20.5k unique visitors in the last 3 days

Thoughts about the UK Regulatory Consultation on Mobile Messaging Scams

The work done by institutions can be dominated by silos and categories; criminals exploit the cracks between them.

The first thought on seeing Ofcom’s current call for information about how to tackle SMS and RCS scam messages is that it is long. The questions they asked were not long, but they were open-ended. That means they will get long answers, especially from me. There is no justification for this industry’s overuse of the cliché that fighting fraud is a game of whac-a-mole unless we are also prepared to point out every single molehill that we already know about. The meaning behind the cliché is that we know criminals will exploit very many different attack vectors. Examining a lone molehill in isolation is pointless, as you know the fraudsters will often choose to pop up somewhere else. We either seek to protect the entire terrain or we admit that whac-a-mole is an appropriate metaphor because we never expect to accomplish anything.

The second thought is that the wording of the consultation illustrates the siloed thinking demanded by institutions and the way their work is defined. Criminals endlessly exploit the divisions created by these silos. It is not Ofcom’s fault that the UK has a bunch of rules relating to messaging services that involve phone numbers — SMS and RCS — and a different bunch of rules relating to messaging services that do not involve phone numbers — Whatsapp, Facebook Messenger, and all the rest. That forced Ofcom to state at the outset of their consultation that it excludes ‘online communications services’ — Whatsapp and the others — because their consultation is about the services where a message is routed to a phone number. The routing to a phone number is not even entirely true of this consultation, because the consultation also asks about SMS blasters, and those devices only know your number because they have already connected to your phone and to every other phone within range of the radio signal. So even when an intelligent regulator tries to draw a sensible line between different kinds of fraud, it finds the real behavior of criminals is always pushing the limits of those definitions. And when I assert that Ofcom is intelligent, it is with reference to the fact that Ofcom is still a few months’ shy of its 21st birthday, having being created at the end of 2003 by a merger of regulators because of the need for a single body to oversee the whole of the communications landscape at once.

Criminals keep defying the boundaries applied to anti-scam work because they have no reason to care about categories. We care about categorizing the work we do; criminals do not. A scammer in a compound may first connect with you because you responded to their robocall, or to their A2P SMS, or to their P2P SMS, or to their Skype message, or to their advert on Craigslist, or you fancied somebody you saw on a dating app and did not realize the image was copy-pasted from a fashion catalogue. The scammer lures you into typing your details into a phishing website, or encourages you to switch to a communications channel they prefer because it is encrypted, such as Whatsapp. Maybe the goal is to get enough information so they can make a withdrawal from your bank account, or maybe they will sweet talk you into sending them the money yourself. They do not care about enumerating the thousands of variations upon the scams they devise. But we lose sight of the big picture concerning which controls would be most effective at tackling scams in the round because we keep trying to break down our work into manageable chunks. And that is why we end up in a situation where many clever people are talking about how to use registries and auditors to validate the identity of a logo of a business presented to us via an RCS message, and different clever people talk about mitigating scam and spam robocalls by having the logo of the same business presented to us via Rich Call Data (RCD), but there are not enough clever people talking about how the checking of the business and its logo has a lot in common, so we should find ways to protect RCS messages and RCD calls at the same time. Failing to see the bigger picture may lead to the unnecessary duplication of effort by businesses which want to use both RCS and RCD to share their logo when sending messages and making calls. And if we do not notice how much is in common, then the fraudster will just direct their efforts to the avenue where our work has left the largest loopholes, because criminals do not care if Ofcom runs a consultation that ultimately leads to a cost-benefit calculation for tackling scam messages, but without factoring in the costs and benefits of tackling scam calls at the same time.

The third thought was that the examples of anti-scam controls that Ofcom listed in their own consultation document were drawn from a particular range of countries even though the world is big and round and consists of more than just Europe and North America. Indians, Kenyans and Thais receive scam messages too. In some cases, their experience is worse, because they receive more scam messages, and that means their experience is superior, because their methods of tackling scam messages have had to evolve more rapidly. For example, if I want to know about techniques used to identify SMS blasters, I should speak to people in Thailand who have identified a lot of SMS blasters, and not to people in countries where the authorities (wrongly) believe there are no SMS blasters. Kenyans have some special insights into using mobile messages to trick people into transferring money because so many Kenyans use mobile phones to access their mobile money. India has reduced the number of nuisance messages with distributed ledger technology (DLT), which you may remember was the overhyped technology before AI became the overhyped technology. But India’s case shows the hype about DLT was not just hype, because they are actually using it to do things other countries are not attempting to do. Perhaps the conclusion will be that implementing a messaging allow-list by a DLT is the wrong approach for the UK, but it should be considered as an option. Which leads to a banal but fundamental observation about another kind of silo affecting our ability to learn from experience: timezones. One reason why Singaporeans and Australians have anti-scam policies that are so far ahead of other countries may be that other nationalities are not prepared to get out of bed at a peculiar hour just to listen to the experience that Singaporeans and Australians can share.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email