Telephony fraud is not something new, and new scams appear to crop up on a regular basis. It is therefore the responsibility of our industry to remain ahead of the curve by addressing some of the ongoing issues. This includes number spoofing, which is seen as a bugbear for many.
Ofcom documented that, in 2019, the Information Commissioner’s Office (ICO) received almost 130,000 complaints about nuisance calls (including number spoofing), which was a year-on-year increase of just shy of 5,000 since 2018. Number spoofing is something that everybody within the industry agrees needs to be tackled, and it has become particularly prominent in the news agenda throughout the Covid-19 pandemic. The solution is complex.
In June 2021, a suite of protocols and procedures known as ‘STIR/SHAKEN’ became a legal requirement in the United States, after many years of campaigning for tighter regulations to combat caller ID spoofing on public telephone networks. The main purpose of STIR/SHAKEN is to return trust to customers, so they have confidence in the phone numbers that appear when they receive calls. With STIR/SHAKEN now in place in the US, it’s worth taking a look at what the UK is trying to do to prevent number spoofing – will it be a simple ‘copy and paste’ job, or something entirely different?
The UK’s Options
Ofcom has clearly stated its intention to protect consumers from nuisance calls and scams in its 2021 action plan document, laying bare its commitment to telephone safety, especially considering that it will soon be publishing a consultation around CLI authentication. It is working with the international regulators – as well as the telecoms industry in general – to find potential solutions to the issue.
For example, Ofcom documented in its ICO-Ofcom joint action plan that the Internet Engineering Task Force (IETF) created a new technical standard to support CLI authentication, so that valid numbers can be identified and marked from the beginning of a call and passed along the ‘call chain’ to the recipient.
“Enforcing traceability, blocking non-compliant signalling, and taking faster action, is undoubtedly the best way to go. However, enforcement will undoubtedly be key. For example, the proper enforcement of existing rules could have a faster difference and, even if the UK implemented its own version of STIR, it would make no difference without effective enforcement. It will be very interesting to see what way Ofcom decides to go”
So, what else can we be doing? The first port of call is to help address awareness around some of the Covid-related scam calls and tackle the way we communicate about future scams. Throughout the pandemic, scammers have taken advantage of most of the population staying at home for longer periods of time than beforehand. A case can be made to suggest that there has been unclear messaging about the reliability of numbers from the public sector. For example, the NHS website states that, if you have received a letter or text message but have not booked your coronavirus vaccination appointment, you will receive a call from the NHS Immunisation Management Service on an 0300 number. This does not necessarily mean the NHS has called you, and it could still be a spoof.
Incomplete information can allow scams to succeed, and more needs to be done to ensure the public remains vigilant and understands the dangers posed by spoof calls. At a network level, The National Cyber Security Centre (NCSC) has taken substantial action to block numbers that have not come from authorised call centres. This is the perfect example of something that should be happening all the time, to protect vulnerable people.
