Ofcom Tell UK Phone Operators to Block Foreign VoIP Scam Calls UPDATE

The UK telecommunications regulator, Ofcom, has reportedly taken radical action to curb the plague of scam calls, which it is attempting to achieve by “ordering” major phone operators to automatically block any “suspicious” Voice-over-Internet (VoIP) calls that come from abroad if they pretend to come from numbers in the UK.

Most of the major UK broadband, phone and mobile network operators have already implemented technical measures to tackle Nuisance Calls, but these aren’t always 100% effective and there are still plenty of operators – particularly smaller providers and some VoIP firms – that don’t do enough.

Last week, Ofcom reported that an estimated 44.6 million UK people may have received scam calls and text messages during the past three months alone (here). Sadly, around 2% of those who received such a message or call (roughly 1 million people) reported following the scammers’ instructions.

However, stopping such abuses – without a strong degree of international cooperation and coordination – is technically very difficult to achieve and often risks catching masses of legitimate calls. But according to the BBC, the regulator is attempting to block “suspicious international calls” at source, where they are masked by a UK number.

At this point we haven’t seen any useful technical details on the approach being taken here or precisely what Ofcom has requested operators to do, which makes for somewhat of a guessing game. But much may well depend upon how Ofcom and the operators decide that such calls should be deemed “suspicious,” prior to any block being introduced.

Presently, unless a particular number has already been identified as causing abuse (e.g. following consumer complaints and other threat intelligence) or is being monitored for lawful security reasons, then operators tend not to inspect such traffic and will allow it to pass through their networks unabated. Spoofing UK numbers is also fairly easy to achieve, which helps to make scam calls look more credible to consumers.

According to Matthew Gribben, a former consultant to the UK government’s intelligence agency (GCHQ): “It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so [Ofcom’s move] will make a huge dent in this. It doesn’t fix everything, but it’s an excellent step in the right direction.”

One other way of tackling this issue would be a new telephone identification protocol, which can help operators to authenticate that all calls and text messages come from a real number. The Engineering Task Force (IETF) has been attempting to do this via their suit of STIR/SHAKEN protocols (i.e. STIR = Secure Telephony Identity Revisited / SHAKEN = Signature-based Handling of Asserted information using toKENs), but so far it’s been mostly focused upon the USA and Canada.

The EU are also tentatively investigating adoption of STIR/SHAKEN, while Ofcom has already said that this might not be possible in the UK until after December 2025, which is the date by which all of Openreach’s traditional phone (voice) services are supposed to have been migrated over to a modern all-IP (Internet Protocol) based network.

Meanwhile, the biggest question mark over Ofcom’s new approach is currently centred around whether they’ve done enough to avoid the new measure obstructing legitimate voice calls. Easier said than done. Many VoIP networks are international in nature and so it’s not always as simple as highlighting “foreign calls“, since many legitimate businesses and individual VoIP customers may still be UK based, even if the traffic appears to be external.

In short, some degree of overblocking could be inevitable. But once again, we haven’t seen any details of how they’re doing this, yet.

UPDATE 5:06pm

We’ve had a comment from broadband ISP TalkTalk, which confirms that they’re the first provider to implement the aforementioned change.