Freely subscribe to our NEWSLETTER

Until very recently, one of the dead giveaways for these scam calls was that they came from an unknown number – often from an international number that is immediately suspicious and gives people cause to hesitate before they answer, if they answer at all. However, that is now changing as caller ID spoofing becomes more common. When it comes to caller line identification (CLI), there are two numbers at play – the network number, and the “presentation” number. The latter is what recipients see when their phone rings, whereas the former is what it shared with providers to identify where the call came from.

In the vast majority of cases, these two numbers are the same. However, there are some legitimate reasons they might be different, such as a call center making calls on behalf of a business they represent or distributed public bodies that want to display one common phone number.

Caller ID spoofing is when phone fraudsters exploit this system to disguise their identity and “present” as a legitimate business or contact with which their victims already have a relationship. When a phone number looks legitimate, they are, of course, more likely to answer the call.

The Vulnerability of Voice Services
It wasn’t too long ago that most financial transactions were based on in-person relationships; opening a bank account, buying a new house or car, applying for a business loan, choosing stocks and shares. These decisions and many more were based on trusted relationships that were developed in person. Digital transformation has altered these processes almost beyond recognition. However, even though we can access many services with just a few clicks, voice is still a key go-to service for choosing service providers, resolving customer service issues, checking information, and verifying the legitimacy of businesses.

This, of course, varies through generations. According to eMarketer, 53% of consumers aged 18-44 prefer digital to phone when interacting with a business, whereas only 35% of consumers aged 45-75 prefer it. In both cases voice calls still play a signicant role, but older generations tend to depend on it even more, and as such have become more heavily targeted by fraudsters.

This sheer dependability of voice services makes them vulnerable, a fact that fraudsters have been quick to exploit. Caller ID spoofing doesn’t just result in financial losses, it erodes mobile users’ trust in brands, digital communications and society as a whole.

The Response From Regulators
Fortunately, action can be taken to mitigate the risks around scam calls. As well as advice for consumers and businesses on how to spot and report scam calls, regulators worldwide are considering other ways to reduce this type of fraud. In the UK, all calls offering financial products are banned, which means that if consumers are targeted in this way they can confidently assume it’s a scam. One common tactic is that fraudsters actually pretend to be calling to prevent fraud, pursuading the victim that they must log-in or identify themselves in order to secure their account or prevent fraud from taking place. These types of calls are much harder to prevent.

In Singapore, regulators have proposed a shared responsibility framework for scam emails and calls in which operators will be held accountable and liable to fines. Similarly, regulators in Europe are in discussions with operators to minimize scam calls by improving the way operators identify and handle spoofed numbers, modelled on the approach taken by the Finnish regulator, Traficom, which provides clear technical guidance to operators on how to prevent voice spoofing.

Technical Approaches to Protect Voice Calls
Finland has led the way in demonstrating how spoofed calls can be stopped in their tracks by following a zero-trust model. Each incoming call on the network is treated with the same suspicion which is best summarized as “never trust, always verify”. This approach is rapidly gaining favor and has significant advantages over the trust-based approach known as the STIR/SHAKEN framework.

While STIR/SHAKEN is mandated by the FCC in the US and by the CRTC in Canada for VoIP (internet-based calls), it is seen as a relatively expensive framework to implement and much of the world has opposed to adopt it. Ofcom, the UK communications regulator, has dismissed STIR/SHAKEN altogether in favour of a “zero trust” model, as has much of the EU, which allows operators to implement their checks regardless of the source of the call.
How Zero Trust Signaling Reduces the Threat to Voice Services

Many operators are now embracing the zero-trust approach to mitigate caller ID spoofing as well as other threats to voice services, such as Wangiri calls, flash calls and SIM box fraud. Integrating a zero-trust platform, such as Enea’s voice firewall, within the core network enables operators to verify the authenticity of calls in real-time. It’s a cloud-native system robust enough to authenticate every call while being flexible enough to be able to be customized with additional security features, future enhancements and comply with the evolving regulatory landscape.

What’s Next For Voice Services
MNOs face a growing threat from cybercriminals abusing the oldest and most trusted communications protocol – voice. Many of the top fraud methods are now voice-related and almost all involve caller ID spoofing. Consumers, businesses and operators are suffering losses from this type of fraud running to billions each year, but recent innovations in cloud-based signaling security with a zero-trust model of cybersecurity have helped pioneering operators significantly improve voice security, protect revenues and strengthen their brand.

Nevertheless, operators should remain on high alert. While regulations guiding operators on how to protect against spoofing are coming, meeting these regulatory requirements with a “tick-box” solution is doomed to fail as fraudsters are quick to find their ways around inadequate protection. Instead, a solution that adapts quickly to new and evolving threats as they surface is needed to keep subscribers safe.