Ofcom issues stern warning over fake caller number ID scam
Chances are it's not Aunt Sally phoning you to talk about your mother's maiden name
Telecoms regulator Ofcom is warning customers of the dangers of CLI spoofing – the process which allows incoming calls to display fake originating numbers on recipients' phones.
The organisation has pointed out that there are valid reasons for spoofing – “for example, a caller who wishes to leave an 0800 number for you to call back if you want” – but warns against scams.
Identity thieves who want to steal sensitive information, such as your bank account or login details, sometimes use spoofing to pretend they're calling from your bank or credit card company.
Ofcom says that the rise of VoIP has increased the problem, and that it is working with other regulators, the telecoms industry and the Internet Engineering Task Force (IETF), which has created a group specifically to tackle this issue.
In June 2014, Ofcom reported to the International Telecommunications Union (ITU) that it envisaged up to two billion spoofing attempts per year in the UK and was stopping nuisance calls at source through an agreed call-tracing process. Ofcom said it was “using of clear regulatory guidelines on CLI to identify problematic calls including VoIP and VoIP to SS7 transition, to allow national regulatory, commercial interconnect and network based mitigation actions.” It also outlined the need for a long-term – as in five-year – plan to build rules for CLI spoofing into the regulations.
It’s not clear if CLI spoofing is illegal, Alistair Kelman – the barrister who was counsel for Gold and Schifreen in the Prestel case and who won their appeals in the Court of Appeal and the House of Lords, subsequently leading to the creation of the Computer Misuse Act – told The Register.
“That is a tricky issue. It turns on the meaning of unauthorised and I could see there being some difficulties here. You might therefore look at the Forgery Act 1981,” he said. “The definition of forgery is to create a false instrument which tells a lie about itself. It could be argued that a false CLI is an instrument which tells a lie about the originator – i.e. it is a forgery. This is intellectually far more in keeping with the underlying harm which the crime is trying to address than to use the Computer Misuse Act.”
CLI spoofing is the mechanism The Register used to hack EE and Three voicemail, and it has become increasingly simple for non-technical users with the launch of Bitphone, which allows people to log in untraceably with Tor and pay anonymously with Bitcoin.
Ofcom gives some guidelines:
Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences.
However, the organisation doesn’t ask people to get in touch to report CLI spoofing, saying instead that if it’s been used to facilitate a scam they should tell Action Fraud and Trading Standards. ®