By Mary-Ann Russon, Business reporter, BBC News
IMAGE SOURCE, GETTY IMAGESMajor phone networks have agreed to automatically block almost all internet calls coming from abroad if they pretend to be from UK numbers, Ofcom has confirmed.
Criminals have been using internet-based calling technology to make it look like a phone call or text is coming from a real telephone number. Almost 45 million consumers were targeted by phone scams this summer. Ofcom said it expected the measures to be introduced at pace as a “priority”.
So far, one operator has already implemented the new plans, the regulator told the BBC, while other phone networks are still exploring methods of making it work.
“We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number,” said Lindsey Fussell, Ofcom’s networks and communications group director.
“We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”
She added that tackling the phone scams issue was a “complex problem” that requires a coordinated effort from the police, government, other regulators and industry. The move follows months of discussions between Ofcom and the UK telecoms industry.
Will the plans work?
Internet-based calling technology, also known as Voice Over Internet Protcol (VoIP), is used by millions of consumers globally to make phone calls free or cheaply every year. Popular services that use this technology include WhatsApp, Skype, Zoom and Microsoft Teams.
The Sunday Telegraph, which first reported the story, cited Whitehall sources that have cast doubt on Ofcom’s plans.
They say blocking traffic from foreign VoIP providers will not work to stop scam texts and calls, because much of the UK still relies on old copper-based networks dating back to the 1970s.
But some experts the BBC spoke to disagree. Apart from consumers, many businesses also use the VoIP technology for internal corporate phone networks.
Whenever a corporate phone network makes a call, a VoIP provider hands over the call from the internet to the phone networks.
Gabriel Cirlig of US cyber-security firm Human, telecoms companies are not inspecting the traffic they receive from VoIP providers, they just let it through onto the network.
“Recently, because of the ease in implementing your own private enterprise telephone system, everybody can have access to critical telephone infrastructure,” Mr Cirlig
“Because of this lower barrier of entry, it is very easy for scammers to build their own systems to spoof mobile numbers – the cybercriminals are essentially pretending to be legitimate corporate telephone networks in order to have access to legitimate telco infrastructure.”
IMAGE SOURCE, GETTY IMAGESHe adds that right now, it is up to the VoIP provider to check whether the calls it is handing over to telecoms networks are actually legitimate.
“This is not a regional problem or restricted to one type of infrastructure, this is a systemic issue that allows crime to cross any borders,” said Mr Cirlig.
“This feature is enabling the VoIP business model so they don’t want to stop it.” Matthew Gribben, a former consultant to GCHQ, the UK government intelligence agency, agrees. He used to see many scams while monitoring networks for GCHQ.
“It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so it will make a huge dent in this,” he said. “It doesn’t fix everything but it’s an excellent step in the right direction.”
Experts agree that the only way to completely fix the problem is to implement new telephone identification protocols that enable phone networks to authenticate that all calls and text messages actually come a real telephone number.
The new protocols, known as “Stir and Shaken” in a nod to James Bond, were developed by an international standards body, the US-based Internet Engineering Task Force.
US authorities have ordered mobile operators to implement the protocols by the end of 2021, but Ofcom told the BBC in August that introducing full authentication in the UK would only be possible when the technology that supports voice services is upgraded, which is due to be completed by 2025.
