EE Blocks up to a Million International Calls with Spoofed CLIs Each Day

Is EE the ‘safest network’ in the UK? That is the claim made in a press release which says they have blocked 11 million inbound international phone calls with spoofed UK CLIs since the adoption of their new firewall. Perhaps they are mildly boasting because they also used two words which have become an infamous signifier of misleading telecoms advertising – ‘up to’ – when describing how many calls they block on a daily basis. Presumably they mean that there have been days when the number of blocked calls has approached one million rather than suggesting that all spoofed calls above a one-million-per-day limit will still be connected!

The wording is somewhat conceited, but EE’s press release is still welcome because it reinforces an important change in how telcos address the legitimate concerns of customers. It used to be normal for telcos to shy away from discussing measures to protect customers from crime because of the belief that anything said about that topic would make customers fearful. Of the UK operators, Vodafone has been most overt in switching to a policy of openly discussing their investments in new security technology and the methods used to counteract criminals that target consumers. EE now appears to be following Vodafone’s lead, though other operators lag behind.

It is also good that the public is finally being given some sense of the extent to which communications networks are abused. There have often been situations where the press has sought a professional opinion on the scale of fraud but then repeated some nonsense by a jackass who was clearly unfamiliar with the real numbers. It may seem shocking, but some individuals who present themselves as expert in the field of telecoms fraud have literally no idea about the scale of scam and nuisance calls. One recent social media post from an employee of the Communications Fraud Control Association (CFCA) repeated a story about a Philippine telco being accused of passing one thousand spoofed calls every day. As the figures from EE illustrate, anybody with a grounded perspective on the extent of telecoms crime would have laughed at the comically small number of spoofed calls mentioned in that story.

EE does not have a spotless record when it comes to informing the public about crime. In September 2019, EE responded to a massive wangiri attack by spouting a lot of nonsense about how the telecoms industry was tackling scammers. This is what EE’s media handlers told the Daily Mail newspaper:

This is an industry-wide issue and as these calls come from outside the UK it makes tracing them extremely difficult – and is why Ofcom is working with the GSMA and The (sic) Internet Engineering Task Force to try to address this globally.

Regular readers of Commsrisk will appreciate this was an oblique reference to STIR/SHAKEN, the combination of the STIR protocol from the Internet Engineering Task Force (IETF) with the SHAKEN framework created by the Alliance for Telecommunications Industry Solutions (ATIS). In 2019 there was a common belief that STIR/SHAKEN would soon reduce the spoofing of calls in the USA, though delays meant it only became mandatory for larger US telcos last year. The hope that STIR/SHAKEN would lead to fewer spoofed calls has not been realized so far. But irrespective of what was happening in the USA during 2019, there is no evidence that EE was the slightest bit involved in progressing the development of STIR/SHAKEN, or ever had any serious intention to implement it. Nor has EE engaged with the homegrown alternative to STIR/SHAKEN proposed by British academics.

EE’s media representatives implied the UK regulator was working with others on a global solution for scam calls in 2019 although Ofcom has always been a bystander when it comes to STIR/SHAKEN, which was the only anti-scam method that had serious pretensions to global adoption at that time. The UK regulator’s participation in the development of a supposedly global approach to authenticating the origin of phone calls has been limited to simply observing what has been happening in the USA, and latterly proposing a consultation about the adoption of STIR/SHAKEN in the UK which will be held later this year. Name-dropping the GSMA was even more egregious; the GSMA had no input into STIR/SHAKEN. Whilst the GSMA has often vaguely talked about addressing the issue of spoofed calls, none of their proposals have obtained any serious momentum. So EE’s guff about Ofcom, GSMA and the IETF was just a crude way of bamboozling some ill-informed journalists by making it seem like EE wanted to do something to protect consumers when they were merely stalling.

The irony here is that the firewall implemented by EE during July demonstrates why telcos did not have to wait for STIR/SHAKEN, or any global collaboration, just to protect phone users from scammers. If a major UK telecoms network receives an inbound international call that presents a UK CLI it can already tell the number has been spoofed without needing any help from anyone else. So they can block those calls in the sure knowledge that the CLIs are dishonest. The same philosophy can also work for other countries, and has already delivered tremendous results in Australia. Whilst we can be glad that EE is now using this approach to block a very large number of nuisance calls targeting UK phone users, we can also observe that Australia’s biggest telco has been using the same method to protect customers since 2019.
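The rule described above, blocking inbound international calls that present a UK CLI, written out as an added example; it is not EE's firewall or code from the press release. The record fields, trunk labels, normalisation rules and the `exempt_prefixes` hook are assumptions, and the sample calls are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

UK_CC = "44"  # UK country code

@dataclass(frozen=True)
class Call:
    day: str      # date the call arrived (constructed sample data)
    ingress: str  # assumed trunk label: "international" or "domestic"
    cli: str      # calling line identity exactly as signalled

def normalise_cli(cli: str) -> Optional[str]:
    """Return the CLI as international digits without '+', or None if unusable."""
    s = "".join(ch for ch in cli if ch.isdigit() or ch == "+")
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    elif s.startswith("0"):
        # Assumption: a national-format CLI would be displayed as a UK number.
        s = UK_CC + s[1:]
    return s if s.isdigit() and 7 <= len(s) <= 15 else None

def decide(call: Call, exempt_prefixes: Tuple[str, ...] = ()) -> str:
    """Block a call only when it enters from abroad yet claims a UK CLI."""
    if call.ingress != "international":
        return "allow"
    number = normalise_cli(call.cli)
    if number is None or not number.startswith(UK_CC):
        return "allow"  # missing or non-UK CLI: outside this rule
    if any(number.startswith(p) for p in exempt_prefixes):
        return "allow"  # hypothetical operator-defined exemption
    return "block"

def blocked_per_day(calls: Iterable[Call]) -> Counter:
    """Count blocked calls per day, the figure an operator would report."""
    return Counter(c.day for c in calls if decide(c) == "block")

# Constructed sample calls using numbers reserved for fictional use.
SAMPLE = [
    Call("day-1", "international", "+44 20 7946 0123"),
    Call("day-1", "international", "00447700900123"),
    Call("day-1", "international", "+1 202 555 0143"),
    Call("day-1", "domestic", "020 7946 0456"),
    Call("day-2", "international", "020 7946 0789"),
    Call("day-2", "international", ""),
]

if __name__ == "__main__":
    print(dict(blocked_per_day(SAMPLE)))
```

The decision needs only the ingress trunk and the presented CLI, both of which the receiving network already holds.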

It pains me to make this admission, but some telcos will only take action to protect customers when they have to, and will then seek praise for starting to do what they should have been doing for years already. That is why I believe the focus on STIR/SHAKEN to the exclusion of all serious alternatives became a monstrous distraction that is indirectly to blame for billions of scam calls received by phone users in recent years. Waiting for others to develop STIR/SHAKEN became an excuse for many telcos to ignore the potential of simpler and cheaper controls that could have been effected sooner. Those telcos did nothing because they calculated they would eventually be forced to pay a heavy cost for STIR/SHAKEN. Now there are signs that UK telcos realize they may be able to avoid those costs by voluntarily making progress with improved blocking of scam calls. They could have acted sooner, but at least the threat of being forced to implement STIR/SHAKEN is prompting them to act now.

The US has seen a poor return from its investment in STIR/SHAKEN so far. Some argue the investment will pay off eventually but that is no comfort to ordinary people deluged by nuisance calls in the meantime. The Australian experience sharply contrasts with that in the USA. Australia has halved the number of scam calls since last year, without adopting STIR/SHAKEN. Results like these should rightly impress telcos in other countries too. Publicizing the number of calls blocked by EE’s firewall will be part of a strategy to curry favor in advance of the Ofcom consultation expected later this year. If they can emulate the results in Australia by enormously reducing the number of scam calls received by British consumers they will fatally undermine the cost-benefit argument for mandating STIR/SHAKEN. I would not be surprised if we are seeing the development of an Anglo-Australian axis which focuses on individual countries taking independent steps to block obviously fraudulent inbound international calls instead of pursuing the grand US-Canadian-French vision of a global program to authenticate the origin of every call.

The motives for telcos copying the Australian approach may not be selfless, but an impartial analysis of publicly available data strongly suggests it is the best and most immediate way to deliver a good result for phone users. The public are rightly impatient for a reduction in the number of scam and spam calls they receive. They have been repeatedly misled about how soon they will witness the benefits promised by some of the more elaborate solutions that have been proposed. It is time to stop indulging grandiose schemes backed by individuals who, for biased political or commercial reasons, are willfully blinding themselves to filtering controls that will greatly reduce spam immediately, and not just at some hypothetical point in the future. We must insist on the adoption of methods that deliver measurable improvements today.

You can read EE’s press release here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.