back to article Ofcom issues stern warning over fake caller number ID scam

Telecoms regulator Ofcom is warning customers of the dangers of CLI spoofing – the process which allows incoming calls to display fake originating numbers on recipients' phones. The organisation has pointed out that there are valid reasons for spoofing – “for example, a caller who wishes to leave an 0800 number for you to call …

Page:

  1. Anonymous Blowhard

    "Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences."

    Sound advice; are you sure this came from Ofcom?

    1. Vic

      Sound advice; are you sure this came from Ofcom?

      Sure. It was their phone number, anyway...

      Vic.

  2. AndrueC Silver badge
    Meh

    "Never give out your personal information in response to an incoming call"

    And what's the first thing Barclays says to you when they call? "Can you confirm your date of birth, please?"

    To be fair when you object they will then suggest you call them with a reference number or using the free built in messaging facility of their phone app but it still seems unfortunate that their default position is to ask for personal information on what is essentially a cold call.

    1. Doctor Syntax Silver badge

      I never was a Barclays customer but when I was an HSBC business customer I used to get calls purporting to be from them wanting identification information. I always asked them to prove who they were. They never offered any proof. If a cold caller can't prove who they are before asking for any information always assume they're faking it.

      1. Anonymous Coward
        Anonymous Coward

        "Hello can I speak to Mr A Coward, please?"

        "Who's calling please?"

        "XYZ Bank. It's a personal call."

        "Ah, OK. Mr Coward speaking."

        "Can we go through some security?"

        "Sure, what's the pence balance of my account?"

        "I'm sorry Sir, we have to go through your security. What's your date of birth?"

        "Now, hold on a cotton-picking minute ... you called me! How are you going to prove you are XYZ Bank?"

        "Err ... we don't have a way of doing that."

        "OK fine. So never call me again *click*"

        1. Badvok

          Re: "Hello can I speak to Mr A Coward, please?"

          I had that exact conversation with a certain three-letter bank several years ago, needless to say that I don't bank with them anymore.

        2. SImon Hobson Silver badge

          Re: "Hello can I speak to Mr A Coward, please?"

          HSBC used to do that with me. I made "something of a nuisance" over it and they agreed it was "rather a silly thing to be doing".

          It didn't stop them doing it though - all they did was flag my account for "no sales calls". AFAIK they still use the same "forget all about good security practice" technique with others.

          The one exception to that is when there was some suspicious activity with my card. The lady that called had no problem with me not answering any security questions, now calling back at the number she started to rattle off. The only problem was that she wasn't allowed to give me any information whatsoever, so when I did call back on the bank's published number, it took a while to get through to the right department.

          And of course, you get that certain "looks like a bank but isn't so you don't get those protections" PayPal that keeps sending out their spam about checking your account and stuff. Doing exactly what all good advice says not to do - providing a link in the email for you to click to access your account.

          No PayPal, just including my real name does NOT prove that you sent the message, nor does it prove that the link you included is to your official site.

          I've come to the conclusion that the marketing cretins have more clout than the security people at pretty well all the financial institutions I've dealt with over the years.

          1. tfewster Silver badge

            Re: HSBC

            A couple of times when HSBC called me, they had an authentication method for both sides, e.g. they would tell me my month of birth and ask me to confirm the date; Or tell me a standing order payee and ask me to confirm the amount.

            I seem to recall I'd made a nuisance of myself before that by refusing to give info to a caller (allegedly) from my bank, so it was a big improvement (if still not perfect).

          2. Anonymous Coward
            Anonymous Coward

            Re: "Hello can I speak to Mr A Coward, please?"

            Don't get me started. I've had the whole "can we just ask you for some security" bollocks. Of course I said no. They suggested I phone them back. Let me just check, said I, this isn't a sales call is it? Oh no, certainly not, says the bank. So I phoned them back. It was a sales call (can we just review your accounts). OK, I said, review away, but first, please transfer me to your complaints department.

            Banks need a score way to communicate with customers. This isn't it. Why popular messaging apps don't take the opportunity to solve this with a user-friendly approach to PKI is a mystery to me.

          3. Terry 6 Silver badge

            Re: "Hello can I speak to Mr A Coward, please?"

            I've come to the conclusion that the marketing cretins have more clout than the security people at pretty well all the financial institutions I've dealt with over the years.

            Sigh!

            Pretty much all organisations if my experience is anything to go by

    2. Lee D Silver badge

      You think that's bad? I ordered two beds from Bensons for Beds (now on my permanent blacklist). One was missing over 50 individual parts.

      I called to complain, they wanted all the details known to man. In the end, they refused to send me a kit of the replacement parts (for free) because my girlfriend paid with a card and works in a hospital job where she can't use a phone during the day. They refused to send our replacement parts - to the DELIVERY address that the beds had already been sent to - because of "Data Protection".

      Needless to say, I spoke to MANY people at their customer services department that day. When one then eventually phoned me back, they asked if I was Mr D. My response? Sorry, I can't tell you that - Data Protection, you know. (Fortunately THAT guy had a sense of humour and just said "Ah, yes, I'm definitely talking to the right person then!").

      Banks do it all the time. I phone them back on the bank number (if it's 0800 of course) and let them chase who it was that needed to speak to me. But even companies are doing this same kind of junk for the simplest of things.

      Unfortunately, they ALL have absolutely zero concept of Data Protection anyway, not to mention they really don't care about your security. Why? Well, that side of it is your liability anyway. If someone nicks the banks database, they care about that. If someone finds out your date of birth or they talk to the wrong person, they couldn't care less.

      1. Doctor Syntax Silver badge

        "Needless to say, I spoke to MANY people at their customer services department that day"

        Why didn't you mention the words "small claims court"?

    3. georgied
      Happy

      Give them their own password

      I hated the quandary of disclosing information to them as well. So I wrote to them and gave them their very own password, which I'd challenge them for. They stopped calling. Probably because they had no provision to store a password. It's probably buried deep in my notes somewhere..

      1. Anonymous Coward
        Anonymous Coward

        Re: Give them their own password

        The HBOS online validation of credit card transactions had a phrase you created when you initially registered. That phrase was displayed with the request for your private code. It gave some confidence it wasn't being spoofed.

        1. Lee D Silver badge

          Re: Give them their own password

          "The HBOS online validation of credit card transactions had a phrase you created when you initially registered."

          That's a VISA / Mastercard thing - SecureCode or whatever. The banks have no access to those details, as far as I know.

          This is precisely the kind of thing they SHOULD have, and don't. But that's not the bank that you're seeing there. It might even have the bank logo, etc. And if the bank doesn't want it (e.g. Halifax), those screens just zip through and say "authorised" immediately anyway. But it's not the bank that is storing or showing that phrase to you.

          "arcot" in the URL?

    4. Julian 8

      Ask them a question back

      I then ask them a question which they should know from my records

      If they don't know I cut them off.

    5. Anonymous Coward
      Anonymous Coward

      It was quite useful when I had debt collectors chasing me (on a false accusation) - they'd cold call me and ask for personal details to confirm I was who I said I was. I would ask them to prove who they are first and that they have the right to know my info. They didn't have a mechanism to do that, so I then said "OK, I can't talk to you then. Don't call me again unless you can prove who you are."

      That put them off for a couple of weeks.

      Rinse, repeat with the added threat of legal action for harassment.

      They eventually gave up when I said "OK, let me know which court you want to use and I'll see you there" (I was feeling generous at the time!)

  3. A Non e-mouse Silver badge

    Block sources from abroad.

    One way to reduce the abuse of this is to prevent UK CLIs being sent from phone systems outside the UK. Sure, it'll affect all those overseas call centers that we all love using, but isn't it a small price to pay?

    I know this won't be 100% effective, but surely it'll cut down a lot of fake CLI calls?

    1. Your alien overlord - fear me

      Re: Block sources from abroad.

      Trouble is, all those junk callers use UK SIP service providers so they are 'technically' calling from the UK.

      The solution is to only allow CLI from numbers you own, so if someone wants to use an 0800 CLI number, they must 'own' that number else the actually physical one gets shown.

      1. Anonymous Coward
        Anonymous Coward

        Re: Block sources from abroad.

        "so if someone wants to use an 0800 CLI number, they must 'own' that number else the actually physical one gets shown."

        Unfortunately this is not how it works in the real world.

        Say you are an outsourcer for a company (could just as easily be a UK call centre instead of an offshore one) and a customer requests you send their number, be it a Non-Geo or not, you send this.

        In the UK your normally sign a consent form for your carrier to allow it.

        So the answer would be to say unless you are using a carrier using an approved code of conduct, we won't present the the ID.

    2. Anonymous Coward
      Anonymous Coward

      Re: Do it!

      You'd stop mobile roaming from working if you did that.

      I don't know how you'd police it either. Ofcom can't make laws for other countries.

  4. Pen-y-gors Silver badge

    Tracing?

    "Ofcom...was stopping nuisance calls at source through an agreed call-tracing process"

    Curious...for years BT have been saying they can't trace incoming overseas 'nuisance' calls. What's changed now?

    1. Graham Marsden
      Meh

      Re: Tracing?

      I think when then said "can't", what they meant was "can't be bothered to".

    2. Anonymous Coward
      Anonymous Coward

      Re: Tracing?

      Most incoming international calls don't hit BT's network, so I'd imagine that's why BT couldn't do it.

    3. PatientOne

      Re: Tracing?

      It's to do with call routing: BT charge the previous sender for handling the call (pass it on to another network or connecting it to your phone line). The previous sender charge whoever was before them and so on until you get to the source carrier/provider who bill their customer.

      Even though modern switches can pass on the CLI, not all sources have modern switches, and not all providers from outside the UK will pass on CLI data, so you'll see more 'international call' notices than actual foreign CLI data.

      Now, what BT an other carriers *could* do is give you the option to block ALL 'international' and/or withheld numbers. They *can* do this - their equipment has that capability, but they *don't* because doing so costs them money (they don't connect the call so they can't charge for handling the call), unless you can provide evidence you are a 'vulnerable' person (court order or get the police to hassle BT for this) or... you know someone working for BT and so know who to talk to about it. If you do push them then they generally reply by saying that blocking all such calls may block a call you *may* want.

      Oh, and it's coincidental that BT also produce phones with 'Call guardian' that can 'block' withheld and international calls. Well, not block, but hide - the line is still in use, you just don't hear the phone ring.

      1. Graham Marsden

        @PatientOne - Re: Tracing?

        > what BT an other carriers *could* do is give you the option to block ALL 'international' and/or withheld numbers. They *can* do this - their equipment has that capability, but they *don't* because doing so costs them money

        Interesting, I didn't know that, which is why I've always resisted implementing Anonymous Call Blocking on my phone because I would have to pay for it.

        I may rethink this now.

  5. Warm Braw Silver badge

    "Telecoms regulator Ofcom is warning customers of the dangers of CLI spoofing"

    Well, perhaps "Telecoms regulator Ofcom" should instruct network operators to suppress the reported CLI in the case that the originating network can't/won't verify it - at least as a default option for consumers. We're basically talking international and VoIP calls, the majority of which outside the rarified corporate world seem to be scams anyway.

  6. Anonymous Coward
    Anonymous Coward

    RBS simply use Unknown number

    Somebody should tell Royal Bank of Scotland.

    Somebody phoned me on Saturday claiming to be from them with an 'Unknown' number. I wouldn't talk to them and then looked up their help pages.

    Surprise, surprise. "If we phone you the number may register as Unknown".

    Very secure.

    Considering they have my mobile number and send me regular texts surely it is not beyond their wit to do some form of 'we are texting you to let you know we will be calling you today and person will know x about your account and identify themselves as probably legit with y.

    1. Steve Davies 3 Silver badge

      Re: RBS simply use Unknown number

      Coming soon, the SMS invitation scam

      None of the methods are safe.

      The only way is for you to call them. Let them SMS/phone you. Then you call them. Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work.

      Then the only solution is to go into a branch. Yeah right. Now where's the nearest branch of my Bank?

      What if there isn't one. eg First Direct.

      1. Doctor Syntax Silver badge

        Re: RBS simply use Unknown number

        "Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work."

        Of course it will work but only if they're obliged to do it which at the moment they're not.

        One test, of course, is to offer them incorrect information. If the call is genuine they'll know it's wrong.

        1. dajames Silver badge

          Re: RBS simply use Unknown number

          "Let them prove that they have the right information on YOU Not the other way round. Oh wait that won't work."

          Of course it will work but only if they're obliged to do it which at the moment they're not.

          It won't work because the bank have a duty of care to ensure that they keep your personal data confidential, so they aren't allowed to answer any questions that might reveal that information.

      2. Anonymous Coward
        Anonymous Coward

        Re: What if there isn't one. eg First Direct.

        Anytime I've needed a branch service from First Direct, HSBC (the parent of First Direct) have obliged.

        Anytime I've had an unexpected important/urgent call from First Direct to me (a handful of occasions over a number of years, usually relating to unexpected but actually genuine card activity, including one occasion in the last few months) they've been entirely understanding if I've said "no I won't take your call, I want to call you on a number you publish".

        Occasionally I get a routine call from them and I'm unable to take it, in which case they leave an automated message "routine call no need to call back" and they use a presentation CLI which is a published First Direct number.

        Happy customer for several decades (no other connection).

        [Exception: Their phone app setup could do with some improvement]

        YMMV.

      3. Anonymous Coward
        Anonymous Coward

        Re: RBS simply use Unknown number

        "Let them SMS/phone you. Then you call them."

        A proven security hole. They even suggest you call the bank. They then hold the line open and simulate a dialtone and ringing sound for your "call". You are then talking to the conmen who "confirm" the caller was from the bank - and they proceed to tell you you have to transfer all your funds immediately - or alternatively a courier will collect your "compromised" card shortly.

        1. Ken Moorhouse Silver badge

          They then hold the line open and simulate a dialtone

          So what you do is make a call to your Aunt Mabel before ringing the bank. If the conman can mimic her then I would be very surprised.

          1. Vic

            Re: They then hold the line open and simulate a dialtone

            So what you do is make a call to your Aunt Mabel before ringing the bank

            That's a definite improvement, but isn't absolutely secure.

            It would be a comparatively simple task to intercept any DTMF tones on the (still-open) line, and pass through the dialling info to another line - i.e. act as a proxy. In the event that the target bank number is dialled, you don't pass through...

            Vic.

        2. dcluley

          Re: RBS simply use Unknown number

          I get round that one. Most calls of that sort I receive are on my land line so I phone them back on my mobile.

        3. Alan Brown Silver badge

          Re: RBS simply use Unknown number

          > A proven security hole. They even suggest you call the bank. They then hold the line open and simulate a dialtone and ringing sound for your "call".

          1: That doesn't work on mobiles. Or if you make the call on your mobile when the original was on your landline or vice versa.

          2: Dialling a number other than the bank's should expose this one PDQ.

          The "hold the line open" thing only works for about 30 seconds anyway. Just be sure to hang up and leave it longer than a couple of minutes.

          1. Anonymous Coward
            Anonymous Coward

            Re: RBS simply use Unknown number

            "The "hold the line open" thing only works for about 30 seconds anyway. "

            That may be the case now for most (all?) UK telcos, but back when this thread was started (1955 or something) the "hold the line open" thing allowed people plenty of time to move between phones without dropping the call. More than 30 seconds, by a long way.

    2. Ken Moorhouse Silver badge

      'we are texting you .. we will be calling .. person will know x about your account

      Yes, but what if someone other than you answers the phone? It has to be information that is not in the public domain otherwise you're still none the wiser as to who is calling. Do you want that person to know what "x" is?

    3. Anonymous Coward
      Anonymous Coward

      Re: RBS simply use Unknown number

      "Somebody phoned me on Saturday claiming to be from them with an 'Unknown' number."

      Both my doctors' health centre and the local council offices use "withheld". They tell me they "cannot" put their known public number as a CLI.

  7. alain williams Silver badge

    It should be illegal ...

    for any company or other organisation to withhold their number. Indeed the number given must, when used to call back, result in a connection to the company. It it is found not to: then it will result in an immediate statutory fine of 5% of turnover.

    This would reduce the number of crap calls - eg PPI or 'you have had a recent accident' scammers.

    Exceptions for a worthy few like childline, samaritans, ...

    1. Irongut

      Re: It should be illegal ...

      Because making something illegal ensures it never happens.

      1. Paul Crawford Silver badge

        Re: It should be illegal ...

        Where as allowing it to remain legal makes it stop quicker?

      2. James 100

        Re: It should be illegal ...

        When you make a regulation for phone companies to stop third parties using a particular trick, it should be fairly effective.

        Mind you, they're all required to allow us to block anonymous calls, but BT and Virgin charge an unreasonable price for the option, while the mobile networks ignore the obligation completely (claiming the facility to reject each call individually using CLI was sufficient). On the other hand, they were all too compliant about providing 141 free of charge in the first place; perhaps prohibiting its provision on business lines would actually be obeyed.

  8. Phil O'Sophical Silver badge
    Thumb Down

    Toothless watchdog whimpers again

    also outlined the need for a long-term – as in five-year – plan to build rules for CLI spoofing into the regulations.

    And no doubt when these are complete, anyone who dares to infringe them will be given a severe smack on both wrists, and made to stand on the naughty step for at least 30 minutes before they can make any more phone calls.

    1. Anonymous Coward
      WTF?

      Re: Toothless watchdog whimeprs again

      Toothless? It's one of the few that actually has powers.

      Ofcom fines EE £1m over handling of complaints

      TALKTALK was hit with a £3MILLION fine from Ofcom yesterday.

      Silent call company fined £150,000

      Ofcom Fine ISP Unicom GBP200K for “mis-leading” Sales and Marketing

      Ofcom fines Ageas £10,000

      Ofcom has fined two companies a total of £40,000 for making abandoned calls.

      1. Vince

        Re: Toothless watchdog whimeprs again

        You say they give out all those fines.

        Let's put it in perspective.

        Ofcom gives EE a £1m fine.

        OK, well from the 6 month interim results from the end of July, EE turned over £3,116m

        Or in other words, a couple pence down the back of the sofa.

        Quite a small fraction of 1% of the turnover.

        I doubt they noticed.

        1. John Brown (no body) Silver badge

          Re: Toothless watchdog whimeprs again

          OK, well from the 6 month interim results from the end of July, EE turned over £3,116m

          Or in other words, a couple pence down the back of the sofa.

          Quite a small fraction of 1% of the turnover.

          Turnover != profit.

          On the other hand, their profits are not small either so I agree with you in principle.

      2. Anonymous Coward
        Anonymous Coward

        Re: Toothless watchdog whimeprs again

        Which of those companies isn't based in the UK?

        Not based in the UK = get away with CLI spoofing.

  9. Roland6 Silver badge

    Calls with CLI's beginning 04

    I find it interesting seeing just how many calls I'm getting from numbers beginning with 04 and other number ranges (specifically within the 03 range) that Ofcom haven't released.

    Ofcom coould quite easily require all operators to block any call that uses a UK CLI for a number that hasn't been officially released by and registered with Ofcom.

    Likewise they could make the operators do similar for other holes in the international number ranges.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019