Home
 » ISP News, Key Developments » 
Sponsored Links

Ofcom Tell UK Phone Operators to Block Foreign VoIP Scam Calls UPDATE

Monday, Oct 25th, 2021 (7:45 am) - Score 5,024
telephone_restriction_image

The UK telecommunications regulator, Ofcom, has reportedly taken radical action to curb the plague of scam calls, which it is attempting to achieve by “ordering” major phone operators to automatically block any “suspicious” Voice-over-Internet (VoIP) calls that come from abroad if they pretend to come from numbers in the UK.

Most of the major UK broadband, phone and mobile network operators have already implemented technical measures to tackle Nuisance Calls, but these aren’t always 100% effective and there are still plenty of operators – particularly smaller providers and some VoIP firms – that don’t do enough.

NOTE: Nuisance calls include marketing calls (live and recorded), silent calls and abandoned calls. Scam calls also come in all sorts of different shapes and sizes, from people claiming that your computer has been infected with viruses, to those pretending to represent your bank, car insurance companies, HMRC, NHS etc.

Last week, Ofcom reported that an estimated 44.6 million UK people may have received scam calls and text messages during the past three months alone (here). Sadly, around 2% of those who received such a message or call (roughly 1 million people) reported following the scammers’ instructions.

However, stopping such abuses – without a strong degree of international cooperation and coordination – is technically very difficult to achieve and often risks catching masses of legitimate calls. But according to the BBC, the regulator is attempting to block “suspicious international calls” at source, where they are masked by a UK number.

Lindsey Fussell, Ofcom’s Networks and Comms Group Director, said:

“We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number. We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”

At this point we haven’t seen any useful technical details on the approach being taken here or precisely what Ofcom has requested operators to do, which makes for somewhat of a guessing game. But much may well depend upon how Ofcom and the operators decide that such calls should be deemed “suspicious,” prior to any block being introduced.

Presently, unless a particular number has already been identified as causing abuse (e.g. following consumer complaints and other threat intelligence) or is being monitored for lawful security reasons, then operators tend not to inspect such traffic and will allow it to pass through their networks unabated. Spoofing UK numbers is also fairly easy to achieve, which helps to make scam calls look more credible to consumers.

According to Matthew Gribben, a former consultant to the UK government’s intelligence agency (GCHQ): “It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so [Ofcom’s move] will make a huge dent in this. It doesn’t fix everything, but it’s an excellent step in the right direction.”

One other way of tackling this issue would be a new telephone identification protocol, which can help operators to authenticate that all calls and text messages come from a real number. The Engineering Task Force (IETF) has been attempting to do this via their suit of STIR/SHAKEN protocols (i.e. STIR = Secure Telephony Identity Revisited / SHAKEN = Signature-based Handling of Asserted information using toKENs), but so far it’s been mostly focused upon the USA and Canada.

The EU are also tentatively investigating adoption of STIR/SHAKEN, while Ofcom has already said that this might not be possible in the UK until after December 2025, which is the date by which all of Openreach’s traditional phone (voice) services are supposed to have been migrated over to a modern all-IP (Internet Protocol) based network.

Meanwhile, the biggest question mark over Ofcom’s new approach is currently centred around whether they’ve done enough to avoid the new measure obstructing legitimate voice calls. Easier said than done. Many VoIP networks are international in nature and so it’s not always as simple as highlighting “foreign calls“, since many legitimate businesses and individual VoIP customers may still be UK based, even if the traffic appears to be external.

In short, some degree of overblocking could be inevitable. But once again, we haven’t seen any details of how they’re doing this, yet.

UPDATE 5:06pm

We’ve had a comment from broadband ISP TalkTalk, which confirms that they’re the first provider to implement the aforementioned change.

Mark Johnson, Head of Customer Security at TalkTalk, said:

“This is a major step towards protecting UK consumers from foreign fraud and scams. TalkTalk implemented technology to block suspicious international calls masked by a UK number in 2019 and we immediately saw a 65% decrease in the number of complaints about scam calls.

In early 2020 we began discussions with Ofcom for this to become a requirement in the industry, so we are delighted to see the regulator encouraging providers to follow our lead and implement more effective blocking solutions. Keeping our customers safe is our number one priority at TalkTalk and we’re proud to be the first communications provider to implement these measures.”

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and .
Search ISP News
Search ISP Listings
Search ISP Reviews
Comments
23 Responses
  1. Avatar photo Anthony Goodman says:

    The most obvious thing to have done in the last 20 years but its unbelievable its took 20 years to do it. But why do this “block any “suspicious” Voice-over-Internet (VoIP) calls that come from abroad if they pretend to come from numbers in the UK.”

    Why not just block all VOIP from outside of Europe? And you can manually enable it on your line if you want to. Everytime it will be a scammer.

    1. Avatar photo Norma Bates says:

      “Why not just block all VOIP from outside of Europe?”

      So you’d want to ban legitimate Skype, Microsoft Teams etc calls from overseas?

    2. Mark-Jackson Mark Jackson says:

      Why not just block all VOIP from outside of Europe? And you can manually enable it on your line if you want to. Everytime it will be a scammer.

      Precisely because such statements are completely wrong. Why do you think all non EU/UK calls will be from scammers? How about holidaymakers trying to contact families, UK outsourced call centres, all sorts of international SIP trunking / VoIP setups for normal calling and the list goes on… and on..

    3. Avatar photo Norma Bates says:

      *block

    4. Avatar photo Phil says:

      Unfortunately it is not that simple. For example Sipgate have servers abroad, so if I make a call from my home phone in the UK and that ends up routed via Sipgate services outside of the UK, when the call comes back into the UK PSTN network, it will immediately look suspicious. This is true of many VoIP suppliers, calls get routed via the Internet and can leave the UK then arrive back in the UK from almost anywhere, and so will be a UK caller ID that appears to have arrived from a foreign destination.

    5. Avatar photo Rich says:

      If I had the option I’d happily bar all incoming calls from non-uk numbers, no matter if they were VoIP or fixed, CLI of a UK number or not.

      I have nobody abroad I want to talk to, and if companies want to call me I guess they will have to use their UK staff. I can’t think of many scenarios I *want* to talk to foreign call centres that call me, it’s generally for their benefit not mine.

    6. Avatar photo Anthony Goodman says:

      My thoughts are exactly the same as Richs. And the claim of what about outside UK call centres. How many times do they call you legitimately? It is a never for me. My two Banks no longer want to call landlines now and wants to only deal with you though your mobile.

      The only inbound calls I get are from relatives, GPs/Dentists/DWP when out of work and scammers. If I was allowed an option to block incoming calls from abroad I would be happy. But I have a Truecall call blocker that I needed to pay £100 and £20 a year subscription to do it.

  2. Avatar photo Scott says:

    Stir/Shaken offers Europe a chance to learn and implement from the US networks. I think a variation of that model will be implemented with “validation” services becoming a new product in the Wholesale market.

    Unless fines are handed out we’ll see some UK smaller carriers continue to pass calls on (into the PSTN) because it makes them some money. It’s (in theory) the last days (Ok maybe not days but 2-3yrs) of unchecked calls so they will just milk that final opportunity.

  3. Avatar photo William Wilkinson says:

    It’s ridiculous how many scam calls and e-mails you get in this country.

  4. Avatar photo Meadmodj says:

    This relates to VoIP but again this morning received a Hermes scam on my mobile using the +44 7305 range originally allocated to Vodafone (now dispersed due to number mobility) despite all the assumed mobile authentication. CLI is clearly useless and VoIP can only get worse as as a good percentage of people (9m?) transfer from PSTN or VoBB (fixed location VoIP) to other voice options.

    Surely it is technically possible to verify using the same verification for the outgoing routing of calls to identify the current owning network of the number and display or filter if the originating provider/country of origin on an incoming call is different. In addition customer controlled blanket filters that inhibit calls say from outside the UK, outside Europe with specific allow lists. e.g I go on holiday to Greece , enable roaming and calls to and from Greece.

    My view is that initiatives need to be technology independent whether GSM, VoLTE, VoIP, VoBB and better “Truecall” etc is required on PSTN whilst it remains.

    1. Avatar photo Steve says:

      “Surely it is technically possible to verify using the same verification for the outgoing routing of calls to identify the current owning network of the number and display or filter if the originating provider/country of origin on an incoming call is different.”

      Nope. We’re a carrier and have interconnects with 3 other carriers (lets call them A B and C). We get an inbound call from carrier Z. It could arrive via A B or C, and outbound we could send via A B or C. There is nothing useful here to validate with. We can validate the customer’s CLI (as we have direct connections to them) but that’s it.

    2. Avatar photo Meadmodj says:

      Thanks I’ll bow to your expertise but I was not referring to what is there in the current international signalling and CLI standards but rather what could be and that we need a number of innovative steps taken to minimise the issue.

      As an example my understanding is that if you have an outgoing call from your network to say +44 7305297500 you have to determine the outgoing routing either direct to say Vodafone, Sky or possibly to BT IP exchange or equivalent. You will determine the CLI to apply which will include the Network Number segment of the CLI.

      As a customer I would like “the systems” to check the Network Number on the CLI and if it is invalid against +44 or coming in from an inappropriate network (say abroad) to be blocked. Now that may catch the guy in a Motorhome touring Europe etc but my view is that I as a customer should determine whether I want to receive a +44 call that is not originating from it’s home provider servers (VoIP or VoLTE), those missing a CLI altogether or re-written to 08979 but allow specific numbers through on an exception lists.

      This should go into the too hard box.

    3. Avatar photo Meadmodj says:

      This should NOT go into the too hard box

    4. Avatar photo Ferrocene Cloud says:

      I think we need a system of authentication and white listing. An analogy would be HTTP/HTTPS, where HTTP is now untrusted and a massive red flag.

      For instance, let’s say all calls within the UK from authenticated providers (who can be legally obligated to do this under the laws here) are permitted, and everything else would be dropped by default. Now let’s say HSBC wants to call their customers from India, which is entirely legitimate. HSBC can be authenticated and whitelisted, effectively digitally signing the call as a legitimate HSBC call.

      Some random Indian scammer pretending to be HSBC wouldn’t pass the checks, so the call would be automatically rejected.

      Obviously the exact implementation would be far more complicated, but for someone like me I should have the option of blocking any call not originating from the UK, except for a small handful of organisations where it would legitimately originate elsewhere.

  5. Avatar photo Billy Nomates says:

    Good. 100% of them come from India. The Indian cyberpolice don’t give two hoots in fact I think they’re probably complicit in it.

    Instantly ban Indian VOIP numbers presenting as real UK numbers.

    1. Avatar photo Matt says:

      Not quite true. Indian police are and have been taking an aggressive stance on scammers.

      Also, VoIP in India is fairly regulated and strict. Most use VPNs to use US/Canadian services like “Text Now”, Twilio etc. Worth watching some of the scam baiter videos to get a deeper insight.

      Blocking VoIP that comes from India wouldn’t have the greatest impact, if any at all which is why blocking all non-UK transits from presenting a UK number would help massively but then also capture legitimate traffic too.

    2. Avatar photo Anthony Goodman says:

      I have read stories that the same call centres in India that offer support for your bank and mobile company are the exact same centres/buildings also hiring staff to pretend to be Microsoft and BT saying you have a virus. It just shows you how much banks/phone providers could care less about data protection if they know they are paying criminals.

  6. Avatar photo Gerhard says:

    The proposal to block all calls coming in to the UK from abroad that have a UK CLI sends the shivers down my spine.

    I am using FreeVoipDeal for all my outbound calls, at a fraction of the price what I would pay if they went out on my Plusnet landline. The called party can see my genuine UK landline number, so they can see who’s calling and ring back if desired. On signing up with FreeVoipDeal, the CLI gets verified through an automated return call to the number you supply. So, no chance to spoof a number.

    Now, FreeVoipDeal SIP servers are located abroad (Netherlands, Switzerland etc.), so if these measures are implemented, I fear that I will no longer be able to make VoIP calls to UK numbers. Even switching to Sipgate won’t help – their servers are in Germany.

    If one believed in conspiracy theories, then one would think that blocking scams is just being used as an excuse to cut cheap VoIP providers out and get people to use UK based Telcos (and pay through the nose).

    VoIP spam is not a new problem, RFC5039 was published in January 2008 and discusses different approaches to tackling the problem. Have those who are calling for these draconian measures done their homework and researched alternatives?

  7. Avatar photo NeverCloseCase says:

    There is nothing stoping someone using AWS ie(eu-west-2) set up server as an outpoint VPN. There you are it looks like your now in UK. Then connect to an VoIP provider, to that VoIP provider you seam to them making connection to them within UK.

  8. Avatar photo Mr D M says:

    Signing the SIP call setup is the only way to verify authenticity of its origin.

    Knowing what to do is the easy part.

    The issue is the geopolitical management of the trust mechanism to verify it and the administration and costs to operate it.

    Much like SSL certificates in browsers were originally envisaged that you pay a fee to undergoe a vetting process (know your customer, identity check) to be issued a certificate for a year for your website. The issuing Certificate Authority was meant to act as a trusted middleman.

    The problem with then web browser model is that all CAs were created equal and have equal trust. Which is a problem when a nation state can force a CA inside their jurisdiction to issue an arbitrary certificate to fake an identity. This was done for Gmail.com during the middle east unrest, google has since taken action to protect chrome.

    However there needs to be a trust anchor per country, one that falls inside the jurisdiction of the appropriate telecoms regulation entity for that country.

    I believe the once up on a time functional NominetUK maybe have once been considered an authority upto such a job. Indeed they have an ENUM initiative from almost 20y ago that might be helpful to update to modern time, that could use the existing DNS systems to map E.164 telephone numbers to domain names.

    I assume having a reverse registry is a small step, their have identity management processes already, most transactions and management done online, call centre, etc…

    Given we have DNSSEC now operational to secure data distributed via DNS.
    Given it maybe a small step for a SIP handset to support all that is needed on the device, the verification and lookup process are relatively lightweight and use protocols already implemented on device.

    The only thing that is missing would be some kind of downvote button. That is the ability of a call receiver to mark that call just received as SPAM with an interested overwatch system.
    Which would then lead into multiple trust bureau’s popping up that attempt to manage the grey area, trustworthiness of calls originating from other counties.
    The receiver can describe their own personal policy.
    In this day and age it maybe most people will have a simple policy to only trust identity verification from the body responsible for it within their own respective country issued to an entity within their own respective country.

    The problem as always is there is a vested interest in getting as many billable call minutes as possible. That is how telecoms money is made. So don’t expect telecoms operators to solve this concern.

  9. Avatar photo Gerhard says:

    Looks as if BT/Plusnet have implemented something already:
    Calls from my foreign hosted VoIP account now show up as INTERNATIONAL 01268xxxxxx, rather than 01268xxxxxx.
    On my mobile (1p/EE), the number still shows correctly in national number format.

  10. Avatar photo Jonas Lundberg says:

    I just had one now, claiming to be from BT OpenReach and that ‘they have noticed problems on my ADSL line’.
    They seem to be calling from witheld numbers now. Is this a workaround?

  11. Avatar photo ed says:

    1. instead of spying on our own citizens, gchq prioritises tracing scam call centres.
    2. sign agreement with india that unless the sas have freedom to raid scam call centres, NO indian call centres will be allowed to do outsourcing from uk companies.
    3. sas breach, bang, and bag the scammers.
    4. if india does not cooperate, we stop all commercial relations and cut internet and telecoms connections to them completely. we also repatriate our indian guests.
    5. either way, we profit

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £24.00
132Mbps
Gift: None
Shell Energy UK ISP Logo
Shell Energy £26.99
109Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £27.99
145Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £15.00
150Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £19.99
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £21.00
150Mbps
Gift: £25 Love2Shop Card
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
The Top 15 Category Tags
  1. FTTP (5472)
  2. BT (3505)
  3. Politics (2524)
  4. Openreach (2291)
  5. Business (2251)
  6. Building Digital UK (2234)
  7. FTTC (2041)
  8. Mobile Broadband (1961)
  9. Statistics (1778)
  10. 4G (1654)
  11. Virgin Media (1608)
  12. Ofcom Regulation (1451)
  13. Fibre Optic (1392)
  14. Wireless Internet (1386)
  15. FTTH (1381)
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact
Mastodon