Why the telecom industry needs to look at a multi-tier defense mechanism to combat illegal and malicious robocalls (Reader Forum)
Fraudulent robocalls are a menace across the globe. Many of these utilize call spoofing, a practice by which voice carriers and aggregators intentionally falsify caller ID information to gain an illicit advantage. Call spoofing enables many different types of fraud such as Wangiri (short or faked missed calls generated to leave a notification on the customers’ display prompting them to call back), social engineering calls (people claiming to be from a trusted company to obtain personal or financial information) and robocalling (where scammers use an auto-dialer that can originate millions of calls within hours). The intention behind these calls varies from simply maximizing the chances that the called party will answer the call to being part of a larger fraud scheme to steal identities, financial details and more.
Fraudulent robocalls are projected to cost customers US $40 billion in 2022, up from US $31 billion in 2021, according to a report from Juniper Research. The report predicts thatNorth America will be the region most afflicted by fraudulent robocalling, accounting for 45 percent of global losses this year, despite representing just five percent of mobile subscribers.
To combat the surge in fraudulent robocalls, the telecommunications industry is implementing several strategies. These include one of the prominent standards known as STIR/SHAKEN, short for “Secure Telephone Identity Revisited” (STIR), and “Signature-based Handling of Asserted information using toKENs” (SHAKEN). Developed and deployed in the US, the Juniper Research report recommends that other regions emulate STIR/SHAKEN to standardize stakeholders’ roles in reducing financial losses from fraud.
The STIR/SHAKEN framework uses digital certificates based on common public-key cryptography techniques to ensure that the calling number of a telephone call is secure. The deadline for implementing the framework for voice service providers in the US was June 30 last year (2021). The FCC issued a public notice stating:
“Those voice service providers and intermediate providers without an extension of, or exemption from, the STIR/SHAKEN implementation deadline that fail to implement the authentication framework by June 30, 2021, and those voice service providers that fail to file the required certification and accompanying information in the Robocall Mitigation Database by this date may be subject to appropriate enforcement action…. Beginning September 28, 2021, intermediate providers and voice service providers may not accept traffic directly from voice service providers that are not listed in the database.”
And yet Juniper Research shows the cost to customers from fraudulent robocalls increasing by some 30 percent in 2022.
So, what else needs to be done? Telecommunications providers are far from achieving spoof-free networks. Implementing STIR/SHAKEN standards is a step in the right direction. And while STIR/SHAKEN can be lauded for its advantages, it also has shortcomings.
Just utilizing the framework is no guarantee that service providers can detect and block fraudulent robocalls. STIR/SHAKEN is expensive to deploy, works only if all operators have it, and even then, is no guarantee of success. It also only works on IP-based networks and, therefore, cannot be a universal solution, as many areas still have non-IP telecom services.
Take the case of Ofcom, the UK’s communications regulator, which plans to fully retire copper lines and adopt VoIP from the PSTN by January 2025 as a step towards implementing STIR/SHAKEN. However, the UK does not have a national telephone number database of assigned numbers. Canada and France are in a similar situation.
Fraudsters are constantly seeking clever ways to bypass stronger security protocols and are quick to adapt to obstacles put in their way. Because these fraudulent calls can originate from anywhere in the world, nations and their legitimate telecom service providers must work together to create interoperable standards that can weed out the menace of illegal and malicious robocalls.
Robocall mitigation programs need to include detailed practices that can help stop illegal calls at the source, vet customers when establishing service, monitor traffic for suspicious calling patterns and take appropriate and timely action when fraudulent calls are confirmed.
The implementation of advanced analytical solutions within the telecom network, based on real-time signaling level analysis working in conjunction with machine learning, can provide a new proactive approach to identifying these fraudulent robocalls. When the system identifies a fraudulent or illegal call, the call can be canceled in real-time, so it does not reach its intended target. Suspicious calls can be tagged as ‘likely spam’ so the target ‘customer’ is pre-warned and can choose whether to answer or not. Similar to the way websites weed out ‘robots,’ a CAPTCHA system can also ask the caller to enter a random three-digit code in order to complete the call. Since this cannot be completed by an auto-dialer, these fraudulent calls can be automatically terminated.
STIR/SHAKEN does not currently cover SMS messages, so the industry should also look at how customers can identify spam messaging and receive real-time notifications about suspicious messages and block them accordingly.
Robocalls, auto-dialing, computer-generated calls — however they are described — are becoming an increasing menace. They are at best a nuisance, and at worst, the cause of significant financial loss to many scammed consumers. They are also hugely damaging to the reputation and revenue of communications service providers.
To address the issue of fraudulent robocalls, communications service providers need to coordinate on a global basis to address this issue. Regulators must also come together and study the effectiveness of STIR/SHAKEN’s standards and other efforts at mitigation, and then agree on a clear and aggressive strategy to shut down these criminal activities.