26.1k unique visitors in the last 3 days

How Can We Regain Trust in Accepting Calls from Unknown Mobile Numbers?

An examination of how the comms sector is responding to the spoofing of caller IDs.

In recent years, consumer trust in calling line identifiers (CLIs) has significantly diminished, particularly with international calls. This is mainly due to the misuse and spoofing of CLIs by call originators, such as scammers and predatory sales callers, who exploit the ability to manipulate CLIs, compounded by a lack of global administrative control. The communications sector has searched for ways to regain the trust of customers but without much success so far. How might the industry progress towards a solution?

Abuse and Spoofing of Mobile Numbers

The most problematic scenario involves the abuse and spoofing of mobile numbers. This tactic is commonly used by bad actors, by spoofing mobile numbers from overseas to appear as roaming subscribers. The root causes of this issue include:

  • Mobile operators in the visited country, along with intermediate transit carriers, are unable to verify the authenticity of the mobile number. This is because the CLI belongs to a foreign numbering plan, the details of which are often unknown to these networks.
  • It is legitimate for an inbound international call to present a domestic mobile number if it comes from a user who is roaming abroad. These calls are fundamental to mobile services, as they typically involve individuals calling family members, friends, or business contacts in their home country.

Forward-Looking Solutions

The abuse and spoofing of mobile numbers is fundamentally addressed by the home routing scenarios in 4G and 5G networks whereby calls made by roamers in foreign networks are routed back to their home network, bypassing international voice networks. So, the attack surface is significantly reduced, as the home mobile network — holding the user’s profile — originates the call and includes the correct CLI.

Likewise, older 2G and 3G networks may support a similar home routing capability through CAMEL control commands in SS7 signalling. However, it offers only partial coverage, as global support for CAMEL is limited. Implementing CAMEL in legacy 2G/3G networks is complex, incurs licensing and capacity costs, and may face resistance from visited network operators who are reluctant to lose lucrative revenue from call charges for outgoing international calls.

Challenges in 2G and 3G Networks

Calls made by users roaming on 2G and 3G networks without CAMEL will not be routed to their home network but by the visited mobile network. Consequently, such calls will arrive in the home country as international calls with a domestic mobile number in the CLI.

The shutdown of 2G/3G networks in the US sparked the migration from the vulnerable SS7 roaming links to Diameter roaming links between 4G networks. However, developing countries in particular are not prepared for this migration since it needs a 4G core with an IMS service platform. Loosely specified interworking solutions leave room for abusive manipulation of the CLI.

And SS7 is still popular because of the roaming support needed for 2G and 3G devices. Though most handhelds are at least 4G enabled, limited radio coverage will force handhelds to fallback to 2G/3G working. In addition, many M2M and IoT devices in automotive, metering, logistics, healthcare, etc. are still based on SS7 because of the lower cost of 2G/3G chipsets. This situation will not change very soon as M2M and IoT devices have long lifespans. Replacing them all would involve huge cost and effort.

The SMS service is another roadblock for operators to completely disable their legacy SS7 roaming connections as there is no support for the SMS service for all scenarios with Diameter and IP. This means that even if an operator has completely disabled its 2G/3G services, SS7 roaming connections still need to remain in service or via the interworking between SS7 and Diameter.

Other Bypass Techniques

There are complementary situations that are not controllable via the purely mobile network solutions described above. These situations permit potentially abusive bypass techniques like over-the-top voice applications and unified communications (fixed/mobile) services that allow mobile CLIs to be included in outbound calls without direct control by the mobile operator.

The above considerations highlight a key security problem in the existing worldwide ecosystem. The vulnerability cannot be isolated or disabled. The risk will thus persist for years, and potentially without end. It will remain a common thread for the meshed, globally interconnected mobile networks. Attackers are adept at exploiting vulnerabilities and can easily shift activities to countries where niche exploits and bypass techniques remain viable.

The most dangerous risk arises when mitigation solutions are successfully bypassed and calls with false CLIs are classified as having trusted mobile CLIs. This is a known ‘garbage in, garbage out’ issue as found in STIR/SHAKEN. Labelling a dangerous call as safe causes more confusion for customers than if no labels were applied to any calls.

GSMA Call Check

Given these problems with mobile CLIs, it was good to see an initiative from within the industry with the launch of the GSMA Call Check in September 2024. This is an opt-in mechanism for operators to exchange call information via an overlay by which the receiving network can validate the call setup information received with the incoming call.

Since this is an opt-in mechanism, the scope of the solution is fragmented and leaves plenty of room for bad actors to infiltrate via unprotected networks. Another reason to be sceptical about the prospects for GSMA Call Check is the changing worldwide political climate which discourages collaboration in the exchange of trustful information.

The Need for an “Is Roaming” Check

Based on the above, calls made by roaming users on 2G and 3G networks — or generated through bypass techniques — may arrive as international calls with a domestic mobile CLI. So bad actors can misuse and spoof mobile number CLIs to infiltrate international networks with malicious traffic.

The most effective defence against this is to verify if the subscriber associated with that CLI is currently roaming. This is known as the “Is Roaming” check. Roaming status data is maintained in the HLR, HSS, or UDR in the home network, and continuously updated by visited foreign networks where roaming users are connected.

An “Is Roaming” check involves a real-time query during the call setup process to the subscriber registry in the home network that owns the CLI. If the queried CLI belongs to a subscriber who is currently roaming, the international call is more likely to be legitimate. However, if the subscriber is not roaming, the call may be fraudulent and the CLI has potentially been spoofed.

Whilst not completely eradicating the spoofing of mobile CLIs, in some markets it has proven to have significantly improved the trustworthiness of CLIs. The attack surface for CLI abuse radically shrinks with the implementation of the “Is Roaming” check.

Concluding Remarks

While mobile operators are reducing the attack surface with home roaming routing advancements, they will not be able to guarantee the authenticity of the mobile caller ID of all calls, given the many bypass techniques via the heterogeneous worldwide roaming system. This includes the potential misuse of subscribers’ mobile CLIs served by their more secure 5G networks.

Declining volumes of inbound international calls with a local mobile caller ID won’t impede scams with the wide variety of backdoors. This needs the implementation of the “Is Roaming” check as a robust validation for inbound international calls to combat the spoofing of domestic mobile CLIs.

The industry could explore opt-in registries, allowing customers to specify their roaming status. Inbound international calls with mobile caller IDs would be blocked automatically unless customers indicate they are roaming. This proactive self-protection mirrors practices offered by financial institutions for credit/debt cards, enabling customers to safeguard themselves against potential misuse of their financial services.

Pieter Veenstra
Pieter Veenstra
After a distinguished career in leading roles within the telecom industry, Pieter now serves as an independent expert in routing and security. He is an advisory member of CPaaSAA, a partner of i3forum, and a guest lecturer for MSc courses at the Technical University of Delft. Throughout his career, Pieter has contributed significantly to the field, publishing articles, and chairing various working groups in ETSI and GSMA. His contributions include serving as the Chair of the GSMA Roaming and Interconnection Fraud and Security working group and editor for detailed technical specifications such as the GSMA PRD FS.40 - 5G Security Guide. He also currently contributes his insights to the i3Forum Technology working group and the One Consortium Restore Trust initiative with GIRAF. His goal it to help the community converge on practical and effective solutions for CLI data protection. See Pieter's LinkedIn profile here.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email