Major phone networks have agreed to automatically block almost all internet calls coming from abroad if they pretend to be from UK numbers, Ofcom has confirmed.
Criminals have been using internet-based calling technology to make it look like a phone call or text is coming from a real telephone number.
Almost 45 million consumers were targeted by phone scams this summer.
Ofcom said it expected the measures to be introduced at pace as a “priority”.
So far, one operator has already implemented the new plans, the regulator told the BBC, while other phone networks are still exploring methods of making it work.
“We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number,” said Lindsey Fussell, Ofcom’s networks and communications group director.
“We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”
She added that tackling the phone scams issue was a “complex problem” that requires a coordinated effort from the police, government, other regulators and industry.
The move follows months of discussions between Ofcom and the UK telecoms industry.
Will the plans work?
Internet-based calling technology, also known as Voice over Internet Protocol (VoIP), is used by millions of consumers globally every year to make free or cheap phone calls.
Popular services you might recognise that use VoIP include WhatsApp, Skype, Zoom and Microsoft Teams.
The Telegraph, which first reported the story on Sunday, cited Whitehall sources that have cast doubt on Ofcom’s plans.
They say blocking traffic from foreign VoIP providers won’t work to stop scam texts and calls, because much of the UK is still relying on old copper-based ISDN networks dating back to the 1970s.
Security experts the BBC spoke to disagree, however.
Apart from consumers, many businesses also use the VoIP technology for internal corporate phone networks.
Whenever a corporate phone network makes a call, a VoIP provider hands over the call from the internet to the phone networks – a technology called “SIP trunking”.
According to Gabriel Cirlig of US cyber-security firm Human, telcos are not inspecting the traffic they receive from VoIP providers – they just let it through onto the network.
“Recently, because of the ease in implementing your own private enterprise telephone system, everybody can have access to critical telephone infrastructure,” Mr Cirlig told the BBC.
“Because of this lower barrier of entry, it is very easy for scammers to build their own systems to spoof mobile numbers – the cybercriminals are essentially pretending to be legitimate corporate telephone networks in order to have access to legitimate telco infrastructure.”
He adds that right now, it is up to the VoIP provider to check whether the calls it is handing over to telecoms networks are actually legitimate.
“This is not a regional problem or restricted to one type of infrastructure, this is a systemic issue that allows crime to cross any borders,” said Mr Cirlig.
“This feature is enabling the VoIP business model so they don’t want to stop it.”
Matthew Gribben, a former consultant to GCHQ, the UK government intelligence agency, agrees. He used to see ongoing scams while monitoring networks for GCHQ.
“It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so it will make a huge dent in this,” he told the BBC. “It doesn’t fix everything but it’s an excellent step in the right direction.”
What else can be done?
Overall, the experts agree that the only way to completely fix the problem is to implement new telephone identification protocols that enable phone networks to authenticate that all calls and text messages actually come from a real telephone number.
The new protocols, known as “Stir and Shaken” in a nod to James Bond, were developed by an international standards body, the US-based Internet Engineering Task Force (IETF).
US authorities have ordered mobile operators to implement the protocols by the end of 2021, but Ofcom told the BBC in August that introducing full authentication in the UK will only be possible when the underlying technology that supports voice services is upgraded to become internet protocol-based (IP) networks, which is due to be completed by 2025.
The Body of European Regulators for Electronic Communications (BEREC) told the BBC it can require mobile operators to block, on a case-by-case basis, access to numbers or services in case of fraud. However, it cannot impose Stir and Shaken on EU operators.
“Nevertheless…these protocols are currently [being] discussed at the level of the European Conference of Postal and Telecommunications Administrations,” said a BEREC spokesman.
There are also efforts being made by the UK to invest in technologies that improve overall telecoms cyber-security.
Startup Arqit was asked by BT and the government in 2017 to develop quantum encryption for satellites.
The firm, which listed on the Nasdaq in June, has developed a solution that creates “unbreakable” software encryption keys, delivered via satellite, to secure any device or cloud server.
“The encryption keys we create would take even a quantum computer more than the age of the universe to crack,” said Arqit’s founder and chief executive David Williams.
Arqit recently signed agreements with BT, Northrop Grumman, Juniper Networks and Babcock. It merged with US firm Centricus in September, following approval by the US Securities and Exchange Commission, which consulted with quantum scientists as part of its vetting process.