Closing the loopholes on scam callers

Posted on: 15th August 2024, by Magrathea

Plenty has been written, year on year, about the industry efforts to squash scam and nuisance calls. A cynic could suggest that it’s a whole lot of talk and not much action, but that would be unfair.  Lots has been going on, but the nature of the problem means the challenges morph and evolve over time and the rollout of measures to help can often be slow.

The problem of CLI spoofing and the challenges with identifying callers really went to the top of Ofcom’s list back in 2018 when pressure from the Home Office started bearing down on the regulator.  We reported here when Ofcom first updated the rules to ensure that only valid numbers that uniquely identify the caller could be used as Caller ID.  Operators were instructed to block any call where the CLI could not be called back.

By 2019 the industry saw another consultation to promote trust in CLI. The idea of a common database to verify numbers was tested once again as a potential tool to help with CLI validation, but this was subsequently quietly dropped from Ofcom’s plans once they decided against a STIR/SHAKEN style intervention.

2022 saw a new swathe of consultations and by that December we had a new statement which set out Ofcom’s approach to fraud and scams and formed the basis of future consultations on the topic. We reported here and here that Ofcom set out a three-prong approach:

  • Disrupt scams by updating rules and guidance and supporting comms providers to do more;
  • Collaborate and share more information between relevant parties;
  • Help consumers avoid scams by increasing reporting and raising awareness.

 

This statement set a deadline of May 2023 to implement some new rules to improve the accuracy of CLI data. The biggest change was that calls originating from abroad with a UK Network CLI should be blocked (with some strict use case exceptions). There is no doubt that this was a useful exercise but, as we anticipated, the bad actors simply found a new workaround to get their calls through.

The simplest workaround, if you are a bad actor looking to get your dodgy calls into the country, is to use a legitimate overseas number to show the true origin, so that the call passes through the carrier network, but still use a UK caller ID for the presentation number. The end user will only ever see the presentation number, which could even be the same as or similar to that of a trusted caller, and will most likely answer the call, oblivious to it being generated from somewhere thousands of miles away.

Presentation CLI to be used for call blocking

Ofcom very quickly realised that this loophole was enabling millions of scam calls to continue to come into the UK and have now released a statement which aims to shut this route down. Effective January 2025, the first network that an internationally originated call touches as it reaches the UK will be responsible for validating that the CLI is allowed and correct. If it’s not, the call should be blocked.

There are of course some exceptions to ensure people legitimately generating calls from overseas on behalf of UK customers (e.g. a hosted phone service or worker of a UK company living abroad) can continue to get their calls through.  Ofcom do appear to have put suitable effort into creating the exceptions – with the help of the NICC – but we are a little concerned that more use cases will surface that we haven’t yet thought of, which will result in some legitimate calls being blocked.

It’s really important that everyone engages with these changes early on so there are no surprises as the various networks implement the changes.  In fact, some networks have started blocking already, most notably BT.
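The difference between screening only the network CLI and screening the presentation CLI as well can be shown with a small model. This is an added example, not Magrathea's or Ofcom's code: the field names, the exception allowlist (a stand-in for the use case exceptions, which the post does not detail), the treatment of every +447 number as mobile, and the sample numbers are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Call:
    ingress: str           # "international" or "domestic" (hypothetical field)
    network_cli: str       # Network Number: identifies the true origin
    presentation_cli: str  # Presentation Number: what the called party sees

def normalise(cli: str) -> str:
    """Return +<digits>. Assumption: a national-format 0... number is UK."""
    digits = "".join(ch for ch in cli if ch.isdigit())
    if cli.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return "+" + digits

def uk_non_mobile(cli: str) -> bool:
    # Simplification: all +447 numbers count as mobile, which the post says
    # must not be blocked even when the call arrives from outside the UK.
    n = normalise(cli)
    return n.startswith("+44") and not n.startswith("+447")

def screen_network_only(call: Call, exceptions=frozenset()) -> str:
    """Earlier rule as described in the post: only the Network CLI is checked."""
    if call.ingress != "international":
        return "allow"
    n = normalise(call.network_cli)
    return "block" if uk_non_mobile(n) and n not in exceptions else "allow"

def screen_both(call: Call, exceptions=frozenset()) -> str:
    """First UK network also validates the Presentation CLI."""
    if call.ingress != "international":
        return "allow"
    for cli in (call.network_cli, call.presentation_cli):
        n = normalise(cli)
        if uk_non_mobile(n) and n not in exceptions:
            return "block"
    return "allow"

# Constructed sample calls (fictional numbers).
SPOOFED = Call("international", "+12025550143", "020 7946 0000")
ROAMING = Call("international", "+447700900123", "07700 900123")
HOSTED = Call("international", "+12025550143", "+442079460001")
UK_NETWORK = Call("international", "+442079460002", "+442079460002")
DOMESTIC = Call("domestic", "+442079460000", "+442079460000")
```

`SPOOFED` passes `screen_network_only` but is blocked by `screen_both`, while `HOSTED` is blocked unless its presentation number is in the exception set, which is the kind of legitimate traffic the post warns could be caught.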

 

What about CLI spoofing?

We are pleased to see these further steps being taken to help reduce scam calls, and as is often the case we plan to have blocking on our network ready to enforce ahead of the mandated deadline because it’s the right thing to do.   But we continue to be disappointed that Ofcom haven’t taken steps to look at CLI spoofing, something that we feel the pain of directly far too often.

When someone fakes a CLI which happens to be a real one on our network, as the range holder we get the complaints and reputational damage with absolutely no way to prevent calls or detect them happening.  The only way we can stamp out this type of use is to be able to identify the source of a call and get that source blocked.  This means we need to be able to trace calls back up the call path to the originator.

Of course, we appreciate that this is not a straightforward process, and for some networks it could be a costly exercise to store and manage data in a way that would make tracing viable. Add to this the need for many networks to collaborate, for someone to manage the process, and to do all of this whilst remaining secure and not divulging commercially sensitive information, and it is a serious ask.

We believe Ofcom agree that this would be a useful development, especially as they claim to be unable to trace calls to source very often due to lack of resource,  and we know the NICC have done some work in this area already.  However, like the common database idea, the chatter around this has gone a bit quiet.

Based on our experience with the USA Traceback system, we think it’s possible to devise something that will work in the UK and help range holders protect their reputation from this common but frustrating practice, but we know that for this to be adopted by industry it will have to be pushed upon us. Magrathea will be highlighting this ask as part of the work we are doing with the CCUK Fraud Group and associated Home Office Fraud Charter Review, which we hope will be picked up again by the new Government soon!

Mobile CLI spoofing – the next loophole?

Readers of our most recent article on the topic (here) will know that we fear the next loophole to be taken advantage of is calls with a mobile Caller ID. With so many of us comfortable answering calls from 07xx ranges, the chances of us picking up calls appearing to be from UK mobiles are high, and therefore the ability for scammers to reach their target increases.

For now, the rules say not to block calls with a mobile CLI even if it comes from outside the UK.  The problem of course is that UK mobile numbers can legitimately be used around the world when roaming so simply asking networks to block these calls when they originate overseas would be dangerously intrusive.

The NICC have been working on this challenge for some time now but haven’t reached a consensus on the best approach. It seems that looking at how other countries tackle this is of little help too, with again no real consensus on what works and what doesn’t.

This leads us to Ofcom’s two new ‘Calls for Input’ that have just been published, asking industry to comment on the potential risks and potential solutions.

The CFI can be found here and is reasonably short so well worth a quick read.

Ofcom admits that they are light on evidence of the problem and the harm caused, so will struggle to complete the proportionality assessment required during the consultation phase. This is especially difficult as the consultation will come before any knock-on impact will be truly felt from the January changes to fixed numbers, the potential catalyst for more issues with mobile CLI use.

Ofcom looks at two types of solution to this challenge.  The first relies on the International gateway checking that the caller is actually roaming (via their home network) and the second involves the International gateway modifying the signaling of the call and then leaving the home network to complete final checks (and CLI changes if necessary).

They compare the approach to that of ComReg, the Irish regulator, who have recently issued a statement on their approach, but there has been enough push back on cost and complexity to make them limit the requirement to operators with a revenue of over €50m. They’ve also taken a two-phase approach, with many thinking the second phase will become unnecessary as telephony technology evolves.

If you have an opinion on this topic we strongly suggest you read and respond to the CFI. It’s a fairly brief document by Ofcom standards and your input will help influence the consultation that they plan to publish early next year.

Mobile messaging (SMS and RCS)

The second ‘Call for Input’ document covers mobile messaging, specifically SMS and RCS.  Ofcom claims that mobile network operators are already blocking around 30 million suspicious messages each month, but clearly there is more to do.  Ofcom want to assess the effectiveness of existing measures (e.g. due diligence checks, traffic monitoring and consumer awareness) as well as find areas of improvement.

RCS is still very much the new kid on the block and Ofcom are asking for input on how best to monitor and measure problems. Without doubt, the more sophisticated and innovative the tools, the more opportunity there is for sophisticated and innovative scams! For example, RCS has the added benefit of being able to add branding, but with that comes the risk of providing a false sense of safety for consumers receiving the messages.

Once again, the CFI is quite brief, so if you want to contribute, have a look here and send in your thoughts to Ofcom.

Summary

In brief, the latest statement is another positive step towards stamping out scam calls and we are keen to work with our clients to implement the rules whilst ensuring legitimate use cases are not impacted.  If you have any concerns about your traffic and how we will manage it going forward please do get in touch.

But we also think more needs to be done and, on that basis, we continue to support the work of Comms Council UK who are treating Fraud and Scams as top priority this year, plus our own efforts to produce best practice guidance for clients and constantly improving our monitoring, detection and reporting tools.

If you agree more could be done, please do help keep the pressure on.  You can do this by responding to Ofcom CFIs directly or through a trade association such as CCUK or FCS.  You can also be sure to follow current best practice on Know Your Customer checks, making it harder for the bad actors to slip through the net.

With so many knowledgeable people and ever improving technology in our industry, we should be able to come up with some great ideas to help keep us a step ahead of the perpetrators of fraud.

If you would like to discuss any of these challenges, understand how we are playing our part, or share any ideas please do drop us an email and we can set up a call!