Leeds. 11th and 12th March 2025: aql, a longstanding supporter of the UK’s Law Enforcement community activity into the prevention of fraud and digital crimes is hosting the milestone event for https://www.tuff.co.uk/

In looking forward to the upcoming TUFF event it got me thinking about the challenges that aql and the wider telecoms industry are facing: Namely, fraud, public safety concerns and also the associated reputational risks that arise from being an operator in an industry which is experiencing accelerating threats from malicious use of communications technology.

aql was one of the first significant IP (cloud) telephony operators in the UK providing numbering to the industry.

We host over ten million of our own numbers across all UK prefixes (allocations of numbers in specific area codes) which can be selected and assigned by our resellers using our APIs (application programmer interfaces, or a way to link two systems together at the machine level). These APIs mean that our number choosing and allocation can be automated and integrated into third party customer-boarding processes seamlessly.

We’ve been doing this for the business telephony industry for two decades. We’ve never been a premium rate operator out of concern of the high scope for misuse of such numbers. 

One of the issues facing ourselves and the industry is to make sure we know who our customers are: both direct users and resellers (and their subsequent customers). 

In addition to strong commercial terms to assert to our customers the need for their legal and regulatory compliance, we believe it’s our duty to exercise diligence using innovative technical measures at our disposal. The scale of our operations mean that we are also able to gather threat intelligence data to help better protect ourselves, other operators and the public. And to provide this intelligence to the regulators for the benefit of the industry.

As one of the first telephony-as-a-service operators, we’ve worked hard to find ways using smart automation (sometimes known as “RegTech” – regulatory technology) to gather data to ascertain that both our direct users and any resellers are acting responsibly.  

This also extends to overseeing the access we allow for the secure updating of the 999 emergency databases, helping to ensure that the emergency services are supported efficiently and to provide location information wherever possible. 

Whilst we work hard to design automated checking and diligence processes, no process is entirely foolproof and we constantly work to learn from any of our own issues or from the industry.  

On rare occasions, numbers may get assigned to an entity that doesn’t share the same ethical standards as aql, resulting in the potential for these numbers to be misused. In those situations, the important thing is what we do about it (and also how we architect systems to ensure we know about it in a timely manner).

A significant challenge is public awareness and education: It’s still a common public preconception amongst many that “BT is the only operator”.  In reality, according to Ofcom data, there are 303 companies who have had blocks of numbering issued to them, which subsequently, are then issued to 7,692 resellers. So, the industry is far more diverse and complex than the public often realises and undoubtedly harder to regulate and protect public interest and safety.

What does this mean for aql and other similar operators?  

If a member of the public receives a nuisance/malicious phone call, the first thing they tend to do is Google for the number and/or gain information from websites such as https://who-called.co.uk (or sometimes get the data through aql’s own network lookup (Google for “network lookup”), you’ll find us, we’re one of the most referred to self-help public portals).

If someone should receive a nuisance call from an “aql owned phone number”, most members of the public would not make a distinction between the operator who owns the number (us) and the organisation making the call. They may not have heard of aql in the retail space and therefore assume that aql has made the call to them. (aql don’t run call centres, nor do we make unsolicited calls, ever!).

This is much in contrast to the public’s perceptions should they receive a nuisance call from a BT number: The assumption is, that it was a malicious third party making the call using a BT number! 

How do complaints manifest themselves? Should we report to Ofcom? The police?

Unfortunately, it’s not clear to the public where they should go to report their issues. If it’s directly abusive or threatening – Dial 999.

In many cases, recipients of unsolicited calls simply add a negative Google review about the company which owns the number allocation.  When others go online, they see the complaints, which further fuels others to draw the same conclusion, who then in turn, leave a similar review. This also has the effect of diverting the complainants’ efforts from reporting the issue to the police or Ofcom. They leave reviews on Google, meaning this is then a complaint that does not get reported formally or acted upon.

We’re trying to break that cycle and change public understanding: 

• By working closer with Ofcom and the industry to drive real-time information flows on any public complaints. We’re proactively collaborating with the regulators to speed up the reporting process. The quicker a complaint reaches us, the quicker we can act, whether that’s to deal with the issue directly or to confirm that the number is not under our control. 

• By working proactively with Ofcom (and their nuisance calling initiatives), the Department of Science Innovation and Technology (DSIT) and also the Telecommunications Fraud Forum (TUFF). And of course, the UK Law Enforcement community. We’re also keen to talk with the “Who Called” sites to engage and work out a more accurate way of diagnosing the source and nature of a complaint.

• By evaluating objectively. Telecoms misuse is very subjective: We can’t simply turn off a phone number if asked to by a complainant. The complaint may be vexatious – imagine if we turned off your business(!). We have to investigate and or pass the matter to the police ourselves.

• By being transparent. We’ve nothing to hide: we’d also urge any complainant if they are highly concerned or feel that a call was a threat, to ALWAYS report the matter to the police. The police know how to contact us and there are strong processes in place to handle investigations and escalations. From a public perspective, the perception is sometimes that “aql does nothing”, but once a number is part of a criminal investigation, there can be no further discussion or update other than by the police: If we were to make any comment we could prejudice an active investigation. 

At aql we take our roles and responsibilities seriously. Using our insights into the industry, we designed, built and hosted the UK’s first system for telephony related crime escalation, serving the UK’s law enforcement community and entire telecoms industry with live data supporting more effective crime fighting and public safety.  

The challenges we are seeing in the UK are accelerating and the only way we will all solve these issues is with well architected technical measures and industry-wide collaboration.

The shape of the challenge.

From our own data, plus reports by industry platforms such as the various “Who Called” type of websites, we’re seeing that the main industry challenge is not from the direct (or indirect) end users of companies such as aql, who’ve purchased telephone numbers. We have strong commercial terms and stipulations with our resellers. Similarly, to purchase even a single number directly from us relies on a very well checked e-commerce transaction with advanced cross-checking. 

Who called?

It must also be noted that many of the “Who Called” sites are funded by advertising. Closer collaboration with the industry could perhaps include funding for them by industry or the regulator, so that they could focus on providing a service which does not have to attract advertising views.

Whilst these sites can be useful in some cases, they can also be misleading. For instance, from our own research across a significant sample set of our own number inventory, we see complaints about numbers on the “Who Called” sites which have never been allocated by aql to a customer or reseller, or even worse, a number allocated to a perfectly legitimate aql customer.  

In such instances, the reason for the complaint is not the action of the number-holder but the actions of a malicious third party spoofing that number.

How does call spoofing work?

When a call is spoofed, a malicious party uses a third party operator to make a call using the calling line identity (CLI) or number belonging to another operator. In other words, they make a call from a phone number that they don’t own. The CLI is the number that appears on your handset, i.e. the phone number of a company or person.  

When the number is looked up via a “Who Called” service online, the complainant is told who the original number allocation was assigned to via Ofcom.

One-way calling.

If the number that has been spoofed has not been allocated to any end customer at all, it’s likely that if you call it, you’ll receive “this number is out of use”.

In some cases, a number that’s being spoofed could belong to an unwitting business (like a pet shop or a hairdressers) or in some cases it may even be a business that is related to the purported intentions of the call scam, such as an insurance company. This is harder to track and report.

Telephone number spoofing is a technical measure which was created for valid reasons, because some businesses will legitimately use different outbound (calling) providers than inbound (being called) providers. However, this functionality can be abused and very few of the public are aware that they can’t trust CLIs.

Covid didn’t help.

During the rise of the pandemic there was a need for rapid communication: We’d never prepared a masterplan to manage dissemination and information gathering at volume. 

However, we all recall narratives such as “The NHS will only ever call you from 0300 013 5000”, or you will only be texted from “NHS” (also easily spoofed). Unfortunately this did nothing to help the unwitting victims of malicious calls on these numbers. The campaign at the time created a sense of comfort to disclose personal details, details of vulnerable relatives and those they’d spent time with. A perfect storm.

You’d be right to ask the question: “Surely there’s a block list for important numbers to stop them being sent/spoofed from other operators?” The answer is “yes, in part.” There’s something called a DNO (do not originate) list, which is shared between carriers.  This is a manual process via lists of numbers sent by Ofcom to the UK telecommunications operators (such as ourselves) to prevent calls being made from certain numbers. The industry does hope to automate this (if you’re a notable institution, contact us and we can help get your numbering on the DNO list). 

However, during COVID, many numbers were, to our knowledge, not added to the DNO list.  This meant that any operator could spoof/present that CLI and purport to be from the NHS.  

It’s believed that one of the reasons that many important numbers weren’t added to this list was because the scale of the need for communication was large and the service was decentralised using multiple telecommunications operators. 

This serves to highlight that this system, similar to many of the systems the industry has to help protect the public, is not scalable and we need to all think again about how we address the issues.

aql was built as an enabler-innovator to help solve tomorrow’s challenges and around 20% of our technical resources are spent on research and development into fraud prevention. We also have patents in this area. We see this future facing issue as a challenge we wish to meet head on and to look to architect systems and processes to tackle fraud and misuse.

Spoofing – Now we know what it is, how do they do it?

The rise of spoofing has accompanied the move from traditional telephony, where a phone number is hard-coded to a particular telephone exchange, to a digital internet-based system where any number can be hosted and used anywhere, in the same way that a website can be hosted anywhere in the world and accessed from anywhere. The protocol that delivers web pages is called “HTTP” (hypertext transfer protocol) and its telephony equivalent protocol is “SIP” (session initiation protocol).

If a malicious party can get access to a SIP telephony account with an operator, calls to unwitting victims can be initiated and in many cases also automated from any line identity numbers.

There are accelerating technical measures being put in place by UK operators to prevent overseas operators from pretending to call from UK numbers. Whilst this is the default rule, global business creates the need for loopholes or allowances to support overseas call centres run by UK enterprises.  

The result being, there is always the possibility of exploiting these exceptions.

There’s also stronger technical measures being adopted, which validate the originating network of the call to provide more forensic traceability (of the call). This helps to eliminate what’s known as “grey routing”. 

Grey routes, or routing, is a process where malicious third parties in overseas networks use mechanisms to gain access to the capability to make calls in the UK from an overseas operator. These routes are being exploited and shut down rapidly, but the automated tools that are used to find these routes are tireless.

aql also goes further and uses AI and web bots to check for the sentiment relating to each of our phone numbers in relation to information published across the internet. 

If there’s ever been a public complaint left online, we try to find that information and use automated means to ascertain whether it’s a direct customer of ours, or a reseller, or most commonly, where the number is not in use by us but being spoofed by an anonymous third party. The fact that there are complaints online for numbers we have never sold is important information – that spoofing is significant in the UK. 

This online approach involves looking up millions of our phone numbers against billions of search results, but this technology is available to us and we must use everything available in our armoury.

How do sites like “Who Called” work? 

All of the telephone numbers assigned in the UK and to which operators are published by Ofcom and are freely downloadable from their website.

These can then be used to provide online  look-up database services such as “Who Called” type sites. We’re trying to work with the operators of such sites to gain real-time information about complaints but also provide information back, such as whether the number has ever been sold by us (if it’s one of our numbers and has never been sold, the issue lies elsewhere!).

Porting is also an issue.

aql has found numbers that were originally assigned to us by Ofcom that are the subject of public complaints but have been ported away from aql to another operator.   

Porting is where an end subscriber chooses to move to a different telecommunications operator. In these instances, the responsible telecoms operator for that number changes to the new operator. However, the number would still be listed by Ofcom and “Who Called” sites as the original numberblock operator, creating issues to follow the trail to investigate complaints.  

Back in 2012, an industry initiative called NP4UK was formed between founders, aql, Gamma telecom, Sky and others. The purpose of this was to create a not-for-profit entity that would manage the real-time porting of UK landline numbers along with providing industry information as to which operator was currently providing services on which numbers. Although it stalled, this project established a need for real-time visibility of which operators are responsible for which numbers.

The challenge of spoofing has been difficult to articulate to the public en masse and operators such as aql have on many occasions been accused of either being perpetrator or facilitator of the end user upset or worse. 

This goes against our founding vision, our values and everything we stand for. Our mission is to provide services which make life better.

The team at aql are long standing friends to law enforcement, helping design and implement technologies to protect the public at scale. Fraud is not just organised crime, it also extends to disruption and distraction techniques from hostile states, global bad actors and other hidden adversaries to cause confusion and erode the economy.”

 Andy Beet OBE, Chief Executive of the Telecommunications Fraud Forum commented “I’ve worked with Adam and his team not only in my current role at TUFF, but also for nearly 20 years in my law enforcement roles related to telecommunications, digital forensics and fraud. He’s given his time and expertise freely to help build systems and processes for the benefit of the telecoms industry and the safety of the public”.

In March, aql will be hosting a two-day TUFF industry anti-fraud event in Leeds at our historic HQ, to mark the 30th Anniversary of the organisation. At this event, we’ll be showcasing the work we’ve been doing with TUFF and OFCOM including real-life fraud examples, mitigations and knowledge sharing with members of our industry and law enforcement community.

Is spoofing the only issue to worry about?

Sadly not. So far, we’ve only talked about calls being spoofed from landlines (and this applies to mobiles too by the way). Although, it’s particularly fruitful pickings for the scammer to target landlines. Many residential landlines still in use by UK subscribers are the homes of the elderly and vulnerable, making them prime targets for malicious exploitation. 

Ourselves and the industry are constantly looking at how we can pattern-spot any usage of our outbound calling that is fishing for the vulnerable. The industry has a long way to go in terms of collaboration in this respect. Scammers don’t care about the “telephone preference service” and once they have found a route that allows them to spoof CLI’s, it’s open season.

Man in the middle.

As if it weren’t bad enough dealing with spoofing, there’s a proliferation of telecoms services”self-build sites, where a malicious subscriber can build a complete fake business including IVR (interactive voice response – the complex voice menus that large corporations have). They can also build-in call recording.  

This can allow “man in the middle” functionality scams.

Imagine if you had a call (apparently) from the bank on a new, but similar number. Let’s name this caller Chloe.

Chloe tells you this is the direct number to reach her or the team. In fact, it’s a number which has been purchased fraudulently.  

If you call the number back, it forwards you to your real banking team on their real number. What you don’t know is that your call is being recorded by a malicious third party and every time you disclose the 4th, 3rd, 5th or 2nd letter of your passcode, you’re filling in the gaps. 

It doesn’t matter whether it takes weeks, months or years. Once they have this, they have access to your account. Luckily, many of our banking clients are also implementing defence in depth including voice recognition and two-factor authentication to help overcome such sophisticated attacks. Always and only phone your bank on their main number, never be pressured by any call.

Everything we can do, machines can do faster.

The future is bright and it’s not all risk and threat. As the telecoms industry migrates from legacy systems known as the public switched telecoms network (PSTN) to a purely digital IP network, this also allows the development of stronger security measures to further protect the public by the use of AI in self-learning security technologies.

However, we’re going to see a rise in sophisticated, AI driven criminality. aql and the industry need to ensure that not only are we aware of the threats of such technology, but that we, as an industry, have all of our operational data in a form where we can access it and allow it to be leveraged by these new technologies to identify malicious practices and bad activity.

Show and tell.

There are already fora for the exchange of best practice. One of which is the Ofcom Nuisance Call (Technical Measures) group. aql are a longstanding participant in this forum. The UK regulator (and ourselves) are keen to support cross-industry collaboration to help identify malicious and criminal activity earlier.

This collaboration is key, because, for example, aql’s network is entirely business-to-business end users, whereas some operators are almost entirely consumer focused. It’s the consumers who are being scammed and targeted, so, it’s important that we work together, along with UK law enforcement to ensure that information is shared in a timely manner between all parties.

Energy wars. 

Fraud takes digital effort by the malicious party. It takes approximately twice that effort to detect it and act on it.  As fraud moves from the scripted domain to the AI domain, the main digital effort is computational power. 

The raw material for computation is electrical energy. It takes much more energy to detect and protect from fraud than it does to initiate it.

As telecommunications operators we have a duty to protect the public and also to use energy in a responsible manner.  

This means we must cast our collaboration efforts wider: We must work with government, regulation and the energy industry to ensure that our compute impact carries a cost which is in balance with our desired outcomes and which is also long-term sustainable. 

We must acknowledge that our industry is the conduit for election fraud, identity theft, fake news, fake documentation: all of which are erosions of of society.  

Not only less bad, but more good.

As communications providers, we need to ensure that we support and work with our innovators to not only develop the technologies to minimise the effect of bad actors, but more importantly to create the supporting technologies to enable more good, supporting health, social cohesion, connectedness and community.

What’s next? We’ll be next talking about SMS text messaging, the regulation, controls and cyber risks associated with the use of this mobile medium and how the technology works and has been built. We’ll also be talking about the work we’re doing in building provenance and trust systems to underpin security of communications data and the growing world of the Internet of Things.

-ends-

About the author: Professor Adam Beaumont is the founder and Chairman of the aql group of companies. Prior to this, he built secure communications for the UK government and defence. He’s an active investor and innovator and pioneered the phrase “TrustTech”. He has a PhD in thermodynamics and is a passionate advocate of the circular economy for climate benefit.  He’s also a Hon Group Captain in the RAF and the Honorary Consul on behalf of the Republic of Estonia to the UK and Isle of Man.  

Sources

1. https://newsroom.shropshire.gov.uk/2020/06/nhs-test-trace-scam/
2. https://niccstandards.org.uk/wp-content/uploads/2021/04/ND1447V1.1.1.pdf
3. https://www.ofcom.org.uk/siteassets/resources/documents/consultations/category-2-6-weeks/232897-improving-accuracy-of-cli-data/associated-documents/cli-guidance-annex.pdf?v=328767
4. https://www.ofcom.org.uk/phones-and-broadband/phone-numbers/numbering-data/