By Staff Writer
While not a new problem, caller line identification overstamping is on the rise in Australia. The practice is better known as telephone spoofing and involves changing a caller ID to make it look like the call or text comes from a trusted or legitimate source.
Unless used for malicious purposes, spoofing is not illegal in Australia. An Australian company with a call centre based in India might use spoofing to create a local caller ID. But the wave of spoofing now taking place across Australia is not from legitimate sources.
Telstra says it is now blocking over 13 million suspected scam calls per month – twice the number the telco was blocking earlier in 2021. However, Telstra’s IT platform upgrades designed to catch more suspicious calls and texts are not keeping pace with ever-evolving spoofing practices.
“Spoofing can be used to gain access to a target’s personal information, spread malware through infected links or attachments, and bypass network access controls,” says data protection and cybersecurity consultancy, Forcepoint.
In spoofed phone calls, malicious actors use social engineering techniques to verbally convince their targets to provide sensitive information such as passwords and account information.
It is a problem that impacts individuals and organisations large and small. The Australian Cyber Security Centre (ACSC) has previously issued an alert regarding malicious actors calling from spoofed Australian phone numbers masquerading as ACSC employees.
While recipients of spoofed telephone calls can hang up, spoofed text messages are more of a threat. Opening a text message can potentially give cybercriminals access to your phone and its contents.
The reputational and financial consequences can be severe for individuals and businesses whose phone numbers have been used in the spoofing attack.
As the rate of spoofing increases, so too do calls for the telcos to address the problem. While the telecommunications industry is largely self-regulated, the industry did produce a Guidance Note (IGN 009) in late 2020 on Caller Line Identification Management.
According to that Guidance Note, telcos are obliged to intervene when malicious spoofing occurs. The problem is there is no established process for notifying telcos of spoofing incidents and no set procedures to deal with and follow up on incidents.
Australian identity theft and cyber support service ID CARE reports some isolated successes after calling in the Australian Communications and Media Authority (ACMA). But ID CARE says such successes are one-offs.
“The solution is not industrialised or, at present, scalable,” ID CARE says.
Until the telcos come up with a solution to spoofing, the onus is on the recipient of spoofed calls to deal with the problem.
ScamWatch advises regular cyber housekeeping practices such as keeping antivirus software on phones up-to-date, regularly changing sensitive passwords, and not opening suspicious text messages or answering unusual calls.
But there are also calls for the telcos to lift their game and be more proactive in dealing with spoofing. As the incidence of spoofing increases, the pressure on telcos to do more may also increase.