27k unique visitors in the last 3 days

Registries, Timezones, Molehills and a Man Named Bhavesh: How Silos Give Scammers an Advantage

This week we examine how regulators are creating or overcoming barriers to cooperation via news from Australia, the UK and the USA.

In this week’s bulletin:

In each bulletin I will attempt to highlight news from around the world whilst also drawing attention to common themes. This week covers recent work by regulators in Australia, the UK and USA that may seem to have little in common apart from the desire to reduce scams. A closer examination shows they are all struggling with how to overcome siloed strategies and improve the exchange of information. However, some continue to suffer from siloed thinking more than others.

Thoughts about the UK Regulatory Consultation on Mobile Messaging Scams

The first thought on seeing Ofcom’s current call for information about how to tackle SMS and RCS scam messages is that it is long. The questions they asked were not long, but they were open-ended. That means they will get long answers, especially from me. There is no justification for this industry’s overuse of the cliché that fighting fraud is a game of whac-a-mole unless we are also prepared to point out every single molehill that we already know about. The meaning behind the cliché is that we know criminals will exploit very many different attack vectors. Examining a lone molehill in isolation is pointless, as you know the fraudsters will often choose to pop up somewhere else. We either seek to protect the entire terrain or we admit that whac-a-mole is an appropriate metaphor because we never expect to accomplish anything.

The second thought is that the wording of the consultation illustrates the siloed thinking demanded by institutions and the way their work is defined. Criminals endlessly exploit the divisions created by these silos. It is not Ofcom’s fault that the UK has a bunch of rules relating to messaging services that involve phone numbers — SMS and RCS — and a different bunch of rules relating to messaging services that do not involve phone numbers — Whatsapp, Facebook Messenger, and all the rest. That forced Ofcom to state at the outset of their consultation that it excludes ‘online communications services’ — Whatsapp and the others — because their consultation is about the services where a message is routed to a phone number. The routing to a phone number is not even entirely true of this consultation, because the consultation also asks about SMS blasters, and those devices only know your number because they have already connected to your phone and to every other phone within range of the radio signal. So even when an intelligent regulator tries to draw a sensible line between different kinds of fraud, it finds the real behavior of criminals is always pushing the limits of those definitions. And when I assert that Ofcom is intelligent, it is with reference to the fact that Ofcom is still a few months’ shy of its 21st birthday, having being created at the end of 2003 by a merger of regulators because of the need for a single body to oversee the whole of the communications landscape at once.

Criminals keep defying the boundaries applied to anti-scam work because they have no reason to care about categories. We care about categorizing the work we do; criminals do not. A scammer in a compound may first connect with you because you responded to their robocall, or to their A2P SMS, or to their P2P SMS, or to their Skype message, or to their advert on Craigslist, or you fancied somebody you saw on a dating app and did not realize the image was copy-pasted from a fashion catalogue. The scammer lures you into typing your details into a phishing website, or encourages you to switch to a communications channel they prefer because it is encrypted, such as Whatsapp. Maybe the goal is to get enough information so they can make a withdrawal from your bank account, or maybe they will sweet talk you into sending them the money yourself. They do not care about enumerating the thousands of variations upon the scams they devise. But we lose sight of the big picture concerning which controls would be most effective at tackling scams in the round because we keep trying to break down our work into manageable chunks. And that is why we end up in a situation where many clever people are talking about how to use registries and auditors to validate the identity of a logo of a business presented to us via an RCS message, and different clever people talk about mitigating scam and spam robocalls by having the logo of the same business presented to us via Rich Call Data (RCD), but there are not enough clever people talking about how the checking of the business and its logo has a lot in common, so we should find ways to protect RCS messages and RCD calls at the same time. Failing to see the bigger picture may lead to the unnecessary duplication of effort by businesses which want to use both RCS and RCD to share their logo when sending messages and making calls. And if we do not notice how much is in common, then the fraudster will just direct their efforts to the avenue where our work has left the largest loopholes, because criminals do not care if Ofcom runs a consultation that ultimately leads to a cost-benefit calculation for tackling scam messages, but without factoring in the costs and benefits of tackling scam calls at the same time.

The third thought was that the examples of anti-scam controls that Ofcom listed in their own consultation document were drawn from a particular range of countries even though the world is big and round and consists of more than just Europe and North America. Indians, Kenyans and Thais receive scam messages too. In some cases, their experience is worse, because they receive more scam messages, and that means their experience is superior, because their methods of tackling scam messages have had to evolve more rapidly. For example, if I want to know about techniques used to identify SMS blasters, I should speak to people in Thailand who have identified a lot of SMS blasters, and not to people in countries where the authorities (wrongly) believe there are no SMS blasters. Kenyans have some special insights into using mobile messages to trick people into transferring money because so many Kenyans use mobile phones to access their mobile money. India has reduced the number of nuisance messages with distributed ledger technology (DLT), which you may remember was the overhyped technology before AI became the overhyped technology. But India’s case shows the hype about DLT was not just hype, because they are actually using it to do things other countries are not attempting to do. Perhaps the conclusion will be that implementing a messaging allow-list by a DLT is the wrong approach for the UK, but it should be considered as an option. Which leads to a banal but fundamental observation about another kind of silo affecting our ability to learn from experience: timezones. One reason why Singaporeans and Australians have anti-scam policies that are so far ahead of other countries may be that other nationalities are not prepared to get out of bed at a peculiar hour just to listen to the experience that Singaporeans and Australians can share.

Why We Need a Global Federation of Registries

We live in a multinational world. If scammers make money by sending messages which impersonate Amazon to recipients in one country, it will not be long before they try to impersonate Amazon in many other countries. Scammers waste no time in copying successful scamming techniques from one country. It takes longer for national regulators to learn about mitigations that succeeded elsewhere. The use of a registry to prevent the impersonation of major brands, like the SMS Sender ID registry that the Mobile Ecosystem Forum (MEF) operates in the UK, is an idea that is being copied a lot these days, not least because MEF has spent so much time explaining the concept to regulators. The copying of this idea is a good thing, because it is a good idea. That is why the response to Ofcom’s consultation that I am writing on behalf of MEF will state that a country is better off having any registry than having no registry. However, we live in a multinational world. Having hundreds of different registries that each have hundreds of different rules would add a lot of complication to the task of preventing the same essential frauds.

Regulators are not suited to aligning their rules with each other, and are even less suited to creating spin-off institutions that work seamlessly across borders. This is why self-regulation executed via nonprofit organizations can often be the best way to tackle international problems afflicting the communications sector. What the global communications industry really needs is a global federation of registries, so companies like Amazon can have a one-stop-shop for registering their names, logos and the particulars of the communications they will send, whilst agreeing to be subjected to the most rigorous KYC checks at the same time. The more we can unify the performance of KYC, the higher the standard that can be achieved without also increasing the cost of checking KYC. I hope that national regulators will keep this in mind when contemplating whether they each want to run their own registries, and hence become responsible for the associated KYC. Creating a federation of registries is one kind of challenge that is best outsourced to nonprofits which are as multinational as the businesses listed on their registers. It would encourage a consistently high standard for KYC checks, and would leave fewer gaps between silos.

Australia’s Anti-Scam Philosophy Is Exceptionally Well Rounded

I am getting bored of singing the praises of the authorities in Australia, but I have to keep doing it because their thinking about how to tackle scams is so advanced. The government’s proposed scams prevention framework applies a nested approach to regulators, each of which has responsibility for implementing a consistent anti-scam strategy. The aim is to ensure businesses across multiple sectors will all have the same aligned responsibilities for tackling scams whilst their regulators are motivated to work together instead of arguing over who has jurisdiction over which mitigation for what kind of scam. The Australian Competition and Consumer Commission (ACCC) becomes the super-regulator with overall responsibility for tackling consumer scams, with other regulators accepting delegated responsibility for overseeing the particular organizations that lie within their domain. This means the Australian Communications and Media Authority (ACMA) will enforce the rules for the communications and media sector (duh!), the Australian Securities and Investments Commission (ASIC) will enforce the rules for the financial sector, and the door is left open to enroll other regulators in similarly subordinate roles to the ACCC if it becomes apparent that other kinds of organizations also need to take more responsibility for stopping scams. The philosophy is clearly designed to counter the problems otherwise created by too many legal and regulatory silos.

Each regulator will be responsible for fleshing out the details for the sectors they oversee, but each should adhere to the same six principles when setting expectations for the organizations they regulate.

  • Prevent: activities designed to stop scams before they occur
  • Detect: monitoring and identifying when scams occur
  • Disrupt: halt scams in progress
  • Report: share information about scams with any relevant party
  • Respond: listen to the experience of consumers and address their complaints
  • Govern: organizations publish an explanation of how they intend to satisfy the principles above

Governance includes making senior management responsible for adhering to new expectations.

Each regulated entity must develop and implement governance policies, procedures, metrics and targets for combatting scams. These must be reviewed, and certified by a senior officer of the entity, at least annually.

And most importantly, the framework promises tough penalties for organizations that fail to play their part in reducing scams. Civil penalties will be aligned across sectors for failing to meet the requirement to report, respond or govern, or for failing to take ‘reasonable steps’ to prevent, detect or disrupt scams. Much of the work for regulators will involve fleshing out the detail for what is considered a ‘reasonable step’ to prevent, detect or disrupt wildly different kinds of scams, including any new ones. However, there is a clear intention to tackle scams holistically and consistently, so society can use the broadest range of tools to reduce scams whilst spreading the burden evenly and fairly.

Auditing the US Robocall Mitigation Database, Episode 712

Regular readers of Commsrisk may think they know my opinion about the contents of the US Robocall Mitigation Database (RMD), but I only share a tiny proportion of the crap I find in there. To recap, the RMD is the kind of thing you get when one country decides it will get many entities worldwide to all register their details so they can be vetted and the public protected, but has no serious plan for the actual checking of the register and vetting of the (mis)information it contains. Whilst I have previously highlighted the the inept scrutiny of data stored in the database, I will reiterate the point because any auditor worth their salt should immediately see what is wrong with the following entry, which was added to the database last week.

Business Name: bhavesh

I was a professional auditor, but you do not need to be a professional auditor to notice this name is suspicious. It does not sound like the name of a business. It sounds like the name of a person. And that is exactly what it is. It is the first name of the person who submitted the entry, not the name of the business. I can deduce this by observing the name of the business per this RMD entry is the same as the name of individual who is the FCC’s contact for the business, which is the same as the name of the CEO of the business, but is not the name of the business displayed on the website of this business.

You might say this does not matter. I think it matters. The supposed purpose of the RMD is make it difficult for liars to lie about things. I am not suggesting Bhavesh is a liar, though he was a bit lazy with capitalizing his own name. He probably just did not read the FCC’s form correctly. But FCC employees are so lacking in curiosity that they do not instantly see there is something wrong with this entry, then how will they ever identify a determined liar? This RMD entry is wrong because there is no business with this name providing communications services, but somehow this entry exists. The RMD exists to support industry-wide know-your-customer (KYC) checks, so it is a sorry state of affairs if the quality of the industry’s KYC is so low that there is not even the expectation to get the name of the customer correct.

You already know the telltale weaknesses of scammers. They make spelling mistakes. Their corporate websites look like they were constructed using stock images and Windows 95. I do not wish to be rude about Bhavesh. He may be a busy guy. But he does make a lot of spelling mistakes. And the last time I saw such a ropey slow-loading website, I was using Mosaic as my browser. Some would consider these to be warning signs.

Just the few minutes spent doing research for this piece would have been sufficient to call Bhavesh and have a friendly chat with him. Asking him about the name of his business would have been an easy opportunity to see if his business is genuine, or whether he made a few mistakes with his RMD entry. I have not done that; it is the wrong time of day for me to call Bhavesh’s number in New Zealand, and I am not paid to do the FCC’s work for them. But if somebody at the FCC had contacted Bhavesh then any mistakes with his RMD entry might have been fixed immediately. Evidently they did not contact Bhavesh, although the main purpose of the RMD is to have a list of phone numbers so you can call people if something goes wrong. Which begs another question: if the names can be wrong, how can we trust the phone numbers in the entries?

I read Bhavesh’s robocall mitigation plan, and it was bad. It was not the worst; he actually did write some sentences about things that sound like mitigations of nuisance robocalls. The main difficulty was that Bhavesh’s robocall mitigation plan begged many questions about compiling many unexamined documents in a big database that is never scrutinized by anybody but me, and only by me when I feel like making fun at the FCC’s expense. The three most common words in Bhavesh’s robocall mitigation plan are: “upstream”, “provided” and “carrier”. That is because each of the mitigations in Bhavesh’s robocall mitigation plan were provided by the upstream carrier. So that suggests Bhavesh is an honest fellow who is telling the FCC how things really are. But it also means the FCC has learned nothing that it would not have learned by asking the upstream carrier how they mitigate robocalls.

To be clear, my guess is that Bhavesh is somebody who runs a small business and who put only a little effort into his RMD entry because the FCC puts even less effort into checking the submissions it receives. Currently the FCC is consulting on whether to introduce fees for people registering with the RMD, so the money can be spent on performing checks of the quality of the entries in the database. On the one hand, they obviously need to spend more money on checking the entries in the RMD. On the other hand, do we trust the FCC to spend this money well? And on the other other hand, how many small businesses will try to skip this fee by asking their upstream provider to do it for them instead?

The FCC makes a fair point in their consultation on RMD fees: they will not get decent quality control checks without spending some money on controlling quality. What a shame that did not occur to the FCC when they told the whole of the USA that STIR/SHAKEN guarantees calls are authenticated, although nobody was told to spend a single additional penny on checking who was making those calls.

Other News

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email