33.3k unique visitors in the last 3 days

Europol’s New Paper on Caller ID Spoofing Is Better than Anything Else You Will Read on This Subject

The police can be impartial about the methods needed to tackle crime when businesses are letting the rest of society down.

I inevitably become jaded after devoting much of each week to reading the self-promoting crap produced by the comms industry on the topic of crime. Even regulators sometimes fall into the trap of repeating marketing slogans when they should strive to maintain objectivity. For example, comparing the fight against crime to a game of whac‑a‑mole probably sounds both clever and safe to the speaker’s own ear when it is still only the twentieth time they have used the phrase in public. They know the vast majority of their audience will reflexively agree with them. The analogy emphasizes the adaptability of criminals. But when you hear the phrase being used for the 2,000th time you may start to appreciate how empty it is. The analogy suggests we should fight crime by being moronic brutes that are incapable of anything but reacting to events. There is no strategizing to increase the chances of victory in whac‑a‑mole. There is no anticipation of the opponent’s next move in whac‑a‑mole. A chess player would not devote time to analyzing how to improve their whac‑a‑mole score. It is no wonder that criminals are always one step ahead if whac‑a‑mole is our only paradigm for fighting crime.

The lack of strategic forethought in the comms industry is painfully clear to anyone who understands why phone users choose not to pick up calls they previously answered. Transnational networked crime has evolved to the stage where we need breadth of vision and strategies that are not just deployed across the whole of society, but across multiple societies. However, much of this crime is difficult to understand because the comms industry is difficult for an outsider to understand, and this allows the blinkered perspectives of industry insiders to influence the opinions of people who should otherwise be more skeptical. Journalists, regulators and governments have been too trusting of some of the comms industry’s disinformation about crime. But perhaps, at long last, there are now some police with such a clear understanding of networked crime that they will force a paradigm shift in how societies respond to crime, and anticipate potential crimes. Europol has published a position paper on CLI spoofing whose brevity belies the outstanding quality of the research that must have gone into it. This paper may represent a transition towards police driving strategies for how to fight networked crime according to their impartial assessment of what is needed by society as a whole.

The opening sentence of Europol’s press release establishes the tone of their new paper.

Europol is calling for a coordinated European response to tackle caller ID spoofing, an increasingly common tool, used for online fraud and social engineering scams.

Three priorities are identified. Many of us will agree with them, but I have never seen them more adroitly stated. Those priorities are:

  • Harmonised technical standards: develop EU-wide mechanisms to trace fraudulent calls, verify legitimate caller IDs, and block deceptive traffic.
  • Enhanced cross-border collaboration: strengthen cooperation between law enforcement, regulators, and industry to share intelligence and evidence efficiently.
  • Regulatory convergence: align national rules to enable lawful traceback, clarify legitimate uses of caller ID masking, and promote proven anti-fraud tools.

However, the true worth of Europol’s paper is not exhibited in high-level statements like these. There are many stooges who will copy and hijack these principles, only to twist them into serving selfish objectives that fall short of the ideals being expressed. I expect American STIR/SHAKEN lobbyists will cherrypick parts of Europol’s paper and present it as proof that Europe needs STIR/SHAKEN, despite repeated evidence that STIR/SHAKEN has failed to protect Americans from spoofed calls. One of the most impressive aspects of Europol’s paper is that the authors clearly understand the downsides to STIR/SHAKEN, the importance of the governance framework surrounding call validation, the range of methods that can be used to tackle crime, and the importance of staying true to European sensibilities. Those latter sensibilities differ from the cruder profit-based motives that limit the current US strategy. To fully appreciate Europol’s position requires a nuanced reading that pays attention to all the details. That comes with a close reading of the entire paper, not the reduction of transnational anti-crime strategies to a few glib slogans.

One of the most obvious flaws with the US strategy is that it never bothered to impose any meaningful know-your-customer (KYC) obligations on businesses. Instead of dealing with this omission, the American convention is to pretend the gap does not exist by never speaking of it. The American public has been encouraged to believe a call can be ‘authenticated’ by technology even if nobody has checked who was actually responsible for making that call. This is a not a mistake made in Europol’s paper.

While robust anti-spoofing measures are crucial, and have proven to reduce fraudulent caller ID spoofing traffic in core networks, it is imperative to acknowledge and prepare for new and evolving trends in online crime that will continue to pose significant challenges.

These threats include already existing SIM-based scams that leverage fake or stolen identities, indicating a need for enhanced identity verification processes in the telecommunications
industry (KYC).

Anti-regulatory subleasing, where telecommunication resources are exploited outside regulatory frameworks, will require vigilant monitoring and stricter enforcement (KYT). The existence of anonymous prepaid services also presents a persistent challenge for tracing illicit activities.

STIR/SHAKEN’s particular combination of technology and governance protocols — often wrongly described as purely a technological solution by people with no interest in how to correctly govern the technology’s use after they have profited from its sale — has proven to be as effective a barrier to spoofing as using a sieve to catch water. Much of this is due to its supporters comprehensively lying that STIR/SHAKEN mandates KYC (it does not) or that comms providers can be trusted to implement robust KYC in the absence of any compulsion (they cannot). But even if the US had imposed robust KYC obligations at the same time as STIR/SHAKEN was mandated, there are other holes that criminals can send bad traffic through. For example, TransNexus publishes monthly statistics on the proportion of US calls that arrive at their destination without an intact SHAKEN signature and these statistics are reproduced as a rolling graph on Commsrisk’s own fraud dashboard because success would require the USA to have attained 100% coverage. I suppose some naive Americans actually believed they would attain 100% coverage amidst all the marketing hype about STIR/SHAKEN. However, there has never been a month with more than 50% coverage of the calls monitored by TransNexus. The coverage figures for the most recent months have slumped below 40% again. Europol’s paper is wisely circumspect about the range of call validation methods currently available, all of which deserve further examination before deciding how to harmonize technology across Europe. There is no benefit to Europeans in rushing to copy American methods that have delivered woeful results so far just because salesmen and politicians keep exaggerating how well they have worked.

One important sign that Europol has not been fooled by the exaggerated promises of some technology vendors comes from how their paper places as much emphasis on governance as technological solutions. For example, the paper’s section on regulatory convergence asks for the following:

Provide regulatory clarity on acceptable spoofing use cases and mandate service providers to implement validation mechanisms, defining responsibilities for blocking illegitimate traffic, such as reverse onus clauses (burden of proof).

The significance of the governance demands built into SHAKEN, and the extent to which these clash with European norms is explicitly referenced when the paper discusses “policy implications for global collaboration”.

Drive harmonisation of regulatory approaches and promote international cooperation among telecommunications authorities, recognising the need for multi-stakeholder engagement.

This includes evaluating the suitability of diverse authentication frameworks, thus recognising that a one-size-fits-all approach (like STIR/SHAKEN) may be at odds with national laws or EU-privacy norms.

Europol’s position paper sets up the prospect of a head-on clash between Europe and the USA over the methods used for collaborating in law enforcement. The US position remains fixated on bullying foreign countries into adopting STIR/SHAKEN so it can be used as a universal governance mechanism for all traffic everywhere. Meanwhile, Europol astutely summarizes the technology options available.

Implement mechanisms to validate inbound international calls with national CLIs (e.g. home network verification for roaming). This may include leveraging solutions like API-based caller ID verification as an out-of-band method, or considering in-band solutions which directly inspect and block calls from identified spoofed caller IDs within their network’s primary communication path, thus avoiding latency issues.

It is impressive that employees of Europol can pithily summarize technical methods to obstruct calls with spoofed CLIs when many people employed by the comms sector who claim to be technical experts refuse to acknowledge some of the choices outlined in the two sentences copied above. My jaw dropped when I went through the footnotes and realized that Europol’s prime example of “API-based caller ID verification” was GSMA Call Check.

7 GSMA, 2024, Call Check, source: https://www.gsma.com/solutions-and-impact/industry-services/call-check/

Perhaps the biggest single problem with GSMA Call Check has been the GSMA’s utter incompetence at marketing it. The marketing of STIR/SHAKEN has been far superior to the product. The marketeers of STIR/SHAKEN may have been cynical but they did their job well. In contrast, the GSMA’s marketeers are so useless that they are turning a good product into a dud. Reading through the GSMA’s webpage for Call Check suggests it was created by people who have no comprehension of why a body like Europol would be interested in an API-based service of this type. Based on my experience, the few GSMA employees that know what GSMA Call Check actually is learned about it from Commsrisk, not from the dire output of the GSMA. That Europol has identified Call Check as a potentially valuable consumer protection solution is testament to the quality of their market research. If this is going to be representative of how the police will research potential mitigations of crime in future then we should welcome the police exerting greater influence over the comms industry. The police might actually be better at understanding how systems can be devised to reduce crime than most communications industry insiders.

The Europol paper is short, being a mere six pages in length after ignoring the front cover image and a single page of legalese at the back. Do not let its brevity fool you. It is the best paper ever published on the strategic challenge of how to validate communications to reduce crime, if we measure quality by dividing the quantity of insights by the number of words used to express them. It is so succinct that some of its genius may not be apparent on the first reading. Reading, re-reading and contemplating the contents of this Europol paper is a far better use of time than listening to yet another repetitive speech about whac‑a‑mole. If Europe’s strategy for tackling scam communications is led by the people who wrote this paper, and by the people who advised them, then there is good reason to be optimistic about the future.

Europol’s position paper on caller ID spoofing is here and the associated press release is here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email