Belgium has joined the growing list of countries that mandates the blocking of inbound international calls which misleadingly present domestic numbers. The new law is explicit in stating it follows ECC Recommendation 23(03), the guidance issued on behalf of the regulators of the 46 countries in the European Conference of Postal and Telecommunications Administrations (CEPT). The decree also observed how the new law would further encourage harmonization of spoofing prevention across Europe.
BIPT, the Belgian comms regulator, issued a press release welcoming the new law, and promising to monitor compliance. This Commsrisk article will focus on the content of the new rules, but their effectiveness will be largely determined by how much comms providers seek to profit from unjustified exemptions from blocking, and how tightly this is scrutinized by BIPT in practice.
The rules being applied in Belgium will be familiar to regular readers who know similar blocks have been implemented in two stages elsewhere. Belgian telcos must immediately proceed to implement blocks on inbound international calls that present a Belgian landline number; they have 3 months to comply with this aspect of the new law. More time is needed before the implementation of blocks on inbound calls that present a Belgian mobile number because of the possibility of calls being made by genuine outbound roamers. An additional 3 months was granted to permit the establishment of mechanisms to look-up data about whether a number is associated with a Belgian currently roaming abroad, so it will be 6 months in total before non-roaming mobile numbers will also be blocked.
The final stages of introducing a law in Belgium involves the issuing of a Royal Decree which is signed by the monarch, and which then takes effect when published in the official gazette. This particular decree is translated as “The Royal Decree to combat international voice calls with spoofed Belgian telephone numbers”; it has reference number 2024005253 and was published in the official gazette of June 13. The text is superb, and was obviously written by people with a deep understanding of the topic as well as great respect for ECC Recommendation 23 (03). Per the text of the decree (from the Dutch version, with my translation beneath):
Het besluit dat U ter ondertekening wordt voorgelegd betreft een reeks van technische maatregelen die operatoren van elektronische-communicatiediensten moeten invoeren teneinde de kwalijke praktijk van gespoofde telefoonnummers geassocieerd aan telefoonoproepen die vertrekken uit het buitenland in sterke mate te reduceren.
The decision submitted to you for signature concerns a series of technical measures that operators of electronic communications services must implement in order to significantly reduce the harmful practice of spoofed telephone numbers associated with telephone calls originating abroad.
The third paragraph of the text explicitly links crime to rogue telemarketing, a vital connection which shows the deep understanding of the subject by the authors of this decree. Too many so-called industry experts are squeamish about making the connection between crime and telemarketing because they directly or indirectly make money from telemarketing.
Zo krijgen o.a. burgers de indruk dat ze te maken hebben met betrouwbare partijen (zoals de banken waarvan ze klant zijn) die oproepen maken en worden misleid. Dit is zeer dikwijls een cruciale stap die fraudeurs gebruiken om persoonlijke gegevens te ontfutselen en op basis hiervan bedrog (zoals phishing) te plegen. Deze techniek wordt ook gebruikt door malafide telemarketingbedrijven om de indruk te wekken dat de opgeroepene wordt gecontacteerd door een bedrijf gelokaliseerd in de eigen omgeving.
For example, citizens are misled by receiving the impression that callers they are dealing with are reliable parties (such as banks of which they are customers). This is often a crucial step that fraudsters use to obtain personal data which they can then use to commit fraud (such as phishing). This technique is also used by rogue telemarketing companies to give the impression that the called party is being contacted by a company located in their own area.
As with the majority of countries, most of the bad traffic received from Belgians originated outside of the country. Spoofing of inbound international calls will now only be permitted in specific circumstances.
Het allergrootste deel van oproepen met gespoofde telefoonnummers wordt veroorzaakt door oproepen met Belgische telefoonnummers die worden gemaakt vanuit het buitenland. Daarom worden een aantal maatregelen opgelegd die dit onmogelijk maken of dit toestaan maar dan wel onder strikte voorwaarden.
The largest proportion of calls with spoofed telephone numbers are caused by calls with Belgian telephone numbers made from abroad. That is why a number of measures are imposed that make this impossible or allow it, but under strict conditions.
The law adopts the tougher of the two approaches recommended by ECC Recommendation 23(03) by mandating the blocking of spoofed calls rather than merely removing the CLI and allowing the call to be connected.
Artikel 1 voert het algemene principe in dat voor oproepen die uit het buitenland worden gemaakt geen Belgische nummers als identificatie van de oproepende partij mogen worden getoond, behalve voor gebruikers van Belgische mobiele nummers die aan het roamen zijn in het buitenland en de andere uitzonderingen beschreven in artikel 4.
Operatoren die dergelijke internationale gesprekken ontvangen via hun internationale netwerkinterface met een Belgisch E.164- geografisch of niet-geografisch (voorbeelden van niet geografische nummers zijn 070-, 078, 0800, 090X – nummers) of kort telefoonnummer moeten deze oproepen blokkeren. Deze regel is van toepassing zowel op het presentatie- als netwerknummer. Bijvoorbeeld voor IP- gebaseerde communicatie betekent dit dat zodra in het “display nummer” of het “from/PAI nummer” of het “redirect nummer/history” veld een Belgisch E.164- geografisch of niet-geografisch (voorbeelden van niet geografische nummers zijn 070-, 078, 0800, 090X – nummers) of kort telefoonnummer verschijnt de oproep moet worden geblokkeerd.
Article 1 introduces the general principle that for calls made from abroad, no Belgian numbers may be shown as identification of the calling party, except for users of Belgian mobile numbers who are roaming abroad and other exceptions described in Article 4.
Operators who receive such international calls via their international network interface with a Belgian E.164 geographical or non-geographic (examples of non-geographic numbers are 070-, 078, 0800, 090X – numbers) or short telephone number should block these calls. This rule applies to both the presentation and network numbers. For example, for IP-based communication, this means that as soon as a Belgian E.164 geographical or non-geographic (examples of non-geographic numbers) is entered in the “display number” or the “from/PAI number” or the “redirect number/history” field are 070-, 078, 0800, 090X – numbers) or short telephone number appears, the call must be blocked.
There are limited exceptions to the general requirement to block calls presenting a domestic number. The exceptions also follow the guidance in ECC Recommendation 23(03).
Artikel 3 bevat een aantal oproepscenario’s die eerder zeldzaam voorkomen maar waar als de principes van artikel 1 zouden worden toegepast oproepen onterecht zouden worden geblokkeerd. De uitzonderingen opgesomd in dit artikel vermijden dergelijke situaties. Een voorbeeld hiervan is een hotelbediende in België die een oproep maakt naar een klant met een buitenlands mobiel telefoonnummer terwijl deze aan het roamen is in België (cf. scenario 2 van voornoemde ECC-Aanbeveling nr. 23(03) van 28 november 2023). Dit is ook het geval voor de doorschakeling van een buitenlands nummer naar een Belgisch nummer (cf. scenario 3 van voornoemde ECC-Aanbeveling nr. 23(03) van 28 november 2023). De doorschakelingen in dit artikel zijn enkel mogelijk naar telefoonnummers waarvoor de opgeroepene uitdrukkelijk zijn toestemming heeft gegeven.
Article 3 contains a number of call scenarios that are rather rare but where if the principles of Article 1 were applied, calls would be wrongly blocked. The exceptions listed in this article avoid such situations. An example of this is a hotel clerk in Belgium who makes a call to a customer with a foreign mobile telephone number while roaming in Belgium (cf. scenario 2 of the aforementioned ECC Recommendation No. 23(03) of November 28, 2023). This is also the case for the forwarding of a foreign number to a Belgian number (cf. scenario 3 of the aforementioned ECC Recommendation No. 23(03) of November 28, 2023). The forwardings in this article are only possible to telephone numbers for which the called party has given explicit permission.
The next article describes the exemptions most desired by legitimate multinational businesses like Microsoft, but which also need to be monitored and enforced most diligently because they will inevitably be exploited by criminals.
Artikel 4 § 1 definieert een aantal uitzonderingen op artikel 1. Elke uitzondering op de principes van artikel 1 moet zorgvuldig worden overwogen en gerechtvaardigd aangezien deze gemakkelijk kunnen worden misbruikt door spoofers. Als er uitzonderingen worden toegestaan, moet er een mechanisme komen om de uitzonderingen veilig te beheren.
Meer en meer wordt gebruik gemaakt van toepassingen zoals Teams die Belgische geografische telefoonnummers toelaten om nomadisch te gebruiken. Wel moet worden benadrukt dat dit enkel kan als strikt is voldaan aan de voorwaarde dat “de houder van het nummer, zowel op het ogenblik van de verdere toewijzing aan de abonnee als gedurende de periode dat de abonnee het nummer gebruikt, waarborgt dat de geografische dienstidentiteit van het aan de abonnee toegewezen nationale E.164 nummer correspondeert met het door de abonnee opgegeven adres, waarbij dit adres duidelijk en aan de hand van objectieve gegevens gerelateerd is aan de abonnee” zoals bepaald in artikel 43, lid 4, 1°, van het KB betreffende het beheer van de nationale nummeringsruimte en de toekenning en intrekking van gebruiksrechten voor nummers van 27 april 2007. Eveneens moet het aantal nomadische oproepen zeer beperkt zijn ten opzichte van de niet nomadische oproepen. Een voorbeeld hiervan is een bedrijf dat Teams dagelijks gebruikt in België, maar waarvan een werknemer af en toe voor dienstreden oproepen maakt vanuit het buitenland.
Article 4 § 1 defines a number of exceptions to Article 1. Any exception to the principles of Article 1 must be carefully considered and justified as they can easily be abused by spoofers. If exceptions are allowed, there must be a mechanism to safely manage the exceptions.
More and more use is being made of applications such as Teams that allow Belgian geographical telephone numbers to be used nomadically. However, it must be emphasized that this is only possible if the condition is strictly met that “the holder of the number, both at the time of further assignment to the subscriber and during the period that the subscriber uses the number, guarantees that the geographical service identity of the national E.164 number assigned to the subscriber corresponds to the address provided by the subscriber, whereby this address is clearly related to the subscriber on the basis of objective data” as provided for in Article 43, paragraph 4, 1° of the Royal Decree on the management of the national numbering space and the granting and withdrawal of usage rights for numbers of 27 April 2007. The number of nomadic calls must also be very limited compared to non-nomadic calls. An example of this is a company that uses Teams daily in Belgium, but whose employee occasionally makes calls from abroad for business reasons.
Microsoft is evidently lobbying regulators for special treatment of communications applications like Teams, with the result that their product gets an explicit mention here. The US multinational was outspoken in their criticism of the Irish regulator, ComReg, when they proposed a rule that similarly aligned with the principles of ECC Recommendation 23(03). Microsoft also is one of the leaders of a ‘governance’ organization already created by US companies with the intention of making global decisions about whose international calls should be connected, and whose should be blocked. That there are some legitimate edge cases for permitting the presentation of domestic numbers when a call actually originates overseas should not distract from the fact that pleas for special treatment by companies like Microsoft are void unless they are able to show they can successfully prevent the abuse of their services by scammers. If not, then they will be profiting from the conduit of fraud they have chosen to create by pressuring regulators not to place more emphasis on the need to prioritize consumer safety over corporate profits.
The discussion about the need for exceptions continues with the following.
Een uitzondering is eveneens voorzien voor conferentie uitbeldiensten, klantenondersteuningsdiensten en telefonische direct marketingdiensten, als ze worden aangeboden als cloudtoepassing (cf. scenario 4 van de bovenvermelde EEC-aanbeveling 23(03) van 28 november 2023). De gedematerialiseerde aard van deze diensten betekent dat het verband met de geografische locatie van het oproepende nummer niet langer als een essentieel element wordt beschouwd.
Om misbruik uit te sluiten wordt aan de interconnecterende internationale operatoren opgelegd dat ze de volledige controle over de oproep van de oproeper tot de internationale interface moeten garanderen zodat de CLI niet kan worden gewijzigd. Hoe dit technologisch wordt geïmplementeerd is van geen belang.
Eveneens in het kader van de uitzonderingen voorzien in de eerste paragraaf voorziet § 2 dat de oproepende gebruiker ondubbelzinnig en binnen de 24 uur op eenvoudig verzoek van het BIPT moet worden geïdentificeerd.
An exception is also provided for conference call-out services, customer support services and telephone direct marketing services, if they are offered as a cloud application (cf. scenario 4 of the above-mentioned EEC Recommendation 23(03) of 28 November 2023). The dematerialized nature of these services means that the link with the geographical location of the calling number is no longer considered an essential element.
To prevent abuse, interconnecting international operators are required to guarantee full control over the caller’s call to the international interface so that the CLI cannot be changed. How this is implemented technologically is of no importance.
Also in the context of the exceptions provided for in the first paragraph, § 2 provides that the calling user must be identified unambiguously and within 24 hours upon simple request of BIPT.
This is where I would disagree with the extent to which European authorities are making accommodations for big businesses. It is not sufficient to state there must be ‘full control’. The authorities must prescribe how control should be realized. If they do not, unprincipled companies will say they have full control whilst exerting no real control in practice. Comms providers reliant on thin margins will always be tempted to take more traffic from more customers rather than turn some away to rival comms providers with fewer scruples. Recently it was demonstrated that the expensive investment in STIR/SHAKEN in the USA can be easily undermined by the absence of any rules relating to know-your-customer checks. A comms provider that performed all that was required to deliver STIR/SHAKEN on a technical level was only later found to have applied the highest grade of trust signature to calls despite not bothering to check if the customer was actually trustworthy.
But to be fair, the Belgian authors of this decree also anticipated the central thrust of this criticism!
De uitzonderingen opgesomd in artikel 4 zijn gevoelig voor misbruik en zouden als gevolg kunnen hebben dat de maatregelen om de burger te beschermen worden uitgehold. Daarom wordt in dit artikel uitdrukkelijk voorzien dat van zodra misbruik of fraude wordt gedetecteerd het BIPT opdracht kan geven om de telefoonnummers hierbij betrokken te blokkeren. Fraude en misbruik beperken zich niet alleen tot art. 2, 5/5° en 5/6° zoals gedefinieerd in de WEC, maar kunnen bijvoorbeeld ook slaan op ongewenste marketingoproepen, stille oproepen, oproepen verboden door andere wet- of regelgeving (vb. bel-me-niet lijst). Indien nodig kan hiervoor worden samengewerkt met andere bevoegde Overheden.
The exceptions listed in Article 4 are susceptible to abuse and could undermine measures to protect citizens. That is why this article expressly provides that as soon as abuse or fraud is detected, BIPT can order the telephone numbers involved to be blocked. Fraud and abuse are not limited to art. 2, 5/5° and 5/6° as defined in the WEC, but can also refer, for example, to unwanted marketing calls, silent calls, calls prohibited by other laws or regulations (e.g. do not call list). If necessary, this can be done in collaboration with other competent authorities.
Putting my concerns about the monitoring of exceptions to one side, the adoption of rules like these represents the biggest shift in the balance of the fight against telecoms scams in human history. There has been a stunning reduction in scam and nuisance calls amongst those countries that have already implemented blocks like these. It now seems inevitable that all but a few countries worldwide will adopt blocks in the style of ECC Recommendation 23(03). But criminals will not simply give up. Scammers will attack and work around these controls in one of two ways.
Some criminal enterprises will respond by creating relay stations that operate banks of simboxes within the countries that are being scammed. These will provide the terminating leg of scam calls. The originating leg will still begin with scam compounds based overseas, but this leg will be carried using an encrypted internet channel between the scam compound and the relay station. This international leg will convey voice communications in real time but will not be a phone call in the conventional sense, and so will bypass controls that block conventional calls. We are already seeing signs of criminal enterprises using this two-leg method to circumvent border controls on scam voice traffic in Thailand.
Other criminals will use the method that remains paramount in the USA, and which the US authorities claim to be clamping down on, although their efforts have mostly served to illustrate how much they have underestimated the scale of the problem. If rules are created which allow legitimate businesses to originate traffic that nobody else is allowed to originate, then criminals will create business fronts that look like legitimate businesses. This is why the demand for ‘full control’ does not reflect the reality of how comms providers have ever worked in practice. Even if comms providers apply more stringent checks to customers, it just begs the question of how far criminals will engineer appearances in order to pass those checks.
The good news is that blocks like these will make it harder for criminals to scam ordinary people, and it will make it easier to tell which comms providers have been prostituting themselves to criminals. The sooner other countries follow the lead of Australia, India, Belgium, and the many other countries that are already blocking spoofed international traffic, the sooner we will choke the revenue streams of criminals, denying them the funding they will otherwise invest in finding ways to work around these controls.



