Posted on: 2nd September 2025, by Magrathea
Regular readers will know that we work hard to stamp out fraud, not only within our network at Magrathea, but also at an industry level through our work at Comms Council UK and the NICC. That’s why we are particularly disappointed with Ofcom’s latest consultation on Calling Line Identification (CLI) spoofing.
How we got here
In January 2025, it became mandatory to block calls entering the UK from overseas that presented a UK CLI (with some specific exceptions). This move no doubt stopped a vast number of scam calls before they reached the consumer – a great success.
However, Ofcom’s rules excluded the blocking of calls that were presented with a UK mobile number (+447) as the CLI, on account of there being no way to know if it was a genuine UK mobile user roaming overseas. The risk of blocking genuine calls was simply too great, therefore these calls continue to flow unchecked into the UK. It took no time at all for fraudsters to spot this loophole, and providers reported sharp increases in suspicious traffic – in so far as it’s possible to tell. Ofcom acknowledges this risk in the latest consultation.
Ofcom’s consultation
In the previous statement, Ofcom made it clear that they would address this minefield next and reached out to the NICC to assess how to identify roaming mobiles so that only legitimate calls could pass through.
An NICC sub-group produced a report – though with limited participation from key parties – that assumed as the UK migrates to VoLTE and 5G that all roaming calls would eventually be Home Network Routed (HNR). On that basis they framed any near-term fix as temporary. This is mirrored by Ofcom’s consultation too.
This framing is problematic. Mobile CLI spoofing is not exclusively a mobile-core issue; it also occurs through non-mobile and cloud-based origination paths. Treating this as a short-lived challenge risks missing the bigger picture.
The NICC task group did acknowledge that not all calls originate on a SIM and were not in scope of their review and went on to show that the majority of those in the task group were keen on the CAMEL (Customised Applications for Mobile network Enhanced Logic) home routing approach.
This report, alongside a ‘call for inputs’ that Ofcom carried out in 2024, has shaped the consultation published this summer.
From the document, and our subsequent conversations with them, it is clear that Ofcom are attempting to find a solution that has minimal impact on UK providers whilst resulting in positive improvements for consumers. Aware that a number of the NICC suggestions would require a major overhaul in how the UK network functions, combined with the fact that Ofcom believe that the problem of CLI spoofing will decline in line with more services migrating to 4G and 5G, which are more secure by design, they are proposing what they feel is the most pragmatic and simple solution to implement.
Of course, we welcome Ofcom’s intervention in this tricky area and wholeheartedly support the attempt to tackle this blight on the UK consumer, but we feel the proposed approach fails to address the problem, and would go so far as to say it could make it worse. Not least because any assumption that this problem goes away with 5G is foolhardy at best.
What Ofcom are proposing
Ofcom’s consultation proposes the ‘withheld and restored’ model. Put simply, the ‘International Gateway’ or carrier bringing traffic into the UK (the first network in the UK to handle the call) must apply the ‘withheld cli’ flag.
The call must then be routed back to the UK home network hosting that number, likely using CAMEL. The home network can check that the subscriber is genuinely roaming, and if so, can restore the original CLI before passing the call through to the called party. If they cannot confirm this to be true, the CLI remains withheld.
Where the plan falls short
To Ofcom’s credit, they have accommodated providers who cannot use the proposed model by allowing them to continue to terminate calls with the withheld lag, this prevents immediate blocking of legitimate traffic.
However, the approach makes two questionable assumptions:
- That all +447 calls originate on mobile networks. In reality, many scam calls present a mobile CLI but do not originate from a handset. Non-mobile networks cannot easily implement CAMEL-based routing, leaving them little choice but to deliver calls permanently withheld.
- That app-based and cloud voice services can adapt. These services were designed to avoid traditional home-routing, and the added complexity and cost could stifle innovation in this fast-growing sector.
Why this might be worse than doing nothing
If implemented as written, UK consumers may begin to interpret ‘withheld’ as a signal of risk and visible CLI as validated and therefore safe. Yet we believe many scam calls are unlikely to follow a mobile-core path, and some unscrupulous networks may fail to add the withheld flag at all.
The result? More scam calls arriving with what looks to be a valid mobile CLI, potentially enjoying more consumer trust than they do today.
So what else can we do?
Other measures, such as enhanced traceback systems are being explored. These would help law enforcement and telcos to track the source of scam calls more easily, but these are reactive and can be slow. They cannot solve this challenge alone.
Ofcom has also considered other solutions such as proxy servers and APIs. Whilst these come with pros and cons, as well as costs and complexities, but for all the reasons given we some investment now is worthwhile if it means we have a solution that will work now and into the future.
Our preferred model is the one recently mandated by Comreg in Ireland. Recognising that SIP is common across networks, Comreg required mobile operators to develop a single proxy server which can be queried by all international gateways, real time, to check if a mobile is roaming. If it isn’t, the call is blocked.
Whilst of course this can still lead to in-country spoofing and termination of scam calls, it does at least give all carriers with a desire to do the right thing a means to do the basic validation. Moreover, once this solution is adopted, a natural step to validate ‘number in use’ becomes viable, another valuable check.
Conclusion
This is a genuinely difficult challenge that – for perhaps for the first time -requires mobile operators and other providers to work hand-in-hand for the good of stamping out fraud. Costs will rise across the supply chain, and benefits are hard to quantify.
We are ready to support Ofcom’s proposal if that is the collective decision, but before the ink dries, we urge Ofcom and industry colleagues to explore whether a more forward-looking approach, one that works for all kinds of services, could deliver greater long-term protection against scam calls.