It is good to see that Ofcom, the UK’s communications regulator, has further strengthened its guidance on how telecoms companies should protect people in the UK from fraud and scams via international calls. Its latest consultation, “Tackling scam calls from abroad — Updating our Calling Line Identification Guidance to prevent scammers abroad from spoofing UK mobile numbers”, addresses international calls that imitate UK mobile numbers. It follows a set of measures already implemented to protect UK citizens and businesses against scam and spam calls with spoofed UK landline numbers.
However, Ofcom’s request for protection against this hostile abuse via spoofed UK mobile numbers suggests only a partial solution. In this regard, Ofcom is far less ambitious and demanding than regulators in many other countries, and its proposal falls short of what is possible with an active call blocking mechanism, as recommended by standards bodies such as i3Forum and GSMA.
Background
Ofcom is correct that criminal gangs, drawing on social learning techniques, like to spoof numbers that their innocent victims might trust, so that their calls are more likely to be answered. In previous years Ofcom set rules that providers should block calls from abroad that use a UK landline number in the CLI data for presentation to the callee, except in some legitimate use cases. This all works fine for UK landline numbers, because Ofcom shares with communications providers:
- The Do Not Originate list of number resources that are never intended to make outbound calls; consequently, calls with CLI data from these number resources should be blocked.
- The rules UK providers are to follow for the sub-allocation of numbers to other providers, to enhance both the liability of third parties and the controllability of such number resources.
- The steps providers should take to identify international incoming calls with spoofed UK landline numbers, and to block such calls.
Current exemption for UK mobile numbers
In this regard, there were obvious reasons for Ofcom to include in their current CLI guidelines an exemption from blocking for calls made from abroad using a UK mobile CLI, so that UK mobile users abroad can display their number or name to friends and family in the UK when they call them.
Fixed line numbers are used less between social contacts, while mobile numbers are very effective for attacks because they are more person-oriented and still have a relatively high trust level. And when the callee is on a mobile too, the terminating device will present a name instead of a number, based on the stored entries in the address book. This further contributes to a greater acceptance of incoming calls when the spoofed number is a mobile number.
These facts are acknowledged by Ofcom research, which reveals that, in February 2025, two in five phone users (42%) said they received a suspicious call in the last three months and that people are more trusting of calls coming from UK mobile numbers (+447) than of calls from withheld or international numbers. In addition, a quarter (26%) said they were likely or very likely to pick up a call from an unrecognised UK mobile number, compared to just one in ten (9%) who would answer a call showing an international number with an unrecognised country code.
Why fraudsters love this exemption
Fraudsters are aware that calls with spoofed mobile numbers are more likely to bypass defences when the manipulated calls are generated abroad. For this purpose, they imitate calls made by roaming users who are travelling abroad. This is a very popular use case, considering that mobile operators frequently offer roaming packages that include a bundle of voice calling minutes, mimicking the voice calling bundles in the home country.
These manipulated calls with spoofed mobile numbers are difficult for foreign operators and intermediate transit carriers to detect. This is because the mobile number of a roaming user belongs to a foreign numbering plan, so the details of the number (such as the assignment/activity status and operator portability status) are known only to the operators in the home country of the roaming user.
Technical roaming improvements
The mobile industry recognised this security risk long ago and introduced home routing, first with VoLTE Roaming in 4G and then with VoNR Roaming in 5G, whereby outgoing calls by roaming users have become data sessions. These data sessions are selectively forwarded to the IP Multimedia Subsystem (IMS) in the home 4G/5G mobile network. Only in the IMS in the subscriber’s home country do the data sessions become voice calls. They are therefore no longer routed as international calls via international carriers, which mitigates the risk that the CLI data is manipulated. And as a retrofit to 2G/3G networks with CAMEL support in SS7 signalling, calls of roaming users can be home routed as well.
Bypasses allow fraudsters to continue their practices
However, these protections are not implemented overnight and, more problematically, legacy 2G/3G and other services (many of them beyond the control of mobile operators) offer long-term bypass techniques to hackers. Both will prolong the risk of international calls with spoofed mobile numbers. For an in-depth explanation of this long-term bypass risk, please refer to my previous CommsRisk article “Urgent Security Advances Needed to Trust Mobile Caller IDs”.
Recurring new discoveries of attack tactics show that fraudsters are very well educated about the vulnerabilities in the international telecom ecosystem. The complexity of the global roaming infrastructure, in particular, has repeatedly proven to be an inexhaustible source of innovation for violent manipulation.
Why Ofcom’s request is unambitious and undemanding
The protection solution that Ofcom considers for mitigating this bypass risk is that the presentation number of these incoming international calls should be marked as ‘withheld’. This allows these calls still to proceed. The absence of presented CLI data is then an implicit warning to the customer that this incoming call may be a spam/scam call.
While this is a definite improvement, it requires both general awareness of and continuous alertness to this risk among UK consumers. But even with awareness and alertness, this still does not mitigate the full issue. Ofcom recognizes this incompleteness with the following remark in their consultation:
“We expect the effect of this measure to be that UK people and businesses receive significantly fewer calls from scammers that appear to come from UK mobile users, although scammers may still be able to send messages from UK SIMs which they manage to source and use from overseas destinations. In turn, this will reduce the likelihood that people engage with scam calls and lose money.”
There are several reasons why this assumption is doubtful. Grounds to believe this approach will not adequately address the problem include the following.
- It is well known in the industry that acting on presentation indicators and parameters in CLI data is not flawless. This is caused by the many signalling variants and their interworking differences. In particular, the ISUP to SIP and SIP to ISUP mappings are not straightforward enough to ensure that restricted CLI data is always correctly withheld from presentation.
- Even if customers are alert to incoming calls with anonymous CLI data, there are many practical circumstances in which customers will answer such calls. A typical example is where a customer is awaiting a call from a doctor who uses a private mobile phone and is not willing to share the number with patients. In such a situation, where the customer is likely nervous and emotionally sensitive, receiving a scam call will be very annoying.
Need for a better and recommended solution
While the Ofcom consultation neglects active blocking solutions to protect UK consumers against this bypass risk, regulators in many other countries have already instructed their operators to implement what is now known as an ‘Is Roaming’ check. These checks support the active blocking of international calls with mobile numbers as CLI data. The first deployments were put into service around 2020 in Middle Eastern countries. Although the methods of implementation vary from country to country, ‘Is Roaming’ checks are now in use or are in the process of being implemented in many other countries, especially in Western Europe. Given the accuracy and effectiveness achieved by ‘Is Roaming’ checks in operational networks, it should be considered a realistic ambition for those networks where it has not been implemented yet.
The GSMA published technical implementation guidelines for mobile operators in its technical standard “FS.21 Interconnect Signalling Security Recommendations”. Additionally, the i3Forum Technology Work Group published open papers with complementary guidelines for the attention of international IPX providers and national transit operators. The i3Forum documents “CLI consistency checks v1.0” and “Solutions for Restoring Trust with Mobile Roamer Identification Verification v1.0” elaborate on the implementation variants and their evolution.
The working principle behind the ‘Is Roaming’ check
The ‘Is Roaming’ check solution is based on the simple principle that an international incoming call with a national mobile number in the CLI data must, if legitimate, be a call made from a SIM by a customer roaming abroad. Since the mobile network serving the roaming customer (the home mobile network) is located in the destination country and is constantly updated on the roaming status of the UK SIM, querying the home network determines whether this incoming international call is legitimate or not.
Since most of the time customers are not roaming, blocking falsified calls that carry the CLI of a user who is not roaming provides effective protection against this type of fraud. If the user is roaming, further checks may validate the trustworthiness of the call and the CLI content, such as whether the CLI is part of a Do Not Originate (DNO) list, to allow legitimate calls to proceed with anonymized CLI content to alert subscribers that the CLI may be false.
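The decision logic described above can be sketched as follows. This is an added illustration, not code from GSMA, i3Forum or any operator: all names are hypothetical, `roaming_lookup` stands in for whichever home-network query (SS7 MAP or API) a country agrees on, and allowing the call with a withheld CLI when the home network gives no answer is an assumption of this sketch.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set


class Verdict(Enum):
    NOT_APPLICABLE = "not_applicable"    # outside this rule; other CLI rules decide
    ALLOW = "allow"
    ALLOW_WITHHELD = "allow_cli_withheld"
    BLOCK = "block"


@dataclass(frozen=True)
class InboundCall:
    cli: str                     # presentation number as received
    international_ingress: bool  # True if it arrived over an international interconnect


def normalise(cli: str) -> str:
    """Reduce '07...', '00447...' and '+44 7...' to E.164 '+447...'."""
    digits = "".join(ch for ch in cli if ch.isdigit())
    if cli.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return "+" + digits


def is_roaming_check(call: InboundCall, dno: Set[str],
                     roaming_lookup: Callable[[str], Optional[bool]]) -> Verdict:
    cli = normalise(call.cli)
    if not call.international_ingress or not cli.startswith("+447"):
        return Verdict.NOT_APPLICABLE
    if cli in dno:                       # never originates calls, roaming or not
        return Verdict.BLOCK
    try:
        roaming = roaming_lookup(cli)    # True / False / None (home network has no answer)
    except Exception:                    # lookup timeout or transport failure
        roaming = None
    if roaming is None:                  # assumption: degrade to withheld CLI, not to block
        return Verdict.ALLOW_WITHHELD
    return Verdict.ALLOW if roaming else Verdict.BLOCK


# Constructed sample data (07700 900xxx is Ofcom's drama-use range, not real subscribers).
HOME_STATUS = {"+447700900001": True, "+447700900002": False}
DNO_LIST = {"+447700900099"}


def sample_lookup(cli: str) -> Optional[bool]:
    return HOME_STATUS.get(cli)
```

The lookup failure path matters in practice: blocking on every timeout would drop legitimate roamers' calls whenever the home-network query is unavailable.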
Technical solutions for the ‘Is Roaming’ check
Given the lack of standardised implementation guidelines, initial network implementations of ‘Is Roaming’ were based on the reuse of SS7 MAP messages. Later implementations are based on an API solution such as the GSMA Open Gateway framework with the CAMARA standardised Device Status primitive. The choice depends on the implementation method agreed per country between mobile operators and transit operators with International Gateways. Whether it should be based on a proxy/hub solution or a distributed solution depends on the existing number portability handling in a country.
While this entails costs for UK operators, these remain limited given the limited number of players, the availability of standard products and the reduction in customer complaints. Ofcom should offset these costs for the telecoms sector with the savings for society from limiting fraud losses. This investment in restoring trust should be weighed against the increasing importance of securing our public ICT infrastructure due to ongoing digital transformation.
Conclusion
Although Ofcom’s request for protection against this hostile abuse via spoofed UK mobile numbers deserves support, the outstanding consultation suggests only a partial solution. Based on the above explanation, it is proposed that Ofcom aligns its policy with the present views in other countries by adding an ‘Is Roaming’ check solution that includes active call blocking for illegitimate calls. If not, fraudsters will be able to continue their fraudulent actions via bypass techniques.



