
The UK internet content, telecoms and media regulator, Ofcom, has this morning published a “comprehensive package of practical measures” to help UK mobile network operators “block, limit and disrupt scammers” from sending messaging scams. In addition, they’ve strengthened rules to help protect people from international calls that imitate – or “spoof” – UK mobile numbers.
Most of the United Kingdom’s major broadband, phone and mobile network operators have already implemented various technical measures to tackle things like Nuisance Calls, Scam Calls and Scam Texts (e.g. mobile operators block an estimated 600 million+ messages each year).
However, existing systems aren’t always 100% effective and there are still plenty of operators and device manufacturers that could do more. For example, scammers often still use mobile messaging services to reach victims at a mass scale and manipulate them into making payments or sharing sensitive information (e.g. pretending to be government services or parcel delivery firms – business messaging scams).
Advertisement
Sometimes scammers may even impersonate a friend or family member texting from a different number, often asking for money as part of a fabricated emergency situation (i.e. person-to-person messaging scams). This criminal activity causes significant financial and emotional harm to UK people and businesses and damages their confidence in vital communications services.

Ofcom has this today confirmed the range of measures they intend to introduce to help combat this, which seems to be primarily focused on SMS/MMS messaging and not OTT services like WhatsApp, RCS or iMessage etc. This is because the latter uses functionality that is not dependent on telephone numbers and they are thus not regulated under the Communications Act.
“Services such as RCS share characteristics of the traditional messaging services like SMS and MMS but also share characteristics of online messaging apps. Whether such a service is now, or could in the future be, regulated under the Communications Act will depend on how it is implemented in the UK. It is for operators to determine in the first instance whether their current implementation of RCS constitutes a service that is regulated under the Communications Act or the Online Services Act,” said Ofcom.
Advertisement
Ofcom’s Changes to Tackle Messaging Scams
We are implementing new rules and guidance to significantly reduce the risk that people and businesses receive P2P and A2P scam messages.
This package of measures is intended to stop scammers from accessing mobile messaging services in the first place and also to stop their activities where they have gained access.
For P2P messaging, we are introducing new General Conditions (GCs) to require mobile operators to prevent scam messages from being sent or received on their networks, by:
• Setting volume limits for pay-as-you-go (PAYG) SIMs, to make it harder for scammers to message large numbers of potential victims.
• Blocking numbers used by scammers: preventing scammers from sending messages from numbers that have been identified as responsible for scams. This includes having processes in place to receive scam reports from customers and third parties such as anti- fraud organisations about telephone numbers and web links (URLs12) that are being used for scams.
• Blocking scam messages in transit: identifying and blocking scam messages in transit on their networks by detecting scam URLs and telephone numbers, based on scam reports from customers and third parties.
For A2P messaging, we are introducing new GCs to require mobile operators and aggregators to prevent scam messages from being sent or received on their networks, by:
• Conducting due diligence: preventing criminals from using A2P services to contact potential victims by ensuring that effective Know Your Customer (KYC) checks are made at the onboarding stage.
• Preventing the use of fake alphanumeric sender IDs, including by corroborating Sender IDs against information gathered through KYC checks and maintaining a policy on restricting the use of protected sender IDs and generic sender IDs.
• Conducting ongoing Know Your Traffic checks, including reviewing account activity and promptly investigating reports of fraud.
• Applying incident management processes where scam activity is identified, to block message senders and address any compliance failures by other providers.
• Blocking scam messages in transit: identifying and blocking scam messages in transit on their networks by detecting scam URLs and telephone numbers, based on scam reports from customers and third parties (as we are requiring for P2P messaging).
We are also introducing new GCs for mobile operators and aggregators to ensure the requirements are effective and to minimise the risk that providers block legitimate messages. These include: a right for mobile users to challenge a decision to block a number or message; and requirements relating to reviewing policies, training staff, record keeping and compliance with data protection legislation.
We have published guidance on how providers can meet these requirements.
We have amended the proposal in our 2025 consultation13 to require mobile operators and aggregators to ensure the transmission of legitimate messages. Instead, we will require providers to identify, monitor and address instances where messages are blocked in error.
We also consulted on a requirement for providers to notify message senders when certain messages are blocked. In the light of new evidence, we have decided not to implement this proposal. We have made further amendments to the rules and guidance we proposed in our 2025 consultation, taking into account respondents’ feedback.
Additionally, Ofcom have today introduced strengthened guidance to set out how telecoms companies should protect people in the UK from international calls that imitate – or “spoof” – UK mobile numbers. Criminal gangs based abroad often prey on victims by imitating UK phone numbers which people are more likely to trust and therefore answer than calls from an unknown international number.
Under the new guidance, telecoms companies should now withhold the Caller ID (CID) of calls that appear to come from a UK mobile roaming abroad, unless they can verify its validity. Customers in the UK should continue to exercise caution in deciding whether to accept calls from withheld numbers, which can include legitimate and important calls, or from numbers that they don’t recognise.
Amy Jordan, Ofcom’s Strategy Delivery Director, said:
“Mobile messaging scams can have devastating consequences for victims, with criminal gangs using ever more sophisticated techniques to dupe their victims. Our new protections for consumers and businesses announced today will help ensure we remain one step ahead by disrupting and blocking this criminal activity at source. Working closely with Government, other regulators, law enforcement and industry we are confident that our collective efforts will make a significant difference in thwarting these predatory fraudsters.”
The new rules and new guidance that apply to P2P messaging will come into effect on 18th January 2027. Those that apply to A2P messaging will come into effect on 15th July 2027. However, some of the proposals, like the idea of putting volume limits on PAYG SIMs, could impact legitimate consumers too if not carefully introduced. This is especially relevant given how most PAYG plans are more like normal Pay Monthly services today, albeit often on shorter 30-day terms (i.e. the definition between what is Pay Monthly and PAYG has become somewhat confused).
Despite this risk, we understand that the volume limits would focus more on how many messages get sent via a SIM over a specific period of time, which we presume would be set to try and separate automated activity from human usage. Most, but not all, mobile operators in the UK already set such limits (varies between 100 per hour to tens of thousands a month), but even when adopted their application and enforcement can vary a lot (e.g. sometimes further texts are blocked, while in other cases accounts get sent for manual review). Ofcom are clearly seeking to standardise a more effective approach.
Advertisement
As usual consumers are encouraged to help combat scam messages and mobile calls by reporting them to 7726. Mobile providers use these reports to monitor scam activity and update their network protections.
Advertisement
All calls and text messages from a number that is not in your contact list is a scam – do not respond. Simple. Any genuine caller will leave a voice mail with a verifiable way to get back to them.
“Existing systems aren’t alwasy 100% effective”, and I would not expect the technical responses prompted by this Ofcom ruling to be 100% effective either.
This court case (last year, widely reported) shows that there has been smishing performed in ways that I think are invisible to operators and are largely unaddressable by OfCom rulings. (Fake cell transmitter mounted in a vehicle)
https://www.ukfinance.org.uk/news-and-insight/press-release/police-warn-sms-scams-following-prison-sentence-criminal-who
I think the only way to mitigate this (to some extent) is a SMS spam message sweeper operating on the phone itself (like a spam email sweeper that most companies operate on their inbound email traffic).