Major phone networks have agreed to automatically block almost all internet calls coming from abroad if they pretend to be from UK numbers, Ofcom has confirmed.
Criminals have been using internet-based calling technology to make it look like a phone call or text is coming from a real telephone number.
Almost 45 million consumers were targeted by phone scams this summer.
Ofcom said it expected the measures to be introduced at pace as a “priority”.
So far, only one operator – TalkTalk – has implemented the new plans. Other phone networks are still exploring methods of making it work.
“We’ve been working with telecoms companies to implement technical solutions, including blocking at source, suspicious international calls that are masked by a UK number,” said Lindsey Fussell, Ofcom’s networks and communications group director.
“We expect these measures to be introduced as a priority, and at pace, to ensure customers are better protected.”
She added tackling the phone scams issue was a “complex problem” that required a coordinated effort from the police, government, other regulators and industry.
The move follows months of discussions between Ofcom and the UK telecoms industry.
Will the plans work?
Internet-based calling technology, also known as Voice Over Internet Protcol (VoIP), is used by millions of consumers globally to make phone calls free or cheaply every year.
Popular services that use this technology include WhatsApp, Skype, Zoom and Microsoft Teams.
The Sunday Telegraph, which first reported the story, cited Whitehall sources that have cast doubt on Ofcom’s plans.
They say blocking traffic from foreign VoIP providers will not work to stop scam texts and calls, because much of the UK still relies on old copper-based networks dating back to the 1970s.
But some experts the BBC spoke to disagree.
Apart from consumers, many businesses also use the VoIP technology for internal corporate phone networks.
Whenever a corporate phone network makes a call, a VoIP provider hands over the call from the internet to the phone networks.
Gabriel Cirlig, of US cyber-security company Human, said telecoms companies were not inspecting the traffic they received from VoIP providers, they just let it through on to the network.
“Recently, because of the ease in implementing your own private-enterprise telephone system, everybody can have access to critical telephone infrastructure,” Mr Cirlig said.
“Because of this lower barrier of entry, it is very easy for scammers to build their own systems to spoof mobile numbers – the cyber-criminals are essentially pretending to be legitimate corporate telephone networks in order to have access to legitimate telco infrastructure.”
He adds that right now, it is up to the VoIP provider to check whether the calls it is handing over to telecoms networks are actually legitimate.
“This is not a regional problem or restricted to one type of infrastructure, this is a systemic issue that allows crime to cross any borders,” said Mr Cirlig.
“This feature is enabling the VoIP business model so they don’t want to stop it.”
Matthew Gribben, a former consultant to GCHQ, the UK government intelligence agency, agrees. He used to see many scams while monitoring networks for GCHQ.
“It’s fundamentally the foreign VoIP providers that are technologically enabling these gangs to operate, so it will make a huge dent in this,” he said. “It doesn’t fix everything but it’s an excellent step in the right direction.”
Experts agree that the only way to completely fix the problem is to implement new telephone identification protocols that enable phone networks to authenticate that all calls and text messages actually come a real telephone number.
The new protocols, known as “Stir and Shaken” in a nod to James Bond, were developed by an international standards body, the US-based Internet Engineering Task Force.
US authorities have ordered mobile operators to implement the protocols by the end of 2021, but Ofcom told the BBC in August that introducing full authentication in the UK would only be possible when the technology that supports voice services is upgraded, which is due to be completed by 2025.
The Body of European Regulators for Electronic Communications said that it cannot impose Stir and Shaken on EU phone networks.
It is only able to ask mobile operators to block, on a case-by-case basis, access to numbers or services in case of fraud.
However, it said it was now discussing whether to implement the protocols.