UK NCSC shares guidance for organizations to secure their communications with customers

Pierluigi Paganini January 19, 2022

UK NCSC has published new guidance for organizations to secure their communications with customers via SMS or phone calls.

UK’s National Cyber Security Center (NCSC) has published new guidance for organizations for combatting telephone and SMS fraud. This guide aims at protecting their customers from fraudulent activities, while also ensuring that their SMS and telephone messages are consistent and trustworthy.

The adoption of such practices will make it harder for criminals to exploit telecoms channels to targets their customers.

“The goal is to help you protect your customers from fraud, while also ensuring that your SMS and telephone messages are consistent and trustworthy, reaching your target audience without being blocked or deleted as suspicious.” reads the guidance published by the NCSC. “The practices we recommend also make it harder for criminals to exploit telecoms channels and, by minimising the complexity of any given service, enable the authorities to be more focussed and efficient in detecting and preventing fraud on telecoms networks.”

The NCSC has already published advice on email security and anti-spoofing, however, this guide only covers SMS and telephone messaging.

The UK agency recommends creating trustworthy content that meets the standards expected for communications. Poor formatting, spelling mistakes and other inconsistencies lead the receivers into thinking that they are facing fake messaging.

Below are some recommendations provided by the agency when creating content:

  • Don’t ask for personal details
  • Don’t include weblinks, if possible
  • Where it is absolutely necessary to include weblinks, make sure they are human readable and easy to remember
  • Consistency is important across all channels
  • Avoid language that induces panic or implies urgency

When communication via SMS, the NCSC recommends:

  • Use a five-digit number instead of a regular phone number.
  • Use a SenderID that appears in place of the sending number, indicating that the sender is trustworthy.
  • Use the same SenderID consistently across all communications and register it with the MEF.
  • Try not to include web links in SMS, but if it’s absolutely necessary, do not use URL shortening services that obscure the domain.
  • Use as few SMS distribution providers as possible, and audit all messages to validate the content.

When dealing with phone calls, the UK agency recommends to follow these guidelines:

  • Provide mechanisms for customers to establish contact. It’s always better to allow the customer to initiate contact when providing personal information, as this significantly inhibits fraudsters. This could be achieved through a number of channels, including email, online, or inbound calls.
  • Understand who is providing your telephony services and the call routes they are using. Having fewer providers makes it easier to ensure, for example, that your calls are not being routed overseas.
  • Maintain consistency on numbers used for services.
  • Any service that only receives calls should be added to the Do Not Originate list. This helps prevent the number from being used to make outbound calls. In order to deal with the limitations of this protective measure, you should also make it clear that your customers will never receive a legitimate call from this number. Please contact Ofcom about this at [email protected]
  • Check your provider is correctly identifying, or ‘signalling’ the numbers they use to make calls on your behalf. Ensure they are following the General Conditions.
  • Request that your provider prevents your numbers from being moved (ported) to a different operator. In the UK, porting of numbers between operators (such as EE, Vodafone, BT and Three) is both quick and easy.
  • Confirm that the routing does not go offshore. Many fraudulent calls originate outside the UK. Routing legitimate calls outside the UK and back for a cost saving makes it harder to protect your customer.

Additional tips are included in the guidance.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SMS)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment