24.2k unique visitors in the last 3 days

The Commsrisk Review of 2023

Time has run out for 2023. This turbulent year saw some choosing to persist with failure despite others demonstrating how to succeed.

The hands of time keep turning, but how much do things really change? Businesspeople who work with technology like to talk about change, often to the point where they exaggerate how much change has already occurred and the extent to which further change is imminent. In 2023 they did not need to exaggerate. 5G has proven to be a flop because nobody knows how to make much money from it, but there were many other changes dramatically reshaping the landscape for electronic communications. Some involved an acceleration of trends that had already been established, such as the systematic theft of customer identities and the worsening of tensions between Western countries and their autocratic rivals. Some change was largely unexpected, such as the speed with which artificial intelligence has shaken up perceptions about business models and moral hazards. And some of the consequences of change received minimal attention because they are unpalatable to large sections of the populous. The latter includes the barely-disguised intention to decimate the number of employees at telcos and other businesses.

Whether you consider such changes to be good or bad, they should provide fertile terrain for the work of risk managers. However, some of the worst risks faced by the comms industry and its customers are exacerbated by the lack interest in managing risk using the science, data and technology that is so unhesitatingly exploited for other purposes. Many years ago I wrote an essay about the need for the business of technology to be managed using a conceptual zoom, by which I mean an ability to discern and focus upon specific details, then to step back and see their significance within a much wider context, only to then zoom into another part of the picture, and hence to fully understand all the consequences of decisions and mistakes we make. This notion has come to define my work. Each year I pick through many individual stories, some of which require excruciatingly meticulous attention, to then observe how they contribute to a more general pattern. This keeps me grounded in facts, and helps me to resist narratives pushed by biased commentators. Such serious analysis can only be tolerated for extended periods if leavened with plenty of wry humor. Please keep this in mind as I share the review of the year.

January to March

Elon Musk is such a disruptive force that he cannot always be aware of the turmoil he causes others. This proved to be the case when a short aside during a long interview he gave at the tail end of 2022 snowballed into the biggest SMS story of 2023. The Commsrisk headline spoke for itself.

Elon Musk Says Twitter Lost $60mn a Year Because 390 Telcos Used Bot Accounts to Pump A2P SMS

The reaction was extraordinary, with some disputing Musk’s reasoning about who was to blame, others thanking him for drawing attention to the scale of artificially generated SMS traffic, and Commsrisk’s web servers being overwhelmed by the number of hits for this article. Musk took radical action to stem his fraud losses in February by switching off two-factor authentication by SMS for non-paying Twitter users. This prompted an hysterical reaction from many sections of the media. They eagerly quoted Musk-hating psuedo-experts who claimed the new policy had put Twitter users in grave danger (less than 2 percent of users had set up any kind of second authentication factor and other authentication methods remained available) in order to increase revenues (because they would not accept that halting USD60mn of fraud per year would be sufficient financial incentive). Real experts in the comms industry also reacted with alarm, but for much more rational reasons: they worried that Musk had set a precedent that would be devastating for A2P SMS revenues if other big businesses followed his lead. As if to prove the point, Facebook began experimenting with flash calls soon afterwards.

A different crime whose consequences spilled over from 2022 highlighted the extent to which public perceptions of risk depend on decisions made by the police and news media. Some East Asian countries are sadly familiar with the problem of SMS-blasting IMSI-catchers being transported around urban areas in order to send large volumes of smishing messages that contain links to scam websites. However, nobody had warned French gendarmes who stopped a car in a Paris suburb late on December 30, 2022. They thought the back of the car contained a bomb, but the radio device was actually used to send SMS messages which encouraged victims to type their details into a bogus health insurance website. Further investigation concluded 400,000 Parisians had received the phishing messages, either from the device found in December or from a second device which the same gang had driven around in the back of an old ambulance. Six gang members were arrested and the story received considerable attention across French society, so that ‘IMSI-Catcher’ later became the title of a song released by a Marseille-based rapper. In contrast, other European countries did not publicly acknowledge that their inhabitants were at risk of falling victim to the same methods, or that these scams are difficult to detect because none of the messages are carried by a comms provider’s network.

Another story that melted Commsrisk’s servers during January was the sudden and unexpected announcement that Twilio might be imminently disconnected from the US comms ecosystem because it had been carrying illegal robocalls. The US Federal Communications Commission (FCC) gave Twilio 48 hours to halt robocalls from a specific robocall campaign and 2 weeks to implement controls to inhibit other illegal robocalls in future. Twilio responded well enough to appease the FCC, and the regulator’s threat was likely exaggerated because shutting down Twilio would have had disastrous consequences. However, it signaled that the FCC is willing to engage in brinkmanship in order to force telcos to become more proactive about screening customers and calls.

The war between Ukraine and Russia continued to spill across comms networks. Ukrainian police responded by raiding simbox farms that spread Russian propaganda through 1.5 million fake internet accounts. With international attention focused elsewhere, there were plenty of reasons to suspect China was practicing for an invasion by cutting Taiwan’s internet cables.

Singapore sent its own signal by establishing itself as a world leader in tackling fraudulent SMS messages. They announced that all A2P SMS messages from unregistered senders would be marked as ‘likely spam’ on the display of receiving handsets. Australia also showed they were no slouches at tackling SMS frauds, naming the first telco to breach their new anti-scam rules. Four telcos in Malaysia decided they would go further by simply blocking any SMS that includes a URL. Malaysia’s banks did not want to be outdone, so they stopped sending SMS one-time passwords and switched to token-based authentication for all transactions.

Sometimes educating consumers about comms crimes leads them to prematurely fear the worst. Numerous customers of T-Mobile US thought they had been fallen victim to a SIM swap on the same day but their service had actually been migrated to eSIMs in new Samsung handsets they had ordered, prior to the phones being delivered.

Netflix decided they needed to tackle a hole in their accounts by eliminating users who freeride using logon credentials belonging to others. A limited trial that used location analytics to terminate services to non-paying users in Latin America was extended worldwide, potentially impacting 100 million users in total.

The fraud intelligence gatherers at Symmetry Solutions identified an extraordinary new fraud trend in North America. Their data showed there had been a 43,835 percent increase in US phone numbers offered for sale to fraudsters since 2020. The figures for Canadian numbers were even more shocking, with a 69,340 percent increase in Canadian numbers offered to fraudsters over the same period.

Some criminals concentrate on cheating advertisers who are too trusting of statistics reported by the firms that serve their adverts to electronic devices. Human, a business that focuses on digital advert security, reported that the Vastflux ad scam used malicious code on handsets to repeatedly request ads that nobody saw, resulting in 12 billion fake transactions per day.

Brazilians receive more unwanted calls than any other nationality. One of the steps to mitigate this problem taken by Anatel, the Brazilian comms regulator, was to implement Qual Empresa Me Ligou (Which Company Called Me), a website where consumers enter phone numbers to determine who is annoying them with unwanted calls.

Telcos need to be just as vigilant of criminals in their employ as threats from outside the company. State-owned Zimbabwean comms provider NetOne was rocked by a string of insider frauds.

It is not just criminals and foreign governments that break laws concerning comms devices and privacy. Some of the most important US security agencies were found to have broken laws limiting the use of ISMI-catchers.

Having previously come clean about past corruption, Ericsson decided to come clean a second time, agreeing to pay a civil penalty of USD206mn to the US Department of Justice in March. Ericsson loudly proclaimed they had not been charged with any new criminal misconduct but admitted they had somehow failed to disclose all of their past misconduct. Lawsuits from various disgruntled stakeholders might well result in Ericsson needing to come clean a third time and a fourth time.

Mobile World Congress demonstrated that the GSMA is still able to make vast amounts of money by persuading people to fly to Barcelona to speak to one another instead of using a phone to do the same thing. Anyone reading the platitudes they write on walls might think the GSMA is serious about promoting equal opportunities for women; anyone willing to look in other directions could see how superficial the communications industry’s commitment to equality really is.

Some people thought I might be sexist because I observed that the people who steal data, take over accounts and perform SIM swaps are mostly boys and young men. A 20 year old male was arrested for running a forum for data breaches and hackers. Astute readers will already be able to speculate about the sexes and ages of other criminals who will be mentioned in this review.

April to June

In case people were not paying attention, the downsides to AI became more apparent when a mother received a bogus ransom call from scammers who had cloned the voice of her daughter. The mother thankfully had the presence of mind not to be panicked by the simulated cries for help and she independently verified her daughter was safe.

If ever there was a break in the stream of news about AI then it usually seemed to involve news about AIT. This suggests a new universal law: any network that carries traffic will soon carry artificially inflated traffic. Supporting evidence was provided by Spotify, who had to remove thousands of AI-generated songs because they acted as revenue-generating magnets for bots that repeatedly visited their platform.

One of the concerns surrounding AI is that very large amounts of data are being accumulated and fed into models without the permission of the people who own that data. But nobody in the USA seems to be worried about companies souping up huge amounts of data about foreign phone numbers just so algorithms can decide which phone calls will be trusted. Some determined privacy activists in Europe showed their interest in the topic by instigating a legal complaint about BICS, Proximus and Telesign supplying data about European phone numbers for analysis in the USA. The same group has previously won the two most important cases about the transfer of personal data from Europe to the USA, so their case would be important if the USA had not adopted an unspoken policy of ignoring European data protection law and the European Union had not adopted an unspoken policy of ignoring US violations of European data protection law.

The dangers of lax supply chain security were highlighted by hackers who inserted data-stealing malware into 3CX VoIP phone systems used by 600,000 organizations. The hack also showed that too much confidence can be placed in technological methods of establishing trust; the compromised apps had been signed using a valid digital certificate.

The communications industry is rich in data but poor in reliable statistics. New depths were plumbed when it became necessary to observe that STIR/SHAKEN had not reduced year-on-year growth in North American fraud losses by 85 percent, and M-PESA had not caused half of all Kenyans to suffer SIM swap fraud. We finally got to the point where the US telecoms industry stopped pretending the number of robocalls was going down, but some of them began pretending this was because many good robocalls had taken the place of bad robocalls. Perhaps you are the kind of person who believes there was a massive coincident rise in automated calls that people wanted at exactly the time required to maintain an oft-repeated but totally unsubstantiated belief that the US strategy for reducing unwanted calls is succeeding. If you are, then please allow me to share your phone number with some nice people who will help you pay off your college loans.

Back in the real world, a top lawyer observed that the emperor has no clothes and that STIR/SHAKEN is full of holes. The US Federal Trade Commission (FTC) must not have received the FCC’s memo about illegal calls being reduced because they decided to ‘ramp up’ the fight by naming and shaming comms providers.

Undeterred by the complete lack of success for STIR/SHAKEN in North America, UK regulator Ofcom finally unveiled a public consultation on whether to copy the North American plan for implementing STIR/SHAKEN. Their rationale for wanting to adopt STIR/SHAKEN was bolstered by a two-year old report which they purchased from an outspoken US lobbyist who was previously employed by one of the leading suppliers of STIR/SHAKEN. Nevertheless, Ofcom’s consultation must have come as a shock to all those people who believed the UK had already decided to implement STIR/SHAKEN. The source of those false rumors has never been pinpointed but there may be a link to a group of people who continually buzz around the world telling regulators that they had better get STIR/SHAKEN because every other country intends to get STIR/SHAKEN.

The consultation itself generated a lot of praise for STIR/SHAKEN from people who sell STIR/SHAKEN and quite a bit of diplomatically-expressed resistance from UK telcos that would have to pay for STIR/SHAKEN. I also submitted a few simple observations about the way Ofcom had decided to ignore what STIR/SHAKEN actually does in order to grossly inflate estimates of the economic benefits it might deliver. The regulator has since gone mysteriously quiet about this consultation, which is barely mentioned in its plan of work for next year, despite STIR/SHAKEN requiring a massive overhaul of how networks talk to each other. If Ofcom’s goal is to avoid scrutiny then the outcome of the consultation will be announced in the week between Christmas Day and the end of the year. Reasons to be optimistic about the decision include recent silence from the lobbyist about whether he still thinks Ofcom will do everything he told them to.

Academics at a British university demonstrated a significantly easier method of preventing CLI spoofing that they have named Caller ID Verification (CIV). However, nobody in Britain seems to know why British taxpayers are expected to fund academic research just so it can be comprehensively ignored by British regulators who prefer the advice of American salesmen.

French President Emmanuel Macron promised to implement national filters to stop the spread of malicious links in SMS messages and emails. He is French, he is the President, and he is Macron, so probably nobody told him how difficult it would be to actually accomplish this in practice. But if we assume politicians do not care about keeping promises, it was at least interesting to observe a trend where politicians in various countries started making these kinds of promises, probably because ordinary people are upset that they have been so poorly protected thus far.

When Sarah Delphey appears on The Communications Risk Show we joke about her being the monarch of Delpheyvania, a little island in the middle of the ocean. However, Sarah is nothing like most rulers. During 2023 she saw a widespread need for somebody to do something, so she decided to do it herself, without any fuss and without expecting any praise. Sarah took the lead with writing the first model standard for know your customer (KYC) checks for comms providers in the USA. Then she gave it away for free, so anybody can use it or copy it. Perhaps we like to imagine Sarah as the queen of her own country because sane rulers would insist that telcos check who their customers are before anyone starts fantasizing about wonder technologies which can differentiate between good traffic and bad traffic.

Meanwhile, in India, which is not a little country, they began indulging in fantasies about AI-powered spam filters. But then they showed how simple it can be to implement effective controls if there is the will to impose them consistently across an entire country. India’s unified consumer consent system is designed to give customers the absolute right to specify which telemarketing businesses can call or message them.

It must be tempting to be a bad regulator because being a good regulator is such hard work. Just ask the Australian Communications and Media Authority, who needed to learn Mandarin Chinese just to discover that scammers were impersonating them in that language. But then they turned around and scored some significant victories by shaming Infobip and Sinch for failing to stop scam SMS messages.

Ireland’s Commission for Communications Regulation (ComReg) further restored my faith in regulators by:

  • performing a comprehensive survey of anti-scam methods being used around the world;
  • choosing to implement all of the good, cheap methods that actually work; and
  • politely explaining why STIR/SHAKEN would be a waste of money.

If the comms regulator of a small country like Ireland can do such a good job, then share their findings in a beautifully-explained report, why are there larger countries that have still not devised a coherent plan to protect consumers from scams? Even if they lack the competence to do their own jobs, they can now copy the Irish.

The European Union’s cybersecurity agency, ENISA, released its first-ever security guide for eSIMs. It highlights vulnerabilities that would be deeply troubling if anyone chose to pay attention to them.

Noticing that law enforcement bodies never get punished when they break laws designed to protect the privacy of ordinary members of the public, two police forces in the UK gave their staff the tools to unlawfully record 200,000 phone calls. The UK’s data protection agency responded in a fashion that is sadly typical for them, rationalizing that it was not worth fining the police because that would just mean siphoning money from one publicly-funded body to another publicly-funded body. Taxpayers were not asked if they could cope with fewer publicly-funded bodies that had somehow failed to obey the laws they were meant to enforce in general, or to enforce the laws they were supposed to enforce specifically.

If that appeared to be evidence of wastefulness, the UK then showed how much worse things can be. Soon afterwards the UK Supreme Court reached a decision that upheld a lower court’s decision which overturned an even lower court’s decision which had originally said the government was not entitled to instruct a regulator to not make a decision it was required to make for the sake of consistency with a decision made by the European Union. (I was careful about where I placed both ‘nots’ in that sentence, so do not try to be clever by reasoning from first principles that I must have meant something else.) This decision was ultimately justified on national security grounds even though it took 18 years to be finalized, and could have been solved in no time at all if somebody had simply written a law that prohibited the use of simboxes, like so many other countries did long ago.

But then UK law enforcement managed to do something right by rediscovering some long-forgotten wisdom of the ancients. Instead of drafting a new policy about such-and-such, or creating a public-private task force for this-and-that, or issuing guidance about what-not, or warning the public to protect themselves from etcetera, or demanding businesses implement an automated system to classify everything under the sun, the London Metropolitan Police did some investigative work, and then they went to the home of a criminal who ran a highly lucrative service which spoofed the numbers of phone calls, and then they arrested him, and then he was prosecuted, and then he was put in prison for 13 years. Might other law enforcement bodies around the world be influenced by this precedent?

There are some countries that just talk about enforcing data protection rules and then there is Spain. The Spanish data protection agency fined Orange Spain EUR42,000 (USD46,000) because they asked somebody two identification questions instead of three. This instance helps to illustrate why the four leading Spanish operators receive almost as many GDPR fines as all the telecoms, media and broadcasting organizations in all the 30 other countries that also adopted GDPR.

Russia turned the tables on their critics by accusing the USA of putting spyware on iPhones used by diplomats. Taiwan planned to become less dependent on submarine cables by building 700 satellite receivers.

Global Voice Group (GVG) spent the year repositioning itself from a business which makes money by collecting taxes on voice calls (the clue is in the name) to a business which makes money by collecting taxes on everything. This is euphemistically described as ‘regtech’ and supposedly has something to do with reducing corruption. The anti-corruption angle in their marketing was not helped when one of the founders of GVG was deemed so corrupt that he was barred entry to the USA after he left his home in Miami for a business trip to West Africa. In other news, GVG is hoping to increase sales to West African governments.

There was a changing of the guard at leading RAFM vendor Subex. Vinod Kumar reflected on two decades in executive roles at the trail-blazing Indian firm as he stepped down as CEO. He was replaced by Nisha Dutt, an independent board member who had previously run a business that utilizes artificial intelligence for marketing.

A British man was sentenced to 5 years in a US prison for multiple crimes including SIM swaps to steal cryptocurrency and swatting a girl who had rejected him. He was 24 years old when sentenced but his crimes occurred when he was significantly younger.

The good news is that you are not just getting old. There is a genuine technical reason for why you cannot hear what is said on television any more. The short explanation is that technologists working for big streaming businesses are better at cutting costs and standardizing systems than considering the needs of human beings.

July to September

Politicians like to remind us that they will protect our personal data from immoral corporations. They also strive to ensure our free speech is not censored by overly moral corporations. In unrelated news, the former Deputy Prime Minister of the UK, who now works for Facebook, asked his colleagues why they were not expediting US government demands for more censorship in order to get looser data protection rules. The moral mandate of governments sometimes extends to spying on people to identify naughtiness but various companies threatened to quit the country and 68 academics rebuked the UK government for wanting to interfere with end-to-end comms encryption. Trust in governments is so low that one business tried to persuade lawyers to purchase devices that would detect IMSI-catchers to protect their phones and their clients’ phones from snooping. But then one government devised a fiendishly simple way to reduce the harm done using networks. The US state of Maine will not prevent spammers from acquiring phone numbers but they will charge them more for each number.

Birds do it to each other, bees do it to each other, and governments cannot help but stick their noses into each other’s orifices at every opportunity. A former minister in the British government revealed that the Prime Minister’s car had to be debugged when it was discovered the Chinese were tracking its location using ‘little SIMs’.

France adopted a badly-worded law several years ago that was later interpreted as an instruction to implement STIR/SHAKEN. However, when the deadline for compliance finally arrived, everyone conveniently chose not to notice the reasons why telcos were still not able to comply with the law.

Sometimes governments screw up because they are given bad advice. The US government often turns to the National Consumer Law Center (NCLC) for advice on how to tackle robocalls, but even the most basic scrutiny of robocall statistics published by the NCLC reveals they are terribly wrong. The FTC heralded Operation Press Release Operation Stop Scam Calls, a program of action which continued all of the things they had already been doing, except with more press releases. They even issued a press release which bragged about a business getting a USD125,000 penalty for making illegal telemarketing calls. The press release did not mention this fine was worth less than USD0.0125 per each call.

The FCC then bested the FTC by issuing an even worse press release to trumpet their entirely hypothetical USD299,997,000 fine for the Sumco Panama robocall gang. Nobody in the US media asked why the FCC considered it ‘groundbreaking’ to catch a criminal gang that had previously been caught doing the same thing before, and why they expected to collect such a large fine when nobody in the US government collected the USD1.1mn civil penalty the same crooks were given in 2013. But this year’s prize for the most flatulent anti-robocall press release came from Indiana Attorney General Todd Rokita. He sought to emphasize the ‘strong action’ he had taken as part of Operation Stop Scam Calls although the most significant achievement was prosecuting an old woman who probably did not know she had been a front for a crooked comms business run by people outside of the country. For her crimes, this woman will be forced to pay a penalty of USD5,000… spread over 10 installments of USD500 at the rate of one payment per year. Rokita also neglected to mention that when he initiated this prosecution he had bragged of “potential fines in the billions”.

Ghana has at least one journalist who asks pertinent questions of people in positions of responsibility. Such questions were necessary after Ghana’s tax authority appointed a specialist revenue assurance auditor who decided MTN had underpaid their taxes by 30 percent over a 4-year period, then mysteriously disappeared when his conclusions were found to be total nonsense.

The most peculiar telecoms fraud punishment of the year was given to Thomas Dorsher, also known as ScammerBlaster on YouTube. The FCC gave Dorsher a USD116mn fine for pumping traffic to toll-free numbers. Dorsher has at different times offered a string of unconvincing defenses for his actions, including:

  • He did not do it. Nobody can prove he did it. It must have been somebody else who did it.
  • His robocalls were only intended to play recordings that warned recipients about robocalls.
  • He deserves government funding for using robocalls to perform denial-of-service attacks.
  • There is a massive conspiracy and he will reveal all soon… but not yet.

But as bizarre as Dorsher’s behavior is, there is also plenty that is bizarre about the people who sought his punishment. For example:

  • What is the purpose of calculating a USD116mn fine for a pissant who clearly cannot afford it and who shows signs of being mentally ill?
  • Why did the FCC suggest to the public that prosecuting Dorsher was necessary to protect ordinary citizens from annoying calls when their legal argument was that Dorsher pumped calls towards un-ordinary numbers that would generate revenue for the caller?
  • If anyone else made two phone calls to AT&T’s fraud hotline would their Global Director of Fraud Management produce an affidavit arguing they had also made it ‘impossible’ for the rest of the world to report frauds?

Not many regulators are so bad that they have to publicly deny they are selling the contact data of ordinary people to telemarketers. The Nigerian Communications Commission (NCC) issued just such a denial, then clarified that they would punish any telemarketers who obtained personal data from the NCC without permission… which implies that some of the telemarketers have obtained this data with the NCC’s permission.

It is generally agreed that increases in unwanted and illegal international phone calls will only be reversed through extensive international cooperation. Unfortunately, that is about the only thing that national regulators can agree upon, and they tend to do it right before they each select separate and incompatible methods of solving the problem within their own country. i3forum, a club for international wholesale carriers, decided they could no longer sit back and wait for coordination to occur. They proposed the creation of a new nonprofit association that would recommend harmonized ways of validating calls across borders. Work has already begun and the nonprofit, which will be named the One Consortium, will be formally launched in early 2024.

The abuse of global title leasing leads to privacy abuses and spam. The GSMA announced tentative steps towards tackling those abuses including due diligence checks on lessees. In other words, it is not just ordinary people who should be subjected to KYC checks.

The economic importance of mobile money was emphasized by statistics which showed Kenyans borrow KES702bn (USD5bn) a year via mobile money overdrafts. Meanwhile, an analysis of AT&T’s accounts showed they had found ways to borrow USD10bn from vendors without reporting it as debt.

You cannot escape a war by moving operations to the cloud, as was demonstrated when a Russian satellite comms provider was disrupted by cloud hackers.

CodeB said out loud what others have been thinking when they ruminated if some anti-fraud systems are just a ‘smokescreen’ for profits generated from unlawful traffic. In contrast, the sophistication of criminal technologies can sometimes put honest businesses to shame. Koreans were hit by an elaborate Android malware vishing scam where victims who called the correct number for their bank were connected to the scammers’ call center instead. Google deserves credit for enhancing the security of Android phones by giving enterprise users the option to disable downgrades to 2G connections. They cited Commsrisk’s coverage of the Paris IMSI-catcher smishing gang when explaining the risk posed by downgrades to 2G.

Big US analytics firms TNS and Hiya make money by analytically deciding which calls should be labelled as spam, and also by charging companies for help with ensuring their calls are not labelled as spam. Another US firm, Numeracle, observed that this blatant conflict of interest might help to explain why the spam labels applied by TNS and Hiya are often wrong.

One of the most popular and most positive stories of the year featured a bank that authenticates its identity when calling customers. An app on the customer’s phone not only tells them if they are being called by the bank, but also informs them of the name of the person on the other end.

I mentioned above that ComReg, the Irish comms regulator, had used a lot of common sense when choosing how they would tackle scams. This includes the decision to block calls which originate overseas but which present an Irish phone number. Twilio, being an American business that had seemingly forgotten they had been threatened with disconnection because they carry too many illegal calls, then asked ComReg if the new Irish rules also applied to innocent homeworkers. Twilio’s reasoning was that homeworkers might only technically be in a country such as the United States of America, whilst their corporate hearts could be found in a business park on the outskirts of Limerick, and hence the homeworker should be allowed to use an Irish CLI when making outbound calls. ComReg gave them an answer which was equally as sensible as everything else they had said about stopping scam calls, and which was much more polite than Twilio deserved.

Brazil’s Anatel showed their methods had been successful when they reported an impressive 41 percent reduction in short calls received by phone users between May 2022 and July 2023. But there was far more forceful action being taken to tackle unwanted calls which originated in Myanmar. Fighting in Myanmar’s border regions and encouragement from Chinese authorities resulted in the capture and closure of scam compounds by warring militias. 1,207 Chinese citizens who had been working in the scam compounds were deported in a single day.

Several thousand pseudo-experts who had previously gnashed their teeth and pulled out their hair because Elon Musk switched off authentication by SMS seemingly had nothing to say when the real experts on the US Cyber Safety Review Board recommended that everybody should ‘urgently’ transition away from sending authentication passwords by SMS or voice. The Board also advocated for whole-of-society programs to address the surge in juvenile cybercrime.

Nobody had warned French gendarmes about SMS-blasting IMSI-catchers being driven around cities, and 8 months later it appeared that Norway’s secret services were equally unaware that this scam technique had been imported into Europe. They charged a 25-year old Malaysian student with espionage because his radio device had been detected when he drove near to government offices in Oslo. It was only weeks later that the authorities realized he had been sending messages, not listening to them, as he drove around Oslo and Bergen. Subsequent analysis concluded that ‘thousands’ remained at risk because they had typed their banking details into the fraudsters’ phishing website.

Sometimes I think the only people equipped to protect us from bad governments and bad businesses are the gamers who spend all day honing their skills by fighting orcs and demons. So it proved when a group of gamers found a clever way to humiliate a magazine that published articles which were AI-rewrites of their social media posts. A short while later I realized that Commsrisk now has competition from AI-powered spamsites.

A jury decided that two British boys, aged 17 and 18 at the date of their trial, had been leading members of the LAPSUS$ gang which gained unauthorized access to systems belonging to a string of companies including BT and T-Mobile US. One of the boys had acquired such substantial wealth from his crimes that he offered USD20,000 bribes to any employee of AT&T, T-Mobile or Verizon who was willing to work for him. Meanwhile, a US court handed out a 3-year prison sentence to a SIM swapper who stole cryptocurrency worth USD20mn and whose 20-month crime spree began when he was 20 years old.

October to December

It is widely agreed that mobile money is good and microlending is good. However, a string of disturbing stories drew attention to lenders who force customers to download apps with excessive permissions before they will issue a loan, and who later seek to humiliate anyone who does not repay on time by contacting the borrower’s friends and family to shame them.

Ukrainian telcos remained at the sharp end of hostilities. The Ukraine CERT reported that 11 telcos had been affected by hackers sponsored by the Russian state. A SIM card belonging to Ukraine’s biggest mobile operator, Kyivstar, was discovered in a Russian munitions drone, presumably to aid its guidance systems or to send instructions mid-flight. Hackers knocked the whole of Kyivstar offline. But Ukrainians fought to preserve order, and this included the arrest of scammers who targeted victims in the Czech Republic from a call center in the Ukrainian city of Dnipro.

Brown trousers are becoming fashionable amongst many people whose careers depend on the popularity of A2P SMS. Artificial inflation of SMS traffic was blamed for dismal revenue forecasts from both Juniper Research and Mobilesquared. In contrast, Optus CEO Kelly Bayer Rosmarin was in bullish mood after weathering the storm caused by a massive data breach last year. Rosmarin had been rubbished by politicians and sections of the media but fewer Australians lodged official complaints about the breach than you might expect. Then there was another massive screw-up at Optus, resulting in a nationwide network outage and Rosmarin being forced to resign after all.

The uniquely American approach to protecting consumers from bad calls grew even weirder with the publication of a ‘transparency report’ that was clearly designed not to be read or understood by outsiders. The report listed all the bad calls traced by the US Traceback Group between April and June. There should also have been some seriously transparent analysis of the reasons why more calls were traced to Deutsche Telekom than to Twilio, despite the latter business being threatened with disconnection earlier in the year. Nobody in the US industry or media acted like anything was wrong, even though far more calls were traced to Deutsche Telekom than to any other major foreign telco. Remember the golden rule: two phone calls to AT&T’s fraud hotline is evidence of the systematic destabilization of the US phone system when the calls were made by an idiot in North Dakota with a YouTube channel; 33 calls that impersonate Amazon, Verizon and utility companies can be disregarded as a statistical anomaly if they come from a telco that controls T-Mobile US and is partly owned by the German government. It is no wonder so many Americans believe in conspiracy theories when actual facts are so peculiar.

The money that can be made by scamming China’s enormous population has resulted in a string of scam call centers being situated around Southeast Asia. Crackdowns by China’s authorities in cooperation with other governments has resulted in a game of cat-and-mouse where organized criminals relocate scam operations to places where laws are less likely to be enforced, including certain parts of Myanmar and Cambodia. But then gangsters can find it difficult to staff their call centers so they resort to other kinds of crime to solve the problem: human trafficking and modern slavery. And if they are going to abduct and imprison Chinese-speakers, it occurred to them that they could abduct speakers of other languages and increase their revenues from victims in a wider range of countries. The final quarter of 2023 saw military activity by armies which are not controlled by Myanmar’s central government, who were encouraged by China to fight and defeat rivals who had sheltered scam compounds. But the signs are that scam compounds will just keep moving around, whilst targeting an even wider range of victims, prompting INTERPOL to run their first ever operation that tackled human trafficking for scam call centers.

In contrast to the wild eccentricities of US consumer protection, and the violence exercised in the protection of China, it comes as a relief to report that the Telecom Regulatory Authority of India kept making mundane but sensible decisions. This includes their reasoning that slightly delaying the porting of numbers would help to reduce SIM swap fraud. They then showed an increasing interest in stopping frauds that target victims in other countries, with raids on 24 locations with suspected connections to cross-border scamming operations and the attempted confiscation of USD8mn of assets belonging to people accused of running a scam call center.

The FCC proposed to cut off Saudi Arabia’s second mobile operator. Eventually insanity reaches a point where you can only point at the aberrant behavior and trust the lunacy does not spread to onlookers. I would prefer not to devote half of this year’s review to the madness that is consuming the USA, but how can I not?

Thankfully, the European Union rebalanced the global insanity scales by doing something utterly stupid and deplorable then acting like nothing strange had occurred. EU Home Affairs Commissioner Ylva Johansson broke European data protection law. She did this by using the European Commission’s budget to pay for microtargeted ads that were designed to put pressure on specific national governments that had raised objections to her plans. The purpose of her plans is to increase corporate surveillance of electronic communications, ostensibly to protect children. So she sought public support for her plans by only showing the ads to people whose political sympathies show them to be more trusting of the EU, and not to people who are less trusting of the EU. This presumably means that she does not trust Christians to support the EU, because they were excluded from seeing her adverts too. But as European data protection law is hardly ever enforced*, do not hold your breath whilst waiting to see how Johansson will be punished.

*Except for those Spanish telcos. Pity poor DIGI, who received a EUR200,000 (USD220,000) fine just because they were tricked by a fraudster into issuing a SIM replacement instead of insisting on the presentation of identification documents, in person, at a store on Christmas Day two years ago. Consider the health of justice systems that can impose a EUR200,000 penalty for being tricked by a criminal who pretended to urgently need a SIM replacement because their bank account was being raided versus imposing zero penalty for micro-targeting the most easily-manipulated people with panic-inducing messages to undermine democratically-elected governments that voiced doubts about a controversial increase in surveillance powers. We need new laws to protect us from the people passing new laws to protect us.

Not all Europeans are daft. Commsrisk readers were drawn to stories about Denmark introducing an SMS SenderID registry and Sweden instantly reducing inbound international calls by 20 percent as a result of blocking foreign calls that present a Swedish landline number.

AT&T makes money by storing a trillion CDRs, even though they are not legally required to do so, and then selling the data to US law enforcement. US Senator Ron Wyden complained that the program would ‘outrage’ many Americans. Wyden also observed that the White House had sidestepped rules designed to prevent unauthorized surveillance of Americans by providing financial support for this nationwide intelligence program via a circuitous route involving grants that are ostensibly meant to tackle drug crimes in Texas. Given the fuss that is made about the legal rights of Americans being violated, and the likelihood that calls involving Europeans are also being captured in AT&T’s database, it is difficult to understand why any rational person chooses to believe European privacy laws are being respected by the US government.

All should hail the mighty Australian regulator. The ACMA’s annual report cited a 72 percent drop in complaints about scam calls in the two years since they implemented their plan to reduce scam calls, and an 86 percent drop in complaints about scam SMS messages in the year since they implemented their plan to reduce scam SMS messages. This demonstrates how much can be accomplished by adopting straightforward controls like checking the identity of who sends a message and blocking foreign-originated calls that pretend to be domestic in origin. It also demonstrates that it is possible to write a sentence about successfully tackling unwanted robocalls and robotexts without repeating platitudes about ‘no silver bullets’ or ‘taking a step in the right direction’ or ‘playing whac-a-mole with fraudsters’. The world is being divided into two camps: the countries which use effective techniques to secure significant reductions in nuisance calls and messages and the countries that habitually copy the same empty phrases because they stubbornly refuse to copy methods that have proven to work elsewhere.

I always seem to have productive and pleasant conversations with employees of Twilio. But that will not stop me mentioning the company’s name yet again, this time because Twilio was blasted by the ACMA for ‘unacceptable’ failures to comply with anti-scam regulations for SMS messages. Only modest relief will be afforded by the observation that Vonage was slammed by the ACMA at the same time, for the same reason.

I also had a pleasant, but short interaction with somebody who works for a PR business employed by Mobileum, a market-leading provider of risk, assurance, analytics and security products and services. This person contacted me to imply I had made a mistake in writing up the story of Mobileum’s new owners suing Mobileum’s old owners. The new owners say the value of the company had been massively inflated by issuing bogus sales invoices and recognizing revenues well ahead of when they were earned. The old owners say that is just sour grapes because the new owners do not understand how to run the company. It was smart of the PR guy to only imply I had made a mistake. If he had stated I had made a mistake then I would have written an article about him being a liar who tried to trick me into changing my article. He implied there was a mistake in the article when there was no mistake. So I politely asked him to provide the information needed to correct the implied mistake and he went away and never contacted me again. The current situation with Mobileum can be summarized as:

  • The two squabbling private equity firms who bought and sold their stakes in Mobileum will probably negotiate a settlement. It was highly unusual for a private equity firm to instigate a lawsuit over how much they had paid to acquire a business but neither firm would benefit from yet more embarrassing revelations.
  • Mobileum employees will be having some interesting water cooler conversations about who will be able to continue in their jobs and exactly how far accounting trickery can be pushed before it falls over the edge of a cliff.
  • I hope Mobileum still takes out an advert on the new-look Commsrisk being launched in January because I could really do with the money.
  • I check my facts, so anyone trying to mislead me is risking becoming the subject of my next story.

That nicely brings me to the CISO of Orange Poland. He can sod right off. It is not my fault if one of his employees writes a blog about old Android phones being infected by malware that turns them into IRSF fraud call generators. If a telco does not want to invite commentary then it should behave like most other telcos, by choosing to say nothing in the first place. The CISO took to social media to complain that I should have approached him for his comment before publishing my article. This suggests he is not familiar with the way most telcos insist that every public statement made by one of their employees be approved by a corporate communications department, with the result that almost no public statement about fraud ever receives approval. Anybody else who believes I should waste weeks waiting for input that hardly ever materializes is welcome to find another website that does not simply copy from press releases, social media and blogs, assuming they can tell the difference now that 99 percent of websites are written by AI.

Lycamobile’s French business was fined EUR10mn (USD11mn) for tax fraud and money laundering. So here you can see that I am capable of reproducing the facts without adding lots of commentary, because it should hardly need stating that tax fraud and money laundering is wrong. And if you think the problems of this industry will be addressed by hassling me about the accuracy of my work then perhaps you did not understand the reasons I have been listing stories concerning Lycamobile, and Mobileum, and Ericsson, and Hiya, and the FCC, and… need I go on?

There are some professionals who just read what I write and learn something from it. For example, the UK Cyber Security Center kindly cited my article about Elon Musk and artificially generated SMS messages when introducing their new guidance on how to tackle artificial inflation of SMS.

Almost a whole year went by with nobody having anything new to say about revenue assurance. So I suggested RA teams might want to help with finding ways to reduce the cost of running telcos. The alternative is to sit back and to watch executives make scything cuts to their company’s workforce, including the number of employees paid to assure revenue streams that are in permanent decline.

The IoT Security Foundation issued their annual research into vulnerability disclosure policies for networked consumer devices. On the one hand, businesses that had been reviewed were, overall, doing a slightly better job than previously. On the other hand, the review covered many businesses that had not been reviewed before, and they brought the averages well down.

Singapore kept setting the pace for new consumer protection measures, announcing a plan where telcos could be held liable for financial losses that resulted from a smishing message. The plan was often misinterpreted by commentators in other countries because telcos will only need to make restitution if they have not complied with rules requiring the filtering of risky messages, and only if the customer’s bank was in complete compliance with many other obligations designed to prevent fraud.

The FCC expressed a desire to use AI to filter bad calls. If you lack the intelligence to simply copy methods that have worked elsewhere then it is easy to see why you might want machines to do your thinking for you.

But there is still room for some old school crime prevention methods in the USA. A SIM swapper who stole money and sexually abused female targets was sentenced to 8 years in prison. He was 25 when sentenced, and his crimes began 4 years earlier. A little while later, a British court hearing determined the sentences of the first two members of LAPSUS$ to be convicted. 18 year old Arion Kurtaj was deemed mentally unfit so could potentially spend the rest of his life in a psychiatric institution because of the risk that he will commit more crimes. A 17 year old accomplice was too young to be named but received an 18-month supervision order. The unnamed boy’s sentence covered the assistance he gave to Kurtaj and other members of LAPSUS$ when they stole information from BT and unsuccessfully attempted to ransom it for USD4mn. The judge said the sentence also related to the unnamed boy’s “unpleasant and frightening pattern of stalking and harassment” of two young women.

Tracfone Wireless agreed to a USD23.5mn settlement with the FCC because they had taken lots of government subsidies for low-income customers who were not entitled to a subsidized phone service. I suppose American bureaucrats consider the failure to safeguard taxpayers’ money to be only a minor infraction compared to the devastation caused by somebody calling AT&T’s fraud hotline twice.

4.8 million British phone users may receive an unexpected gift if a former executive at a leading consumer affairs charity succeeds with a class action lawsuit against the country’s four main mobile operators. He wants the telcos to reimburse fees that were charged because customers on contracts covering both handsets and airtime were not switched to cheaper tariffs when their handsets were paid off. The lawsuit will likely take years to reach a conclusion, if it ever succeeds. But given the unnecessary complexity of many pricing schemes, telcos in the UK and elsewhere may want to start using data and AI to help customers obtain the right price and the right plan for their needs. This shows I can be as guilty of wishful thinking as anyone.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email