More than 40 million people have received a suspicious call or text in the last three months alone, and one common tactic is to ring potential targets with a spoof phone number.

This means the number displayed to a call recipient imitates a trusted person or organisation, such as a bank.

The telecoms watchdog, Ofcom, said “where scam calls appear trustworthy, it means victims are more likely to share personal information or make a payment, which can lead to significant financial and emotional harm”.

In a bid to tackle the scourge of these scam calls, it is requiring all phone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls “where technically feasible”.

This rule is expected to come into force on 15 May 2023 “to allow providers sufficient time to make the necessary technical changes” though it expects providers to start work immediately to meet this deadline.

Spoof calls – how do scammers imitate banks?

Ofcom revealed that under current rules, providers are required to make information about the caller available to a recipient, giving them the option of whether to pick up or not.

This is part of Calling Line Identification (CLI) data which includes information that identifies the caller as well as a privacy marking which shows whether the number can be shared with the person receiving the call.

There are two numbers associated with CLI data – the Presentation Number and the Network Number. Call recipients see the Presentation Number when they answer a call. The Network Number is shared with providers to identify the origin of the call.

Source: Ofcom

Unsolicited calls on the rise

Changes in technology have made it easier for scammers to manipulate this data to spoof numbers. This includes scammers who are based abroad using spoofed numbers to make it look like they are calling from the UK.

Ofcom explained that the introduction of VoIP (Voice over Internet Protocol) has made it cheaper to generate calls and has resulted in an increase in the volume of unsolicited calls.

Using VoIP calling, providers (and some callers) can more easily manage and manipulate the CLI data provided with a call.

Ofcom said that while this has created benefits, for example call centres that can make calls on behalf of a number of different businesses, it has also made it easier for other callers to misuse CLI for a variety of malicious reasons, most obviously by ‘spoofing’ the identity of a caller to mislead the recipient of a call.

By hiding their identity and using a false or invalid phone number to be displayed when making calls, this encourages the recipient to believe a call is from a legitimate source and make them more likely to answer it. The use of spoofed numbers has also made it harder to detect and block such calls and to trace perpetrators.

The misuse of CLI data can lead to significant harm for potential victims, for example where it helps scammers mislead the recipient of a call about their identity in order to encourage them to give away sensitive information or money.

Ofcom’s 2022 consumer research found the problem of scam calls (and texts) to be widespread, with attempted scams being experienced by over three quarters of phone users in the UK with fraud now accounting for 41% of all reported crime incidents.

Action to tackle scams

In February 2022, Ofcom consulted on proposals to strengthen its rules and guidance for providers to identify and block calls with ‘spoofed’ numbers to reduce the number of scam calls reaching recipients “and ultimately to reduce the risk of people being scammed”.

And now Ofcom will require providers, where technically feasible (Ofcom said what is technically feasible for different providers may vary, depending on the technology they use for voice calls and the networks that they connect with), to identify and block calls with CLI data that is invalid, doesn’t uniquely identify the caller or doesn’t contain a number that is dialable.

Tell-tale signs include calls originating from abroad that don’t have a valid caller ID, numbers that don’t meet the UK’s 10- or 11-digit format and those that appear from numbers already on its ‘Do Not Originate’ list.

As part of its statement on improving the accuracy of Calling Line Identification data, Ofcom said: “The misuse or spoofing of CLI data can also have wider effects, such as reducing consumer trust in voice calls. Any loss of trust in communications services may mean that legitimate communications from businesses are ignored or not received.”

It added the rule change should help providers to identify and block calls that have inaccurate CLI data.

“We expected that blocking calls that do not comply with our rules for CLI data would mean that calls with the most obviously spoofed CLI data would not reach the intended recipient. This should help reduce the number of scam calls reaching customers and ultimately the number of people being scammed in this way.”

However, it added: “Given the pace at which scammers change their tactics, we understand that it will not be possible to stop all scams reaching consumers. We are working to help consumers avoid scams by raising awareness so consumers can more easily spot and report them.”