Ofcom Crackdown on Number Spoofing to Tackle UK SPAM Calls
Last year the national telecoms regulator, Ofcom, estimated that 44.6 million UK people may have received scam calls and text messages during just the three months of summer (here), with 2% of recipients being duped by them. In response, the regulator has today proposed changes to tackle the use of fake phone numbers.
Most of the major UK broadband ISP, phone and mobile network operators have already implemented technical measures to tackle Nuisance Calls, but these aren’t always 100% effective and there are still plenty of operators – particularly smaller providers and some VoIP firms – that could do more.
In terms of scam calls, the tactics used by fraudsters have become increasingly sophisticated, which include using multiple communication channels and spoofing well-known companies and organisations. However, stopping such abuses – without a strong degree of international cooperation and coordination – is technically very difficult to achieve and often risks catching masses of legitimate calls.
Advertisement
Nevertheless, Ofcom believes they may have found a viable approach to help reduce the problem, which will require all telephone networks involved in the transmission of a call to “block numbers that are clearly spoofed“.
The regulator will also make it harder for scammers to access valid phone numbers by requiring phone companies to run “know your customer” checks on business customers (i.e. verifying them via details on Companies House, fraud risk databases and the FCA’s Financial Services Register to test whether a “high risk of misuse” exists).
In addition, the national transition to IP-based phone services, which is due to complete by the end of 2025 (Openreach’s platform), also gives Ofcom a new technological tool. For calls originating in the UK, this would involve the network from which the call is being made “authenticating” the Caller’s ID (CLI – Calling Line Identification) information before connecting them.
Ofcom’s Anti-SCAM Call Proposals
We are consulting on two proposals to strengthen our rules and guidance on what providers should do to make it harder for scammers to use communications services to reach consumers:
➤ Strengthening our rules and guidance for providers to detect and block ‘spoofed’ numbers.
Spoofing is a tactic commonly used by scammers and involves callers hiding their identity by causing a false or invalid phone number to be displayed when making calls. Those making such calls may create a phone number that appears like or mimics the number of a real company, suchas a bank. Our rules require providers to prevent these calls, where possible.
While not all spoofed numbers can be detected, some are easier to spot. This might be because they are numbers that have not been allocated for use to anyone or where a UK number has been used in a call which originated abroad. We are proposing to strengthen our rules and guidance so that providers do more to detect and block the most obviously spoofed numbers.
➤ A good practice guide to help prevent scammers accessing valid phone numbers.
Providers allocated numbers by Ofcom may transfer those numbers to other providers or resellers or to customers for their day-to-day use. There is currently considerable variation in the checks that providers do both before and after transferring numbers to prevent misuse. In this guide we set out what we expect providers to do to ensure they know their business customers and how numbers will be used by them.
The guide contains processes that should be in place to check customers are using numbers in compliance with our rules, and for responding to reports of misuse. Where these measures are in place, it will be more difficult for scammers to access legitimate telephone numbers to make potentially harmful scam calls.
We are also working on other measures to help tackle scams:
➤ Updating our scheme to protect legitimate numbers that are most likely to be spoofed by scammers.
People may be more likely to trust a call coming from a number associated with a known organisation, such as a bank. We worked with UK Finance on a ‘Do Not Originate‘ (DNO) list to record numbers used by these organisations, including banks and government agencies, to receive calls but never to make calls. The list allows providers to check incoming calls against the numbers on the DNO list and block the call. We have updated our guidance for using the list and will consider whether it can be expanded to include numbers from a wider range of organisations.
➤ Over the longer term, having processes that detect and block spoofed numbers more comprehensively will be important to help tackle scam calls.
We are exploring the introduction of technical standards that make it possible for the network originating the call to confirm the caller’s authenticity before passing it to the network of the person receiving the call, referred to as ‘CLI authentication.’ We plan to issue a call for inputs in Q4 2022 seeking views on the role of CLI authentication and what would be required to implement the technology across industry.
Presently, unless a particular number has already been identified as causing abuse (e.g. following complaints and other threat intelligence) or is being monitored for lawful security reasons, then operators tend not to inspect such traffic and will allow it to pass through their networks unabated. Spoofing UK numbers is also fairly easy to achieve. Ofcom’s new measures are clearly intended to go much further.
Advertisement
Huw Saunders, Ofcom’s Director of Network Infrastructure and Resilience, said:
“The threat posed by scammers has grown significantly in recent years, and the sophisticated tactics used by these criminals can have devastating consequences for victims.
We’re taking action so phone companies have stronger systems in place to disrupt scams. While there is no silver bullet that will end the scourge of scam calls completely, we’re working with industry on how we can use technology to make it as difficult as possible to reach people.”
In terms of that proposal for CLI authentication, Ofcom’s consultation document, which is open for responses until 20th April 2022, makes reference to the use of a new telephone identification protocol (see below), which can help operators to authenticate that all calls and text messages come from a real number.
The Engineering Task Force (IETF) has been attempting to do this via their suit of STIR/SHAKEN protocols (i.e. STIR = Secure Telephony Identity Revisited / SHAKEN = Signature-based Handling of Asserted information using TOKENs), but initially that was only focused upon North America (USA, Canada) and won’t really be viable in the UK until after the transition to all-IP services.
We should point out that one broadband ISP, TalkTalk, implemented technology to block suspicious international calls masked by a UK number in 2019, and they claim to have immediately seen a 65% decrease in the number of complaints about scam calls.
The challenge of all this is with the inherent difficulty of implementing such changes, without also obstructing legitimate voice calls, which is easier said than done. At the same time, Ofcom acknowledges that “scammers will find other ways to reach consumers and no single organisation can solve the problem alone.”
Advertisement
In the meantime, if you’ve received a scam call, you can report it to Action Fraud, which is the reporting centre for fraud and cybercrime in England, Wales and Northern Ireland. Reports of fraud and any other financial crime in Scotland should be made to Police Scotland via 101. Meanwhile, anyone who receives a suspicious text message should report it by forwarding the message to 7726, which directs the message to your mobile operator.
Hopefully it goes without saying that you should never give out any personal or financial details to a suspicious caller. Instead, it’s wiser to just hang up the phone, wait a few minutes and then contact the relevant company (bank, internet provider etc.) on an official number to check if it’s a scam. As for suspicious text messages, NEVER click on any links or give out personal data.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« CityFibre Confirm GBP27m Gigabit Broadband Build in Wakefield
In 2019/ 2020 mum was getting calls from Amazon every other day & calls from HMRC. Complete spam calls!
She eventually let me disconnect the home phone. I’ve not missed it at all. They started on my mob number for a few months & I blocked & reported them all. [Thru Google dialer] don’t know if it helps but I don’t get anymore now.
Ofcom & government do need to do more.
Most of us know a spam call, but an elderly person might not.
This is very overdue, and should have been required in primary legislation (to require regulation) years ago.
But that would require politicians to be responsive and helpful to the public, to improve citizens lives in small ways as well as better.
Ans also require Ofcom to be more compentent and less captured by industry (as is currently evident in mandatory VoIP switchover not properly delivering an equivalent “always on” service to the customer if there is a power cut of modest duration).
What is wrong with solution from Sky “Talk Shield”?
https://www.sky.com/help/articles/sky-talk-shield-getting-started
How it works
Someone tries to call you
Talk Shield intercepts and blocks calls from ‘robots’ and automated callers.
If it’s a person, your phone rings and you’ll hear a recording of the caller’s name.
Choose to answer the call, block it or send it to Voicemail (if you have Voicemail).
You can add the number to your Star or Block list.
I agree action to try to block calls with spoofed CLI’s, or at very least replace the CLI if suspect, is long overdue. The number of calls we have got with a spoofed CLI is ridiculous, most of them international calls, many initiated by an autodialer, and frequently with a local phone number that changes each time they call back.
Some years back I was even getting lots of scam/spam/marketing calls from my own number, hard to believe that at least some of them couldn’t have been easily detected and kept off the UK phone network.
Just allow people to opt in to blocking all inbound calls that don’t originate from the UK. I would take this up in an instant. It would also stop banks and the like outsourcing their customer support to India. Double win scenario. For those than want calls from outside of the UK they don’t have to opt in to it.
Would not stop banks etc. moving call centres abroad. Call would be routed via bank’s switchboard in UK (very simple telephonic config, would be legal under Ofcoms new proposed rules
The advice in the last paragraph should include ” Make sure you have a dial tone”. We have all heard of the scammers who invite you to call your bank or whoever they are claiming to be then they do not clear down and, if you do not check for dial tone, you think you have called the bank but end up speaking to the scammer again.
In reply to Anthony Goodman, that is already an option with many providers. I would suggest you contact yours and ask if they offer it.
They can fake a dial tone as well using a recording, the way round that is to always return the call using another phone, so landline incoming is returned by mobile and vica versa.
44.6 million recipients in three months? That’s not even one each, I used to get four or five a day until I dispensed with my landline service since the only people it seemed to be benefitting was Indian scammers.
This shows you the extent of the work already done to clamp down on fraudulent/unsolicited calling.
It would be even less if some UK telcos didn’t transit some of these calls to make money.
I just use Flextel with auto attendant. Automated diallers and robots usually don’t press a certain number, which ultimately means they enver get through to me. If they happen to get through however then I just instruct Flextel to block the number on my account, even a withheld number can be done (assuming the nubmer Flextel sees is valid) Of course I won’t see the full phone number if it was withheld though, the last three digits are masked.
Anyone could also do this auto attendant setup (press 5 if you’re not an automated caller) of thing with Asterisk/FreePBX or w/e though, if you have enough experience and use VoIP/SIP.