Ofcom UK Propose New Rules to Tackle Mobile Messaging Scams

Ofcom has today announced a “comprehensive package of planned measures” that are designed to improve protection for mobile phone users against messaging scams. According to the regulator, some 50% of UK mobile users said they received a suspicious message between Nov 2024 and Feb 2025 via text or iMessage, but it’s hoped today’s changes may reduce that figure.

Most of the United Kingdom’s major broadband, phone and mobile network operators have already implemented various technical measures to tackle things like Nuisance Calls, Scam Calls and Scam Texts (e.g. mobile operators block an estimated 600 million+ messages each year). But these aren’t always 100% effective, and there are still plenty of operators and device manufacturers that could do more.

In particular, scammers often use mobile messaging services to reach victims at a mass scale and manipulate them into making payments or sharing sensitive information (e.g. pretending to be government services or parcel delivery firms – business messaging scams).

Sometimes they may even impersonate a friend or family member texting from a different number, often asking for money in a fabricated emergency situation (i.e. person-to-person messaging scams). This criminal activity causes significant financial and emotional harm to UK people and businesses and damages their confidence in vital communications services.

The Proposed Rules for Tackling Messaging Scams

Person to Person (P2P) Messaging

In order to tackle person-to-person messaging scams, Ofcom are proposing that mobile providers must: 

• set volume limits for pay-as-you-go SIM cards. This will make it harder for scammers to message large numbers of potential victims at once; 

• block numbers used by scammers. Providers must use scam reports from customers and third parties – such as law enforcement – about phone numbers and web links that are being used to perpetrate scams. They must then prevent scammers from sending messages from these numbers;  

• block scam messages in transit. Providers must identify and block scam messages being carried on their networks by detecting malicious sender IDs, weblinks, and phone numbers.  

Business Messaging

To disrupt business messaging scams, the regulator is proposing that mobile operators and ‘aggregators’ that transmit businesses’ mobile messages must: 

• conduct upfront and ongoing due diligence checks. Effective “Know Your Customer” checks must be carried out on new business message senders to prevent criminals from sending mass texts. Similarly, “Know Your Traffic” checks should be completed, including reviewing account activity and promptly investigating reports of fraud; 

• prevent use of fake sender names (known as Alphanumeric Sender IDs). Providers must corroborate business message senders’ Sender IDs, which show who a business mobile message came from, against information they’ve gathered about the business (to check, for example, that a business that purports to be hairdresser is not sending parcel delivery messages – indicating a scammer). They must also maintain a policy on protected sender ID lists and generic sender IDs (such as ‘customer service’); 

• apply incident management processes. Where scam activity is identified, root out criminals who are using business messaging services and hold companies to account where they have not conducted appropriate checks; and 

• block scam messages in transit. Providers must act on scam reports from users and third parties to detect and block malicious weblinks and phone numbers. 

The measures are designed to “further disrupt scammers, raise the bar across the mobile industry and address current gaps in protection for consumers and businesses“. But some of the proposals, like the idea of putting volume limits on PAYG SIMs, could impact legitimate consumers too if not carefully considered. This is especially relevant given how most PAYG plans are more like normal Pay Monthly services today, albeit often on shorter 30-day terms (i.e. the definition between what is Pay Monthly and PAYG has become somewhat confused).

However, we understand that the volume limits would focus more on how many messages get sent via a SIM over a specific period of time, which we presume would be set to try and separate automated activity from human usage. Most, but not all, mobile operators in the UK already set such limits (varies between 100 per hour to tens of thousands a month), but even when adopted their application and enforcement can vary a lot (e.g. sometimes further texts are blocked, while in other cases accounts get sent for manual review). Ofcom seems to be seeking to standardise a more effective approach.

Ofcom are also proposing new rules for all mobile operators and aggregators to ensure the requirements are effective and to minimise the risk that providers block legitimate messages. These include: a right to challenge where numbers or messages are blocked; and requirements relating to reviewing policies, training staff, record keeping, compliance with data protection legislation and the continued transmission of legitimate messages.

Amy Jordan, Ofcom’s Strategy Delivery Director, said:

“Messaging scams can have a devastating impact on their victims. Our plans will ensure that mobile firms consistently apply proven measures to thwart these crimes. That means locking scammers out of networks and blocking hundreds of millions more scams from getting through to people and businesses each year.”

Ofcom’s related consultation on all this is now open for responses until by 5pm on 28th January 2026 and, after that, they aim to publish their final decision sometime during summer 2026.