
UK NCSC shares guidance for organizations to secure their communications with customers

UK NCSC has published new guidance for organizations to secure their communications with customers via SMS or phone calls.

The UK’s National Cyber Security Centre (NCSC) has published new guidance to help organizations combat telephone and SMS fraud. The guide aims to protect their customers from fraudulent activity while also ensuring that the organizations' own SMS and telephone messages are consistent and trustworthy.

Adopting these practices will make it harder for criminals to exploit telecoms channels to target their customers.

“The goal is to help you protect your customers from fraud, while also ensuring that your SMS and telephone messages are consistent and trustworthy, reaching your target audience without being blocked or deleted as suspicious.” reads the guidance published by the NCSC. “The practices we recommend also make it harder for criminals to exploit telecoms channels and, by minimising the complexity of any given service, enable the authorities to be more focussed and efficient in detecting and preventing fraud on telecoms networks.”

The NCSC has already published advice on email security and anti-spoofing; this guide covers only SMS and telephone messaging.

The UK agency recommends creating trustworthy content that meets the standard expected of official communications. Poor formatting, spelling mistakes and other inconsistencies lead recipients to suspect that a message is fake.

Below are some recommendations provided by the agency when creating content:

  • Don’t ask for personal details
  • Don’t include weblinks, if possible
  • Where it is absolutely necessary to include weblinks, make sure they are human readable and easy to remember
  • Consistency is important across all channels
  • Avoid language that induces panic or implies urgency

When communicating via SMS, the NCSC recommends:

  • Use a five-digit number instead of a regular phone number.
  • Use a SenderID that appears in place of the sending number, indicating that the sender is trustworthy.
  • Use the same SenderID consistently across all communications and register it with the MEF.
  • Try not to include web links in SMS, but if it’s absolutely necessary, do not use URL shortening services that obscure the domain.
  • Use as few SMS distribution providers as possible, and audit all messages to validate the content.
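The last bullet asks organizations to audit every message before it goes out. As an added example (not from the NCSC guidance or this article), here is a small pre-send lint in Python that checks outbound SMS drafts against the content and SMS recommendations above: the SenderID must be the registered one, links are flagged, shortened links that obscure the domain are rejected, and urgency language or requests for personal details are reported. The shortener domains, the phrase lists, the "ACMEBANK" sender ID and the three sample drafts are constructed assumptions; the URL pattern is a deliberately simple heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed list of URL-shortening services; extend for your own environment.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed phrase lists for the kinds of wording the guidance warns against.
URGENCY_PHRASES = [
    "immediately", "within 24 hours", "urgent", "act now",
    "your account will be suspended", "final warning",
]
PERSONAL_DETAIL_PHRASES = [
    "reply with your password", "confirm your pin", "send your date of birth",
    "enter your card number", "provide your national insurance number",
]

# Simple heuristic for something that looks like a link (with or without a scheme).
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")

# Assumed registered SenderID for the organization (constructed).
APPROVED_SENDER_IDS = {"ACMEBANK"}


@dataclass
class SmsDraft:
    sender_id: str
    text: str


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_sms(draft: SmsDraft, approved_sender_ids=APPROVED_SENDER_IDS) -> AuditResult:
    """Check one outbound SMS draft against the content and SMS recommendations."""
    result = AuditResult()

    # Consistent, registered SenderID across all communications.
    if draft.sender_id not in approved_sender_ids:
        result.findings.append(f"sender id '{draft.sender_id}' is not the registered SenderID")

    # Avoid links; never use shorteners that hide the real domain.
    for match in URL_RE.finditer(draft.text):
        link = match.group(0)
        host = re.sub(r"(?i)^https?://", "", link).split("/")[0].lower()
        if host in SHORTENER_DOMAINS:
            result.findings.append(f"shortened link obscures domain: {link}")
        else:
            result.findings.append(f"link present (avoid if possible): {link}")

    lowered = draft.text.lower()
    # Avoid language that induces panic or implies urgency.
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            result.findings.append(f"urgency language: '{phrase}'")
    # Never ask for personal details over SMS.
    for phrase in PERSONAL_DETAIL_PHRASES:
        if phrase in lowered:
            result.findings.append(f"requests personal details: '{phrase}'")

    return result


# Constructed sample drafts: one clean, one with a plain link, one that breaks every rule.
GOOD_DRAFT = SmsDraft(
    "ACMEBANK",
    "Acme Bank: your new card has been posted and should arrive within 5 working days. "
    "Call the number on your existing card with any questions.",
)
LINK_DRAFT = SmsDraft(
    "ACMEBANK",
    "Acme Bank: sign in at acmebank.example/track to follow your card.",
)
BAD_DRAFT = SmsDraft(
    "44770000000",
    "URGENT: your account will be suspended within 24 hours. "
    "Confirm your PIN at https://bit.ly/3xyz now",
)

if __name__ == "__main__":
    for name, draft in (("good", GOOD_DRAFT), ("link", LINK_DRAFT), ("bad", BAD_DRAFT)):
        result = audit_sms(draft)
        print(f"{name}: {'OK' if result.ok else 'REJECT'}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Run it as a gate in the messaging pipeline: a draft with any finding is held for review rather than sent, and a plain (non-shortened) link is reported so the author can decide whether it is truly necessary.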

When dealing with phone calls, the UK agency recommends following these guidelines:

  • Provide mechanisms for customers to establish contact. It’s always better to allow the customer to initiate contact when providing personal information, as this significantly inhibits fraudsters. This could be achieved through a number of channels, including email, online, or inbound calls.
  • Understand who is providing your telephony services and the call routes they are using. Having fewer providers makes it easier to ensure, for example, that your calls are not being routed overseas.
  • Maintain consistency on numbers used for services.
  • Any service that only receives calls should be added to the Do Not Originate list. This helps prevent the number from being used to make outbound calls. In order to deal with the limitations of this protective measure, you should also make it clear that your customers will never receive a legitimate call from this number. Please contact Ofcom about this at DNO@ofcom.org.uk
  • Check your provider is correctly identifying, or ‘signalling’ the numbers they use to make calls on your behalf. Ensure they are following the General Conditions.
  • Request that your provider prevents your numbers from being moved (ported) to a different operator. In the UK, porting of numbers between operators (such as EE, Vodafone, BT and Three) is both quick and easy.
  • Confirm that the routing does not go offshore. Many fraudulent calls originate outside the UK. Routing legitimate calls outside the UK and back for a cost saving makes it harder to protect your customer.

Additional tips are included in the guidance.


Pierluigi Paganini

(SecurityAffairs – hacking, SMS)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
