Ofcom Tells UK Phone Providers to Identify and Block Spoofed Calls
The UK telecoms regulator, Ofcom, has today introduced new rules that will require phone providers to crackdown on “fake phone numbers” by identifying and blocking “spoofed calls“, where feasible. The move aims to tackle a problem that, during the summer, resulted in 40.8 million people being targeted by suspicious calls and texts.
Most of the major broadband ISP, phone and mobile network operators have already implemented technical measures to tackle Nuisance Calls, but these aren’t always 100% effective and there are still plenty of operators – particularly smaller providers and some Voice-over-Internet-Protocol (VoIP) firms – that could do more.
In terms of scam calls, the tactics used by fraudsters have become increasingly sophisticated, which include using multiple communication channels and spoofing (imitating) the numbers of well-known companies and organisations. If a call to a mobile or landline phone appears trustworthy, people are more likely to answer it and follow the scammers’ instructions.
Advertisement
Ofcom estimates that around 700,000 UK people have fallen into such a trap in the 3 months up to August 2022 alone, risking financial loss and emotional distress. However, stopping such abuses – without a strong degree of international cooperation and coordination – is technically difficult to achieve and often risks catching legitimate calls too.
The New Rules
Despite the challenges, the regulator said they will now require all telephone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls, albeit only “where technically feasible” to do so. The move should improve the accuracy of Calling Line Identification (CLI) data.
Presently, unless a particular number has already been identified as causing abuse (e.g. following complaints and other threat intelligence) or is being monitored for lawful security reasons, then operators tend not to inspect such traffic and will allow it to pass through their networks unabated. But that’s about to change.
What we have decided (improving CLI accuracy)
The data that is attached to a call is called Calling Line Identification (CLI) data. It includes information that identifies the caller and a privacy marking, which indicates whether the number can be shared with the person receiving the call. Ensuring that the CLI data includes a valid, dialable number, and that the caller has authority to use the number, is important so that people have accurate information about who is making a call when they receive it. This can help them decide whether or not to answer the call.
We have decided to modify one of our rules (General Condition C6) to require providers, where technically feasible, to identify and block calls with CLI data that is invalid, does not uniquely identify the caller, or does not contain a number that is dialable.
We have decided to make a number of changes to our guidance for providers on what we expect them to do to comply with the rules in GC C6.2 This includes:
• clarifying that the format of a CLI should be a 10- or 11-digit number;
• making use of information that identifies numbers which should not be used as CLI, such as Ofcom’s numbering allocation information and the Do Not Originate (DNO) list;
• identifying calls originating abroad that do not have valid CLI and blocking them;
• identifying and blocking calls from abroad spoofing UK CLI; and
• prohibiting the use of 09 non-geographic numbers as CLI.
The regulator has given providers 6 months to implement their changes to General Condition C6 and the CLI guidance (until 15th May 2023), which they believe should be “sufficient time to make the necessary technical changes.” Some ISPs, such as TalkTalk, have already implemented this voluntarily (the provider said it had seen a 65% reduction in complaints about scam calls since it introduced this measure).
Advertisement
As well as strengthening the aforementioned rules, Ofcom has also issued new guidance to phone companies on how they can prevent scammers from accessing valid phone numbers. The regulator typically allocates telephone numbers, usually in large blocks, to telecoms firms. They can then transfer the numbers to individuals or other businesses. All phone companies are expected to take reasonable steps to stop their numbers being misused, but these efforts can vary.
Providers will now need to run additional checks on their business customers, such as checking against the Companies House register, fraud risk databases and the Financial Conduct Authority’s Warning List to uncover information that “may indicate a high risk of misuse by the customer seeking to use phone numbers.” Doing this will of course take more time and money, which usually ends up being passed on to consumers at some point.
What we have decided (preventing valid numbers being misused)
We have decided to introduce the good practice guide, which sets out steps we expect providers to take to help prevent valid numbers being misused. In particular, we expect providers to:
• carry out a robust set of due diligence checks before sub-allocating or assigning numbers;
• have an approach for identifying where the risks of number misuse are higher;
• put in place contractual controls that enable the provider to meet their regulatory obligations;
• keep the level of risk posed by a business customer under review by monitoring for the potential misuse of numbers; and
• have an appropriate process for responding to reports of potential misuse.
The Guide is intended to help providers ensure they comply with their existing obligations under our rules (General Condition B1). We have made some minor amendments to the Guide to reflect suggestions made in response to our consultation. As the Guide relates to General Conditions that are already in place, it applies immediately.
The challenge of all this is with the inherent difficulty of implementing such changes, without also obstructing legitimate voice calls, which is easier said than done. Ofcom has previously acknowledged that “scammers will find other ways to reach consumers and no single organisation can solve the problem alone,” so it’s probably wise to maintain a healthy distrust of those claiming to call from companies you know.
Lindsey Fussell, Ofcom’s Group Director for Networks and Comms, said:
“Scam calls and texts are a major source of fraud, and they represent a clear and present danger to every phone user. Criminals are becoming increasingly sophisticated, and it’s easy to be caught out by a scam.
We’re constantly working with phone companies and other organisations on new ways to combat these scams. Blocking fake numbers can have a significant impact, so we’re making sure all phone companies apply this protection for their customers.”
Finally, on the risk of these changes leading to a rise in over-blocking of legitimate calls, Ofcom said this: “Since implementing the blocking, BT said it has received very few complaints of calls from abroad with UK CLI that have been blocked in error, and TalkTalk said there have been limited instances of over-blocking and these can be rectified.” But no solid statistics were shared.
Advertisement
In the meantime, if you’ve received a scam call, you can report it to Action Fraud, which is the reporting centre for fraud and cybercrime in England, Wales and Northern Ireland. Reports of fraud and any other financial crime in Scotland should be made to Police Scotland via 101. Meanwhile, anyone who receives a suspicious text message should report it by forwarding the message to 7726, which directs the message to your mobile operator.
Hopefully it goes without saying that you should never give out any personal or financial details to a suspicious caller. Instead, it’s wiser to just hang up the phone, wait a few minutes and then contact the relevant company (bank, internet provider etc.) on an official number to check if it’s a scam. As for suspicious text messages, NEVER click on any links, reply to them or give out personal data.
Improving the accuracy of Calling Line Identification (CLI) data
https://www.ofcom.org.uk/../improving-cli-data-accuracyGood practice guide to help prevent misuse of sub-allocated and assigned numbers
https://www.ofcom.org.uk/../good-practice-guide-on-sub-allocated-assigned-numbers
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« Broadband ISP File Sanctuary Cut UK FTTP Prices for Black Friday
About time too that Ofcom decides to act, I’ve had a number of scam calls from Europe and the UK regarding Bitcoin so I now don’t pick up the phone if I don’t know the number.
Not acting on this is just telcos hastening the demise of PSTN calling – if the only calls you get are scam calls, why pick up the phone at all?
I don’t bother picking up the landline anymore because of the scams or other nonsense callers, which interestingly only seem to call between 9-5. If I ever do get a call outside of that time-frame then the chance of it being a scam is more or less 0. However, nobody ever rings the landline as all the people in the house have their own mobile.
Personally if I were to guess, the ratio of scam calls vs legitimate calls on the landline must be something stupid like 200:1.
Cut off the VoIP providers scam calls are coming from especially those who allow spoofing. Pretty much the same with text messages. Why specific alphanumeric strings can’t be restricted to particular sender like Barclays, HSBC, HSBCUK, etc. I don’t know.
By nature of VoIP all CLID is spoofed.
I use VoIP on home and mobile both so these changes, if they look for generic CLID, could hit regular people like me.
A good solution would be to make it so the CLID has to match the telco exit node – forgive my lack of technical terms here.
I have never had a “spoofed” number from a valid uk number, I get plenty of scam “UK” calls though, and often it’s the same bulk VoIP provider who deals with those.
TTB Hello, Toytown Bank here.
Prove it
TTB What do you mean?
Phone numbers can be spoofed, Tell me my date of birth/postcode/pet name
TTB Due to Data Protection we cannot do that
Fine, send me letter or secure email
Just who is the Data Protection meant to protect, Toy Town Bank or Me?
Authentication Works both ways (or not in the case of the credit card company where a reverse authenticator was setup, but they challenge me with it, duh)
I’ve never understood why Mobile Telcos allow anonymous supermarket SIM’s to be activated and then within hours of initial registration they start sending 1,000,000 scam SMS.
Just limit sending SMS to about 25 DIFFERENT contacts each month (unless customer is willing to provide ID to the provider or until 6 months clean usage has been seen)
That would stop the SMS abuse in its tracks but somehow this is just so impossible or just networks are totally unwilling to help consumers?
It would also stop any business porting their number to a new provider to take advantage of competition.
If you think you have a simple answer to an entrenched problem You have probably misunderstood.
money.
Oh Jerry…
Do you really think these scammers are using supermarket pre paid SIMs to send millions of spam SMS?
My sides are hurting from laughing.
Most of the spam SMS you receive doesn’t come from a SIM card at all, most doesn’t even originate in the UK.
They spoof numbers. The SMS come from bulk SMS mailers running on computers, taking advantage of the same loopholes that allow spoofing UK numbers from abroad.
You don’t even need to be out of the country, but most of the spam does come from offshore.
It makes me laugh that you think spammers are topping up handsets to send millions of SMS though.
Come back tomorrow Jerry, that was funny.
Maybe @Mark you should take a leaf out of their book and stop Mr Coventry spoofing on this website.
Did the details of the communication from Ofcom say anything about implementation of Shaken/stirred protocols to better authenticate the CLI?
If not, is there any legislative or technical reason why not? (Or have I misunderstood the details?)
OFCOM have published the results of the industry consultation here
https://www.ofcom.org.uk/consultations-and-statements/category-2/improving-cli-data-accuracy?showall=1
The first pdf document in the list (Statement: Improving…) quotes several suggestions from telcos about STIR, but as a result, only one statement that
“4.76
We are also undertaking longer-term work on CLI authentication. To inform our work, we
have been engaging with relevant industry bodies, as well as overseas regulators with
experience of STIR.”