The UKs Growing Scam Call Crisis

It is getting worse

In 2023, it was reported that 9.3% of all UK calls were fraudulent, and a third were classed as spam or nuisance calls, which is the highest rate in Europe.

This alarming trend brings devastating consequences for both the economy and individuals. The financial impact is staggering, with an estimated £1.1 billion lost to scammers in 2023 alone, draining resources from legitimate businesses and public services.

Beyond the economic damage, these calls cause immense personal harm, particularly to vulnerable populations such as the elderly and those with limited technical knowledge. Many victims report increased anxiety, loss of trust in essential services, and in severe cases, financial hardship that can lead to debt, housing insecurity, and mental health crises. The psychological toll is often overlooked but equally damaging, with victims experiencing shame, embarrassment, and a persistent fear of answering their phones – effectively isolating them from family and essential services.

It's important to consider that the accuracy of these statistics, which are drawn from Hiya, Ofcom and Action Fraud, and the reporting systems are not well established, something we'll deal with later.

The Business Model

Spam

Spam and nuisance calls are by far the largest proportion of unwanted calls, and the majority are sales calls. These calls are from companies pushing their goods to consumers without any legal basis to do so, many of whom are either buying lists or just robo-calling (A technique where a system simply dials all possible numbers in a range).

These spam calls are not harmless, and whilst they are not immediately fraudulent, the goods and services often are. Here's a few examples:

• Personal Injury and Accident Claims: Calls offering compensation for personal injuries or accidents, often unsolicited and repetitive.
• Gas and Electricity Suppliers: Cold calls promoting energy deals or switching services, particularly targeting households during energy price hikes.
• Double Glazing and Home Improvement Offers: Calls from companies selling windows, insulation, or other home improvement services.
• Debt Relief Services: Unsolicited offers to help consolidate or manage debts, often targeting vulnerable individuals.
• Extended Warranty Offers: Calls offering extended warranties for appliances or electronics, typically after the initial warranty expires.
• Pension Unlocking Services: Promoting schemes to access pensions early, often with misleading claims about financial benefits.
• Telemarketing for Products/Services: General sales calls promoting various products or services that recipients have not opted into.
• Silent or Abandoned Calls: Calls where no one speaks, often used to detect active phone numbers for future marketing or scams.
• Recorded Sales Messages: Robocalls delivering pre-recorded messages promoting products or services.
• Broadband and Telecom Offers: Calls from telecom providers (or impersonators) offering upgrades or new packages without prior consent.

Spam Text Messages

I think Spam SMS deserves a mention here, because it is very easy to do, and there is no way for you to stop it. Any company can send you endless SMS messages without any fear of reprise. The mobile carriers won't block them, you can't block them, and ICO has no interest in doing anything. It is estimated that 78 billion spam text messages were sent in the first half of 2023, or 13 billion per month. One company sent 7.8 million spam texts in just one month. This is a serious problem, and without any way to block the likes of "RainbowRich", "UKSlotz", "ZevenSpinz", "WinzToday", "KingsWinUK", "InstaWinUK", "KingsLuck", "WinUK", "PalmzUK", "MerryPerk", "BigUK", "Party-Spinz", "UKWin", "Spinzler", "GxSpinz", "TopSpin", "instantplay", "nonstop", "playfreely", "fridayfun", "fastest", "kingsoffer", "getready", "bestpack", "gamblii", "hotgames", "newgames", "topgames", "hivespins", "grosvenor", "limitless", "nolimit", "nostops", "hypernite", "hypersino", "casigood", and many, many more.

Scam

Scam calls are fraud where their only intention is stealing money, information or both. Scam calls are by far the most damaging because the losses can be significant, and personal. Scams typically target the elderly who grew up in an age where people were generally decent, and they aren't used to the sort of evil that exists in the world today. Here's some of the common ones reported in the UK:

Police Impersonation

A precursor to bank, NI, DWP, HMRC scams is often information gathering, and this is regularly done with the police scam, where fake police officers call and claim the customers unwitting involvement in fraud cases. The customer will give up all sorts of information to a 'police officer' in the UK simply because the police are feared, and to avoid any retribution the customer will divulge what bank they bank with, credit cards, bank cards, loans, even what vehicles, insurances and pets they have. Having solid information like this makes other scams far more credible.

HMRC Scams

The scammers Impersonate HMRC, claiming you have unpaid taxes or offering fake tax refunds to steal personal and financial information. These scams succeed because the HMRC has a reputation for treating people unfairly and imposing punative and disproportionate fines and penalties.

Bank Scams

Another popular scam is the 'Your Bank' scam, where fraudsters pretending to be from banks, make unsolicited calls warning people of suspicious activity and requesting account details or transfers to "safe accounts". You may think this is obviously a scam and no one could ever fall for this, but unfortunately, many do. The scammers are experienced manipulators and again the elderly and vulnerable are the primary targets.

Amazon Impersonation

Surprisingly this scam centres around calls claiming there are issues with your Amazon accounts or unauthorised charges, often asking for account verification (user and password). These scams aim to gain access to the Amazon account after which goods can be ordered, usually digital goods like gift cards and because the caller would have told the customer to expect some alerts from amazon, and not to worry because they'll take care of it - they don't and days to week later there's a large bill.

Phone Contract Scams

Fraudsters posing as telecom providers offering discounts or upgrades to gain access to accounts through which they will order replacement handsets and other goods to be delivered to alternative addresses.

Energy Scams

Impersonating utility companies, claiming unpaid bills or offering fake deals on energy services. These succeed because in the UK, your energy provider can apply to a magistrate for permission to force entry to your home to disconnect your supply. That is, legally break down the door and cut of your electricity. This threat alone can be used to leverage payments easily.

Broadband and Tech Support Scams

Calls pretending to be from broadband providers or tech support, claiming issues with internet service or security threats. These scams are manifest and often involve installing a remote access tool on a customers computer. This is then used to 'watch' what the customer does, lifting usernames and passwords as well as taking control after the customer has been persuaded to login to their bank account or other provider. Many of these remote access tools can blank the screen so the customer can't even see that their bank account is being drained of funds which are transferred offshore.

National Insurance Number Scams

Threatening suspension or invalidation of NI numbers to extract personal details, and with these details scammers can build a better profile for a later HMRC Scam for example.

Callback Scams

A message is left on your answerphone asking you to call back urgently with some made up important reason - the only problem, the number you're calling back in a premium rate number and it will cost you several £ per minute. You'll be kept on the phone for a while waiting to find the right department or person then who knows, the scam is simple and effective.

Premium Texts

Something that should never have existed in the first place is premium texts, or reverse charge texts, where a company can send a text message to a customer, and that customer is charged between £1.50 and £5 for the privilege. It is a real struggle to get any sort of refund and mobile carriers refuse to be involved. Some providers offer a service to block premium text messages but not all. How crazy is this?

Link Scams

In this scam, the scammer will tell the customer that they will be sent a link to securely log them into their bank (usually) and this link when it arrives will of course take them to a login page that looks very much like their bank, but it's not. Since banks started using 2FA, this scam has been less successful instead pivoting to email compromise, after which the 2FA code can be retrieved. Banks deploying things like pin-pads are circumvented by the scammer talking the customer through what to put in and what to read back. Things like letters in memorable words can be defeated by requesting sequential 'letters', 1 and 2, 3 and 4, 5 and 6 and so on, not hard and very effective because many people struggle getting it right the first time, or second or third. You would be surprised how many 'memorable' words can be guessed once you know only a few characters.

Wills and Probate

You would be surprised how many times a second or third cousin once removed is going to die and leave you a significant estate as the last traceable heir. This is of course rubbish, but this is the scam, and there will be a fee to pay to the solicitors or some other outfit that needs paying before deeds can be transferred.

"Hi Mum" Scam

Texts or calls impersonating family members in distress, asking for urgent financial help. This despicable scam leverages peoples natural need to protect their children, and is as close to kidnap and ransom as you can get without actually abducting anyone.

Delivery Scams

Fake calls about missed deliveries or surprise packages requiring payment for release. These work because many people are receiving deliveries from couriers every day and whilst a low grade scam, it's quick to execute.

Catfishing Scams

In this more long term scam, a scammer befriends someone on social media, and becomes their 'friend' then their 'partner'. They will cultivate these people and extort vast sums of money over time with various excuses and emergencies.

Many, Many More

These are just examples of the common ones, and scammers are constantly inventing new and effective ones. To protect yourself you simply need to think logically - who is this person, why are they calling me, and is this likely to be correct. I have to say that organisations, especially banks don't help - they'll call you in the middle of the day, and then ask YOU to pass their security checks! I simply refuse, and ask them a few security questions first, like how much was the last payment on the account, or what is the branch address for this sort code, and of course they refuse to answer, give some lame made-up excuse and hang up, but that's fine, perhaps they were the bank, or maybe they weren't. The bank shouldn't be calling me and asking me to impart sensitive information, ever - but the fact they do clearly indicates that most people aren't that aware, and will tell them anything they ask.

How do they find you?

Even after GDPR, which incidentally did nothing in this area except frustrate legitimate businesses from contacting their prospects and customers, Scammers and Spammers continue without restriction. They have no interest in GDPR, and they can buy lists of names and numbers easily online. Many of these lists are leaked from data breaches or compiled from other scammers who's business is simply collecting and selling lists of vulnerable people.

Lets take a look at some notable data breaches that have fuelled these spammers and scammers for many years to come:

• Dixons Carphone, exposed 14 million records including phone numbers, names and addresses.
• Equifax, 15.2 million records exposed including phone numbers and sensitive personal data.
• VirginMedia, 900,000 customers including names, addresses and phone numbers.
• JD Weatherspoon, 650k customers date of birth, email addresses, names and phone numbers.
• Three mobile, 130k customers names, phone numbers and addresses.
• TalkTalk, 157k customer names, phone numbers and financial details.
• Easyjet, 9 million records globally with email addresses, travel details and phone numbers.
• British Airways, 430k customers names and phone numbers.
• NHS Surrey, 3k patient records.

We maintain a curated list of known data breaches available {{Here|DB}} for the full picture, and with data like this readily available online to buy and sell, it is very easy to find targets for spam and scams, and that's without any baiting.

If they don't want the expense of buying data, they can robo-call, a common technique used to simply call all possible numbers in a range. 02081110000 to 02081119999 for example is ten thousand numbers, and with parallel dialling these can be called very quickly indeed. Many numbers will fail, but there's no cost for that, and those that do answer are added to a list to be called properly later. There are actually businesses setup to robo-call blocks and provide the active numbers.

Companies like Google, Meta (Facebook/Instagram), Reddit, LinkedIn, Youtube, Tiktok and others sell advertising space to pretty much anyone with a credit card. This space is often hijacked by scammers to place their links ahead of legitimate businesses on search engines, and in ads shown to users. This provides a quick and easy feed of potential victims, who click on links and ads and are then funnelled into the scammers net. Always be aware of this and never click the sponsored links or ads anywhere, instead using a search engine and getting to the genuine (not paid for) results which are usually just below. If you know the company you're trying to reach, type it in instead of searching for it to be even safer.

Reporting Spam and Scams

You may think that the most obvious defence to this would be to simply have an easy way to report spam and scam calls, allowing the regulator and authorities to quickly block numbers and prevent further exploitation, right?

You would be wrong. Ofcom, the telecommunications regulator doesn't have any interest in spam or scam calls, and ICO (The Information Commissioners Office) has a 'form' on their website that is awkward to use, unreasonably lengthy, and time consuming, the result of which - very few people bother.

There is the TPS, a private limited company that charges telemarketing companies an extortionate amount of money to buy the list and exclude these numbers from their systems, but (a) TPS is broken and not fit for purpose, (b) many smaller companies cannot afford the exorbitant charges, and (c) spammers and scammers don't care at all about TPS.

Action Fraud, an organisation who is government funded, has an 'online' reporting tool but you need to create an account, login, and even then its not simple to use and very time consuming, so only serious fraud gets reported.

Telecommunication companies, can of course provide simply and effective ways to block spam and scam callers, and indeed many do. BT for example has BTCaller Protect, which blocks numbers that customers report as spam and it works quite well, providing enough people report the same number to trigger the block - but there is a problem. Once that number is blocked, from it to BT customers play a message that it has been blocked, so of course the spammers and scammers just rotate numbers.

IP Telephony

Way back before we had IP Telephony, calls had to be made from landlines, and the costs were quite high and there were was very little scam or spam calling in this country. IP Telephony however has had two fundamental affects:

Impersonation

Now a company in the far east can easily buy a UK phone number, and start making calls from that number without any need to be in the UK. This of course works both ways and anyone in the UK can easily buy a number in the far easy and start making calls there as that number.

The issue with this is two fold. Firstly, calls are dirt cheap, as low as 0.04ppm so scammers and spammers can make as many calls as they like for very little cost, and Secondly, getting numbers is easy and almost instant. You can request 100 numbers today, drop those tomorrow and request another 100 and this effectively sidesteps any number blocking systems employed by telcos, as well as obfuscating any reporting to the regulator or authorities.

Spoofing

It is possible, in IP Voice to make a call to someone and show a different number than is being used. This is of course not 'allowed' but it is done and done regularly. This spoofing enables scammers to further bolster the scam by asking the customer to check the number they are calling from, and to go online and check that is the correct number of the 'bank' or whatever scam is being perpetrated.

Spoofing should never have been possible, but because of the way the system is setup in the UK, and how calls flow between providers, there is currently no way to effectively block it.

Solutions

Ah, my favourite part of the article, where I get to tell you have this can all be solved overnight and with very little effort. Well, its not that simple, but it is fixable.

OFCOM and ICO have no remit to impose any sanctions on any offshore company, so these offshore scam call-centres are effectively safe, and the telcos are absolved from any blame. To make matters worse there are now offshore telcos being issues control of UK numbers!

So the first step would be to make UK Telcos actually liable for financial loss perpetrated on numbers they manage, and open them up to significant fines for failing in due diligence. This would of course never happen because the telcos have a powerful lobby, but if it did then suddenly these companies would start making rigorous checks on their customers as well as putting in place triggers and monitors. ONLY UK companies should be able to manage numbers in the UK.

We know that pretty much all scam calls comes from offshore, so they could easily block offshore traffic - if you want a UK number then you need to be in the UK to use it or go through an extensive vetting process. There are very effective IP Reputation providers that can identify suspect addresses and that can be used to further block traffic routed over VPNs or from cloud hosted services.

They could monitor the number of calls made, the duration of those calls, the number of calls to inactive numbers, and so on, and with a little code they could be made aware of suspect activity, and take action.

The fact is, many of these companies literally enable scammers by providing easy to setup, cheap and remotely accessible UK numbers with little or no checks or balances.

A better system for reporting scam or spam numbers could be implemented, the same system that every telco uses, and when a number is reported many times the 'owner' of that number is put on notice to investigate and block all other numbers from that same client. This is not hard to do, the regulator would provide a short code, and all telco's would provide an API allowing a lookup of the last caller to a number. Then when calling that short code, a lookup is done, the last caller identified and a second API notifies all carriers to block the number, and the number owner to investigate.

Cooperation Globally, has to be a prerequisite, when a scam call center is identified (above) then the IP is tracked back to the ISP, who will know exactly where that service is provided to, and the local police spring into action to thwart further crime. Sounds complex, but it really isn't and most of that can be automated. A clearing-house could be setup to handle global scam call centre reports, looking up the ISPs, making the requests and disseminating the information. The ONLY reason there are so many scammers is because they rarely get caught, or when they do they are able to bribe their way out of trouble.

Until there is a better system, you're stuck with the imperfect one we've got. Report fraud to Action Fraud, and if you have limitless free time, report spam to ICO, both are linked below.

Blog Index   PermaLink   Comment           15 Votes