This week, we heard the good news that the big phone networks have agreed to automatically block foreign scam calls, and we heard the bad news that an Ofcom survey has revealed that 45 million people in the UK were targeted by scam text messages or phone calls this summer!
The challenge has been that scammers based overseas have been able to use Voice Over Internet Protocol (VoIP) / internet-based calling technology to make it look as though a phone call or text is coming from a real telephone number. A recent ‘Which?’ survey has shown that in the 12 months to March 2021, phone call and text message fraud in England, Wales and Northern Ireland had risen by 83 per cent from the previous year and Action Fraud data confirmed that was the biggest rise across all types of fraudulent attacks.
The reasons why there have been such big and sustained increases in (foreign) scam calls and texts include:
– A telephone identification protocol called SS7, which dates back decades, is still part of the landlines and the 2G and 3G parts of mobile phone networks (even with a 5G-enabled handset). Scammers know how to steal the ‘presentation number’ and link this to their own number, thereby giving them the ability to make it look as though calls and texts are from legitimate UK sources. The presentation number is the number that the telephone network is told that a user is calling or texting from and the usage of the SS7 protocol means that the presentation number can’t be checked against the originating number, thereby enabling the fraud to continue.
– Some critics have suggested that telecoms companies don’t appear to be inspecting the traffic they receive from VoIP providers and just let it through onto the networks, thereby making it easier for scammers.
– There is a low barrier to entry for scammers because the prevalence of (and easy access to) enterprise VoIP telephone systems which means that they can easily (and relatively cheaply) build their own systems to spoof mobile numbers.
– The pandemic fuelled a big rise in online ordering which meant more deliveries, which led to fraudsters finding more success impersonating mail and delivery scams and using fake notifications by text and phone. This led the fraudsters to increase their efforts to capitalise on the opportunity.
Types of Attacks Using Foreign Phone & Text Scams
The types of attack that use scam phone calls and texts that incorporate ‘number spoofing’ (using Internet calling technology to make a phone call or text appear as though it is originating from a genuine number) include:
– Vishing. This combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data. Vishing scams to homes often use recorded voice messages e.g., claiming to be from banks and government agencies to make victims respond in the first instance.
– Smishing. This is where an attacker sends a text/SMS message purporting to be from a reputable company e.g., the Royal Mail or a parcel delivery company/courier service. The idea is that the recipient (who may be expecting a parcel delivery) is fooled into clicking on the link in the text message and this either send sends the attacker personal information (credit card number or password) or downloads a malicious program/malware to the victim’s phone. The malware can be used for snooping on the user’s smartphone data or sending sensitive data silently to an attacker-controlled server.
The Good News From Ofcom
Following recent reports from the Daily Telegraph (and Ofcom’s own survey findings that 45 million people in the UK received scam text messages or phone calls this summer), the communications regulator has been working with the big telecoms companies to implement technical solutions which could lead to a big reduction in these types of scam messages. Ofcom’s Network and Communications Group Director, Lindsey Fussell, says on the Ofcom website “We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number. We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”
Although only one network (TalkTalk) has introduced the blocking measures so far, Ofcom says that it expects the new measures to be rolled out by the phone networks as a priority and that others are looking at how to implement it.
Some critics have already poured cold water on the good news announcement by pointing out that:
– The systemic issue of VoIP providers not checking whether the calls they hand to telecoms networks are actually legitimate needs to be effectively tackled to solve the problem.
– Simply cracking down on “foreign calls” could actually damage legitimate businesses and individual VoIP customers who may still be UK based, even if the traffic appears to be external.
The Bad News – Ofcom Survey Reveals Extent of Scam Calls
As mentioned, an Ofcom survey from September this year revealed that almost 45 million people in the UK were targeted by scam text messages or phone calls over the summer months. A staggering 82 per cent of the 2,000 people surveyed said they had received a suspicious message as a text, recorded message, or live phone call to a landline or mobile. This represents an estimated 44.6 million adults in the UK.
The survey showed that most of these scams use text messages (71 per cent said they’d received a suspicious text). Also, the figures revealed that more than four in 10 people (44 per cent) who reported receiving a suspicious text message said it happened at least once a week.
Those who appear to have been targeted most with the scam calls and messages are:
– Those aged 16-34. Three-quarters of this age group have been targeted.
– 60 per cent of people aged 75 and over reported receiving a potential scam call to their landline.
What To Do?
The advice from Ofcom for those who receive a scam / suspicious text message is:
For Suspicious Texts
– Read any suspicious text carefully and look for any details that don’t seem right.
– Don’t click on any links or give out any personal or bank details.
– Report any suspicious texts to 7726 and make your friends and family aware too. Forwarding the message to 7726 directs the message to the mobile provider. If certain numbers are reported by enough people, these numbers can then be investigated and potentially blocked, thereby helping disrupt or to flush-out fraudsters and prevent more people being exposed to scam attempts.
The Ofcom survey showed that more than half of people who received a suspicious text either deleted the message (53 per cent) or blocked the number (52 per cent). These are, of course, other options but reporting the text can help to get the scam stopped.
For Suspicious Phone Calls
– Do not give out any personal or bank details.
– Hang up and then call the company they claim to be from to check if it is a scam. Use a trusted source (e.g. their official website) as the phone number.
– Report scam calls to Action Fraud (for England, Wales, and Northern Ireland) and make your family aware too. In Scotland, scam calls can be reported to Police Scotland via 101.
In the Ofcom research, almost half (49 per cent) of those who received a suspicious live voice call, and more than four in ten (44 per cent) who received a suspicious recorded message, blocked the number.
What Does This Mean For Your Business?
Scam calls and texts are not just disruptive and costly but are a way in for cyber-criminals and the results of cyber attacks can be devastating to businesses and threaten their very existence. The ability of cyber-criminals to use internet calling technology, seemingly at will, to launch attacks is a loophole that has been open far too long. Some responsibility appears to lie with VoIP providers who may not be checking the calls they hand over, but this action by Ofcom (and hopefully, more big communications companies than just TalkTalk) looks as though it has the potential to dramatically reduce the threat posed by scam calls and texts. The danger is that cracking down too hard on “foreign calls” could actually damage legitimate businesses that may be UK-based; care needs to be taken in implementation. Many UK businesses will benefit from not having to deal with all-too-frequent scam calls, any one of which could prove highly dangerous.