
UK NCSC shares guidance for organizations to secure their communications with customers

UK NCSC has published new guidance for organizations to secure their communications with customers via SMS or phone calls.

The UK’s National Cyber Security Centre (NCSC) has published new guidance to help organizations combat telephone and SMS fraud. The guide aims to protect their customers from fraud while ensuring that their SMS and telephone messages are consistent and trustworthy.

Adopting these practices will make it harder for criminals to exploit telecoms channels to target their customers.

“The goal is to help you protect your customers from fraud, while also ensuring that your SMS and telephone messages are consistent and trustworthy, reaching your target audience without being blocked or deleted as suspicious.” reads the guidance published by the NCSC. “The practices we recommend also make it harder for criminals to exploit telecoms channels and, by minimising the complexity of any given service, enable the authorities to be more focussed and efficient in detecting and preventing fraud on telecoms networks.”

The NCSC has already published advice on email security and anti-spoofing; this guide covers only SMS and telephone messaging.

The UK agency recommends creating trustworthy content that meets the standards expected of the organization’s communications. Poor formatting, spelling mistakes and other inconsistencies lead recipients to suspect that a message is fake.

Below are some recommendations provided by the agency when creating content:

  • Don’t ask for personal details
  • Don’t include weblinks, if possible
  • Where it is absolutely necessary to include weblinks, make sure they are human readable and easy to remember
  • Consistency is important across all channels
  • Avoid language that induces panic or implies urgency

When communicating via SMS, the NCSC recommends:

  • Use a five-digit number instead of a regular phone number.
  • Use a SenderID that appears in place of the sending number, indicating that the sender is trustworthy.
  • Use the same SenderID consistently across all communications and register it with the MEF (Mobile Ecosystem Forum).
  • Try not to include web links in SMS, but if it’s absolutely necessary, do not use URL shortening services that obscure the domain.
  • Use as few SMS distribution providers as possible, and audit all messages to validate the content.
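As an added illustration (not code from the NCSC guidance or from the article), the following Python audit checks an outbound SMS draft against the content and SMS rules above before it reaches a distribution provider. The registered SenderID, the shortener list and the phrasing terms are constructed assumptions that an organization would replace with its own.

```python
import re
from dataclasses import dataclass

# Constructed policy values standing in for an organisation's own registered
# SenderIDs and phrasing rules; they are assumptions, not values from the NCSC guide.
REGISTERED_SENDER_IDS = {"ExampleBank"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
PERSONAL_DETAIL_TERMS = ("password", "pin", "passcode", "date of birth",
                         "card number", "account number", "security code")
URGENCY_TERMS = ("urgent", "immediately", "act now", "suspended",
                 "within 24 hours", "final warning")

# Captures the host part of any http(s):// or www. link in the message body.
URL_RE = re.compile(r"(?:https?://|www\.)([^/\s]+)", re.IGNORECASE)


def _term_re(terms):
    # Whole-word match so "pin" does not fire on "shopping".
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b",
                      re.IGNORECASE)


PERSONAL_RE = _term_re(PERSONAL_DETAIL_TERMS)
URGENCY_RE = _term_re(URGENCY_TERMS)


@dataclass(frozen=True)
class Finding:
    rule: str    # short identifier of the guidance rule that was broken
    detail: str  # the fragment of the draft that triggered it


def audit_sms(sender_id: str, body: str) -> list[Finding]:
    """Return the guidance rules an outbound SMS draft breaks (empty list = clean)."""
    findings = []
    if sender_id not in REGISTERED_SENDER_IDS:
        findings.append(Finding("unregistered-sender-id", sender_id))
    for m in URL_RE.finditer(body):
        host = m.group(1).lower().split(":")[0]
        if host in URL_SHORTENERS:
            # A shortener hides the real domain, so the customer cannot judge it.
            findings.append(Finding("url-shortener", host))
        else:
            # Links are discouraged even when the domain is human readable.
            findings.append(Finding("weblink", host))
    if (m := PERSONAL_RE.search(body)):
        findings.append(Finding("asks-personal-details", m.group(0)))
    if (m := URGENCY_RE.search(body)):
        findings.append(Finding("urgency-language", m.group(0)))
    return findings


def is_approved(sender_id: str, body: str) -> bool:
    """Gate for a distribution pipeline: only a finding-free draft may be sent."""
    return not audit_sms(sender_id, body)
```

A real deployment would run this as a pre-send check at the single point where drafts are handed to the distribution provider, so every message is audited consistently.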

When dealing with phone calls, the UK agency recommends following these guidelines:

  • Provide mechanisms for customers to establish contact. It’s always better to allow the customer to initiate contact when providing personal information, as this significantly inhibits fraudsters. This could be achieved through a number of channels, including email, online, or inbound calls.
  • Understand who is providing your telephony services and the call routes they are using. Having fewer providers makes it easier to ensure, for example, that your calls are not being routed overseas.
  • Maintain consistency on numbers used for services.
  • Any service that only receives calls should be added to the Do Not Originate list. This helps prevent the number from being used to make outbound calls. In order to deal with the limitations of this protective measure, you should also make it clear that your customers will never receive a legitimate call from this number. Please contact Ofcom about this at DNO@ofcom.org.uk
  • Check your provider is correctly identifying, or ‘signalling’, the numbers they use to make calls on your behalf. Ensure they are following the General Conditions.
  • Request that your provider prevents your numbers from being moved (ported) to a different operator. In the UK, porting of numbers between operators (such as EE, Vodafone, BT and Three) is both quick and easy.
  • Confirm that the routing does not go offshore. Many fraudulent calls originate outside the UK. Routing legitimate calls outside the UK and back for a cost saving makes it harder to protect your customer.

Additional tips are included in the guidance.


Pierluigi Paganini

