large numbers of potential victims.

• Blocking numbers used by scammers: preventing scammers from sending messages from numbers that have been identified as responsible for scams. This includes having processes in place to receive scam reports from customers and third parties such as anti- fraud organisations about telephone numbers and web links (URLs12) that are being used for scams.

• Blocking scam messages in transit: identifying and blocking scam messages in transit on their networks by detecting scam URLs and telephone numbers, based on scam reports from customers and third parties.

For A2P messaging, we are introducing new GCs to require mobile operators and aggregators to prevent scam messages from being sent or received on their networks, by:

• Conducting due diligence: preventing criminals from using A2P services to contact potential victims by ensuring that effective Know Your Customer (KYC) checks are made at the onboarding stage.

• Preventing the use of fake alphanumeric sender IDs, including by corroborating Sender IDs against information gathered through KYC checks and maintaining a policy on restricting the use of protected sender IDs and generic sender IDs.

• Conducting ongoing Know Your Traffic checks, including reviewing account activity and promptly investigating reports of fraud.

• Applying incident management processes where scam activity is identified, to block message senders and address any compliance failures by other providers.

• Blocking scam messages in transit: identifying and blocking scam messages in transit on their networks by detecting scam URLs and telephone numbers, based on scam reports from customers and third parties (as we are requiring for P2P messaging).

We are also introducing new GCs for mobile operators and aggregators to ensure the requirements are effective and to minimise the risk that providers block legitimate messages. These include: a right for mobile users to challenge a decision to block a number or message; and requirements relating to reviewing policies, training staff, record keeping and compliance with data protection legislation.

We have published guidance on how providers can meet these requirements.

We have amended the proposal in our 2025 consultation13 to require mobile operators and aggregators to ensure the transmission of legitimate messages. Instead, we will require providers to identify, monitor and address instances where messages are blocked in error.

We also consulted on a requirement for providers to notify message senders when certain messages are blocked. In the light of new evidence, we have decided not to implement this proposal. We have made further amendments to the rules and guidance we proposed in our 2025 consultation, taking into account respondents’ feedback.

Additionally, Ofcom have today introduced strengthened guidance to set out how telecoms companies should protect people in the UK from international calls that imitate – or “spoof” – UK mobile numbers. Criminal gangs based abroad often prey on victims by imitating UK phone numbers which people are more likely to trust and therefore answer than calls from an unknown international number.

Under the new guidance, telecoms companies should now withhold the Caller ID (CID) of calls that appear to come from a UK mobile roaming abroad, unless they can verify its validity. Customers in the UK should continue to exercise caution in deciding whether to accept calls from withheld numbers, which can include legitimate and important calls, or from numbers that they don’t recognise.

Amy Jordan, Ofcom’s Strategy Delivery Director, said:

“Mobile messaging scams can have devastating consequences for victims, with criminal gangs using ever more sophisticated techniques to dupe their victims. Our new protections for consumers and businesses announced today will help ensure we remain one step ahead by disrupting and blocking this criminal activity at source. Working closely with Government, other regulators, law enforcement and industry we are confident that our collective efforts will make a significant difference in thwarting these predatory fraudsters.”

The new rules and new guidance that apply to P2P messaging will come into effect on 18th January 2027. Those that apply to A2P messaging will come into effect on 15th July 2027. However, some of the proposals, like the idea of putting volume limits on PAYG SIMs, could impact legitimate consumers too if not carefully introduced. This is especially relevant given how most PAYG plans are more like normal Pay Monthly services today, albeit often on shorter 30-day terms (i.e. the definition between what is Pay Monthly and PAYG has become somewhat confused).

Despite this risk, we understand that the volume limits would focus more on how many messages get sent via a SIM over a specific period of time, which we presume would be set to try and separate automated activity from human usage. Most, but not all, mobile operators in the UK already set such limits (varies between 100 per hour to tens of thousands a month), but even when adopted their application and enforcement can vary a lot (e.g. sometimes further texts are blocked, while in other cases accounts get sent for manual review). Ofcom are clearly seeking to standardise a more effective approach.

Advertisement

As usual consumers are encouraged to help combat scam messages and mobile calls by reporting them to 7726. Mobile providers use these reports to monitor scam activity and update their network protections.

UPDATE 16th July 2026 @ 11:51am

We’ve had a response from the Comms Council UK, which represents IP phone providers.

Tracey Wright, Chair, Comms Council UK

“Ofcom’s new plan for spoofed UK mobile numbers is a welcome step toward tackling the issue of mobile messaging fraud and number spoofing, but may have unintended consequences. The decision to drop the ‘restore’ step from Ofcom’s original two-step model means any +447 call not already home routed, including genuine roaming customers on older networks and legitimate VoIP or cloud-based services, will now be permanently marked withheld with no way back. This raises serious questions about false positives, and re-allocated numbers that have previously been marked for malicious activity.

Ofcom has rejected using a model similar to Ireland’s ComReg, where a real-time proxy check verifies roaming status before a call is blocked. Setting that model aside now makes it harder to argue for later, especially as 2G and 3G networks, which Ofcom itself expects to persist for years, will keep giving scammers a route that these new measures obscure rather than close. We’d ask Ofcom to keep this under active review well before 2027, rather than waiting for the next consultation to revisit it.”

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and .
Search ISP News
Search ISP Listings
Search ISP Reviews
Comments
7 Responses

Advertisement

  1. Avatar photo john_r says:

    All calls and text messages from a number that is not in your contact list is a scam – do not respond. Simple. Any genuine caller will leave a voice mail with a verifiable way to get back to them.

  2. Avatar photo MilesT says:

    “Existing systems aren’t alwasy 100% effective”, and I would not expect the technical responses prompted by this Ofcom ruling to be 100% effective either.

    This court case (last year, widely reported) shows that there has been smishing performed in ways that I think are invisible to operators and are largely unaddressable by OfCom rulings. (Fake cell transmitter mounted in a vehicle)

    https://www.ukfinance.org.uk/news-and-insight/press-release/police-warn-sms-scams-following-prison-sentence-criminal-who

    I think the only way to mitigate this (to some extent) is a SMS spam message sweeper operating on the phone itself (like a spam email sweeper that most companies operate on their inbound email traffic).

    1. Avatar photo BenInLondon says:

      Ss I understand the attack, it is designed to push phones onto 2G by transmitting a strong 2G signal and suppressing the other bands. GSM had very weak protections against impersonating towers. The solution there is already in the pipeline – turn off 2G.

      Android has performed spam detection for years, on device and in conjunction with Google’s servers. I believe iOS has similar features. But as with any spam detection, it is never perfect.

    2. Avatar photo MilesT says:

      Yes, removal of 2G could block this type of smishing, although that might need a mass reconfiguration of SIM cards to turn off the ability of the phone to connect to UK networks using 2G (which I think can be done).

      One hopes new SIMs will be sensibly configured (post final 2G switch off, maybe from now), but I suspect the operators won’t send out reconfiguration messages (SMS text or otherwise) for millions of existing phones unless OfCom forces them to (noting these reconfigurations may be customer visible and quite confusing)

  3. Avatar photo Jazzy says:

    Ten Years ago we got a Giffgaff sim card and put £10 on it and used this number every time either myself or my partner signed up to something online – Anything that required a number got that one and if we took the service or subscription, we would change it to our proper number afterwards. We have that number on silent (switched on) in a cheap £12 burner phone and it gets about 20 spam calls and texts a week. Our personal phones only get about 1 or 2 calls a month. We send a text to ourselves once every 6 months to keep it active and we’re still using up that £10 credit

    Most of the issues, I think are caused by the selling of telephone numbers used in enquiries online. This isea has totally eradicated most of the problems

    1. Avatar photo Stewie says:

      This is exactly what happens, with so many data breaches, and then companies selling personal information to data brokers, it makes your number more visible.

      For email addresses, you can add a + in before the @ symbol and then add a keyword such as the name of the company you are signing up for so it will look like (name + ispreview @gmail .com) then you can find which services you have signed up to has either had a data breach or sold your email

    2. Mark-Jackson Mark Jackson says:

      The email idea won’t always work because some bots will also try masses of random combinations of words and characters in order to find an address that actually exists, so they’ll sometimes find ones that you might have only ever used once or with one service. Other bots may also cross-reference data breaches to find such patterns and then try to replicate them for other services. The systems that exist today are highly complex, so finding working email addresses is fairly easy and doesn’t require a direct data breach.

Leave a Reply

Your email address will not be published. Required fields are marked *

NOTE: Your comment may not appear instantly (it may take several hours) due to static caching and moderation checks by the anti-spam system. Please be patient. We will reject comments that spam, troll, post via known fake IP/proxy servers or fall foul of our Online Safety and Content Policy.
Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real person's legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £22.99
145Mbps
Gift: £155 Reward Card
Sky UK ISP Logo
Sky £23.00
100Mbps
Gift: None
NOW UK ISP Logo
NOW £23.00
100Mbps
Gift: None
BT UK ISP Logo
BT £23.99
150Mbps
Gift: £100 BT Reward Card
Large Availability | View All
Promotion
Cheap Unlimited Mobile SIMs
giffgaff UK ISP Logo
giffgaff £14.00
Contract: 18 Months
Data: Unlimited
iD Mobile UK ISP Logo
iD Mobile £16.00
Contract: 1 Month
Data: Unlimited
Talkmobile UK ISP Logo
Talkmobile £16.95
Contract: 1 Month
Data: Unlimited
Smarty UK ISP Logo
Smarty £17.00
Contract: 1 Month
Data: Unlimited
Sky UK ISP Logo
Sky £20.00
Contract: 12 Months
Data: Unlimited
Cheapest ISPs for 100Mbps+
Community Fibre UK ISP Logo
100Mbps
Gift: None
Gigaclear UK ISP Logo
Gigaclear £19.00
300Mbps
Gift: None
toob UK ISP Logo
toob £19.50
150Mbps
Gift: None
Grain Connect UK ISP Logo
250Mbps
Gift: None
Zzoomm UK ISP Logo
Zzoomm £21.00
200Mbps
Gift: None
Large Availability | View All
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact