20.5k unique visitors in the last 3 days

Spanish Government Launches Consultation on Tackling Telecom Scams

The three controls that get most attention are: blocking inbound international calls that spoof domestic numbers; creating a SenderID registry; and scanning the content of messages.

Spain’s Ministry of Digital Transformation is seeking opinions on potential new controls to protect consumers from scams that rely on voice calls and messaging. The consultation was launched last week and their discussion of potential methods is extremely succinct compared to the anti-scam consultations of other national governments and regulators, although it ambitiously seeks to cover more territory. The methods mooted by the consultation include:

  • Barring calls that match a national Do Not Originate list
  • Blocking of inbound international calls that spoof a Spanish phone number
  • A national SMS SenderID registry
  • Automated scanning of SMS content and the removal of dangerous URLs from SMS messages
  • Requiring telemarketing businesses to use a specific number range so it is easier for the public to identify, reject and block their calls
  • Prohibiting call centers from using mobile numbers as the apparent A-number for their outbound calls
  • A common database of unassigned phone numbers so their misuse can easily be identified
  • The potential for a STIR/SHAKEN-style national mechanism to prevent manipulation of CLIs after a digital signature has been applied

The consultation also enquires about potential new curbs on how websites are exploited by scammers.

  • New procedures to tear down phishing websites
  • Mandatory blocking of URLs on a national blocklist
  • A list of URLs which the public can continue to visit, but only after they receive a warning

It is worth reiterating how short and superficial the consultation document is, especially given the number and significance of the controls mentioned. This means anyone relying on a third party’s summary of the proposals is unlikely to get an accurate impression of how the Spanish government’s thinking compares to that of authorities in other countries. Ireland’s anti-scam consultation described their aspiration to implement a comprehensive new series of anti-scam controls in a well-written document that is 313 pages long. This new Spanish consultation asks for feedback about more controls than the Irish considered, but the consultation document barely stretches to 13 pages. Nevertheless, these are the few areas where the Spanish government has clearly applied more thought to the potential for an anti-scam control.

  • The questions asked about how to block inbound international calls that spoof a Spanish number are the longest and most detailed. Attention is paid to the issue of how such a control could be applied to mobile numbers without interfering with outbound roamers making calls back to Spain. The Spanish government also takes the unusual step of proposing the same kind of control be applied to SMS messages received from aboard, although my immediate impression is that such a control would be ineffective because scams perpetrated by SMS can much more readily be originated on a network within the country.
  • The potential for an SMS registry is the subject of several questions. Intriguingly, one of those questions asks whether the registry should be run by the public sector, the private sector, or a hybrid of the two. This suggests they are anticipating a registry will be implemented but want to see if there would be resistance to outsourcing the work to the private sector.
  • Almost one-third of the document is devoted to the potential to automatically scan SMS content in order to block smishing messages. Relevant extracts of Belgian and Polish law are quoted; these two European countries are the first to have amended privacy rights to permit the automated scanning of SMS content for the purpose of preventing smishing. This indicates the Spanish government would like to follow the lead of Belgium and Poland but is wary of the political blowback if the necessary changes to the law are widely seen as a threat to privacy.

Parts of the Spanish media have chosen to exaggerate the extent to which the consultation suggests artificial intelligence might be used to tackle scams. Given the brevity of the entire consultation document, journalists have chosen to hype this aspect for selfish reasons unrelated to the importance of AI to Spain’s anti-scam strategy. The Spanish government asks about so many possible controls, and describes these controls in such a superficial manner, that journalists lack the ability to explain their true significance to the public. Cheap controls that could be implemented within a few weeks are presented alongside expensive techniques that would take years to realize in practice, with no sense of the relative weight of each potential new obligation or how much benefit would be delivered in return. I hence expect that only a small number of industry insiders will be able to provide useful feedback to the majority of the government’s suggestions.

And it pains me to make this observation, but somebody somewhere is likely to treat this consultation as proof that Spain is about to implement STIR/SHAKEN, whilst failing to mention any of the numerous contrasting methods listed alongside. Decide for yourself if 144 words is sufficient to demonstrate a deep interest in the complicated challenge of CLI validation. Oddly, the consultation document does not even mention the implementation of STIR/SHAKEN by neighboring France, although the authors do refer to its use in Canada and the USA.

To reiterate, the consultation document is exceptionally short — you can obtain it here — but so is the time allowed for feedback. The deadline for responses is March 8.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email