How to combat caller ID spoofing and voice fraud

May 3, 2024
Innovations in cloud-based signaling security with a zero-trust model have helped operators significantly improve voice security

According to GASA, 61% of the world’s population has received scam calls in the last 12 months. Telecoms fraud, and in particular caller ID spoofing, is a rapidly rising problem for mobile users and telecommunications companies alike. Many of these attempts to defraud are uncannily convincing, and vast numbers of people, especially more vulnerable members of society, fall prey to the tactics: last year mobile users worldwide lost an eye-opening $58 billion to scam calls. It’s costing operators dearly too. Reported fraud losses rose 12% in 2023 to an estimated $38.95 billion, representing 2.5% of telecommunications revenues, according to the Communication Fraud Control Association.

Until recently, one of the giveaways for these scam calls was that they came from an unknown number – often an international number that is immediately suspicious and gives people cause to hesitate before they answer, if they answer at all. However, that is now changing as caller ID spoofing becomes more common. When it comes to caller line identification (CLI), there are two numbers at play – the network number and the “presentation” number. The latter is what recipients see when their phone rings, whereas the former is what is shared with providers to identify where the call came from.

In many cases, these two numbers are the same. However, there are some legitimate reasons they might differ, such as a call center making calls on behalf of a business it represents, or distributed public bodies that want to display one common phone number.

Caller ID spoofing is when phone fraudsters exploit this system to disguise their identity and “present” as a legitimate business or contact with which their victims already have a relationship. When a phone number looks legitimate, recipients are, of course, more likely to answer the call.
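
To make the two-number model concrete, here is an added example (not from the original article or any vendor's product) that compares the network number with the presentation number on constructed SIP headers. It assumes a SIP interconnect where the network number travels in P-Asserted-Identity and the presentation number in From; the `AUTHORISED` table and the verdict names are hypothetical.

```python
import re

# Constructed sample header blocks (not real traffic); the numbers are
# fictional and chosen only for illustration.
SAMPLE_INVITES = {
    # Network number and presentation number are the same.
    "same": "From: <sip:+442079460001@a.example>;tag=1\r\n"
            "P-Asserted-Identity: <sip:+442079460001@a.example>\r\n",
    # Call center presenting the number of the business it represents.
    "call_centre": "From: \"Example Bank\" <sip:+442079460500@b.example>;tag=2\r\n"
                   "P-Asserted-Identity: <tel:+441614960100>\r\n",
    # Same presentation number, but from a network number with no such right.
    "spoof": "From: \"Example Bank\" <sip:+442079460500@c.example>;tag=3\r\n"
             "P-Asserted-Identity: <sip:+441614960999@c.example>\r\n",
    # No network number at all: nothing to verify the presentation against.
    "no_network": "From: <sip:+442079460500@d.example>;tag=4\r\n",
}

# Hypothetical policy table: network number -> presentation numbers that the
# originating party has been authorised to display.
AUTHORISED = {"+441614960100": {"+442079460500"}}

NUMBER = re.compile(r"(?:sip|tel):(\+?\d+)")

def header_number(message, name):
    """Return the first sip:/tel: number in the named header, or None."""
    for line in message.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            match = NUMBER.search(value)
            return match.group(1) if match else None
    return None

def classify(message):
    """Verdict for one call: match, authorised-difference or unverified."""
    network = header_number(message, "P-Asserted-Identity")
    presented = header_number(message, "From")
    if network is None or presented is None:
        return "unverified"
    if network == presented:
        return "match"
    if presented in AUTHORISED.get(network, set()):
        return "authorised-difference"  # legitimate reason to differ
    return "unverified"                 # candidate for screening

if __name__ == "__main__":
    for label, invite in SAMPLE_INVITES.items():
        print(label, classify(invite))
```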

The Vulnerability of Voice Services

It wasn’t long ago that most financial transactions were based on in-person relationships: opening a bank account, buying a new house or car, applying for a business loan, and choosing stocks and shares. These decisions and many more were based on trusted relationships that were developed in person. Digital transformation has altered these processes beyond recognition. However, even though we can access many services with just a few clicks, voice is still a key go-to service for choosing service providers, resolving customer service issues, checking information, and verifying the legitimacy of businesses.

This, of course, varies across generations. According to eMarketer, 53% of consumers aged 18-44 prefer digital to phone when interacting with a business, whereas only 35% of consumers aged 45-75 prefer it. In both cases, voice calls still play a significant role, but older generations tend to depend on them even more, and as such have become more heavily targeted by fraudsters.

This sheer dependability of voice services makes them vulnerable, a fact that fraudsters have been quick to exploit. Caller ID spoofing doesn’t just result in financial losses; it erodes mobile users’ trust in brands, digital communications and society.

The Response from Regulators

Fortunately, action can be taken to mitigate the risks around scam calls. As well as advice for consumers and businesses on how to spot and report scam calls, regulators worldwide are considering other ways to reduce this type of fraud. In the UK, all calls offering financial products are banned, which means that if consumers are targeted in this way, they can confidently assume it’s a scam. One common tactic is that fraudsters pretend to be calling to prevent fraud, persuading the victim that they must log in or identify themselves to secure their account or prevent fraud from taking place. These types of calls are much harder to prevent.

In Singapore, regulators have proposed a shared responsibility framework for scam emails and calls in which operators will be held accountable and liable to fines. Similarly, regulators in Europe are in discussions with operators to minimize scam calls by improving the way operators identify and handle spoofed numbers, modeled on the approach taken by the Finnish regulator, Traficom, which provides clear technical guidance to operators on how to prevent voice spoofing.

Technical Approaches to Protect Voice Calls

Finland has led the way in demonstrating how spoofed calls can be stopped in their tracks by following a zero-trust model. Each incoming call on the network is treated with the same suspicion, an approach best summarized as “never trust, always verify.” This approach is rapidly gaining favor and has significant advantages over the trust-based approach known as the STIR/SHAKEN framework.

While STIR/SHAKEN is mandated by the FCC in the U.S. and by the CRTC in Canada for VoIP (internet-based calls), it is seen as a relatively expensive framework to implement and much of the world has opposed adopting it. Ofcom, the UK communications regulator, has dismissed STIR/SHAKEN altogether in favor of a “zero trust” model, as has much of the EU. The zero-trust model allows operators to implement their own checks regardless of the source of the call.

How Zero Trust Signaling Reduces the Threat to Voice Services

Many operators are now embracing the zero-trust approach to mitigate caller ID spoofing as well as other threats to voice services, such as Wangiri calls, flash calls and SIM box fraud. Integrating a zero-trust platform, such as Enea’s voice firewall, within the core network enables operators to verify the authenticity of calls in real time. It’s a cloud-native system robust enough to authenticate every call, yet flexible enough to be customized with additional security features and future enhancements and to comply with the evolving regulatory landscape.

What’s Next for Voice Services

MNOs face a growing threat from cybercriminals abusing the oldest and most trusted communications protocol – voice. Many of the top fraud methods are now voice-related and almost all involve caller ID spoofing. Consumers, businesses and operators are suffering losses from this type of fraud running to billions each year, but recent innovations in cloud-based signaling security with a zero-trust model of cybersecurity have helped pioneering operators significantly improve voice security, protect revenues and strengthen their brand.

Nevertheless, operators should remain on high alert. While regulations guiding operators on how to protect against spoofing are coming, meeting these regulatory requirements with a “tick-box” solution is doomed to fail as fraudsters are quick to find their way around inadequate protection. Instead, a solution that adapts quickly to new and evolving threats as they surface is needed to keep subscribers safe.

Jelte Jansons is the Director of Product Management at ENEA. He has 15 years of broad and global experience in the telecommunication industry. Most recently, Jelte worked in 5G and global Internet of Things connectivity. Jelte has an M.Sc. in Software Engineering and a background in product management, software development, user experience, technical pre-sales, and teaching. Jelte bridges global cross-cultural business with the most complex and advanced technology. Before joining Enea, Jelte worked as a product manager at Telenor IoT and Ericsson in Europe and Asia.