How telcos can navigate the European regulatory landscape securely

Goran Valjak
Senior Telecom Business Executive

The European telecommunications industry is experiencing a wave of regulatory changes aimed at enhancing security and combating fraud. These changes will have a significant impact on the industry, and it is important for telecom companies to stay informed and adapt accordingly.

However, at the same time the EU has been grappling with the issue of balancing privacy and security obligations for mobile operators for several years now. While there is a strict privacy obligation that prohibits operators from checking or recording any telecommunication between individuals, in the past few years the regulation has seen several exceptions to this obligation with the aim of preserving security of users and/or networks.

To give you a snapshot, on one hand you have the General Data Protection Regulation (GDPR) that went into effect in May 2018, giving individuals greater control over their personal data and places strict requirements on how companies collect, store, and process this data. This includes telecom companies who must ensure they comply with GDPR provisions if they want to avoid heavy fines and reputational damage.

However, one thing to keep in mind is that GDPR provisions the processing of personal data if it’s strictly necessary and proportionate for ensuring network and information security; such as accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

And on the other hand, telecom companies need to balance that with:

The European Electronic Communications Code (EECC) requires operators to take appropriate and proportionate measures to ensure the security of networks and services, considering the expertise and recommendations of ENISA.
ENISA (the authority whose opinion the EECC refers to) mentions the measures operators must implement to ensure the security of their networks and services. The ruling points out that the implementation of firewalls and content filtering to locate SPAM can be an appropriate and proportionate measure for the growing spam SMS traffic risks.
The Network and Information Systems Directive (NIS Directive) requires telecom companies to take measures to protect their networks and systems against cyber threats. The directive obliges telecom companies to implement appropriate security measures and report any security incidents to national authorities.

The above rules make it feel that telecoms cannot fully protect end customers without affecting their privacy, resulting in a fight between security and privacy obligations. However, there is a compliant way to do this, where telcos can protect customers from fraudulent messages and respect their privacy at the same time.

But first, it’s important to know why this important, and for that we need to deep dive into the cost of fraud.

Let’s talk about the cost of fraud in the world of A2P messaging

A2P messaging has become incredibly popular because it’s simple, fast, and direct. However, A2P SMS is also a channel that fraudsters have been taking advantage of more and more in recent years.

According to the Communications Fraud Control Association – Fraud Loss Survey Report 2021, the estimated global telecoms revenues was $1.8 trillion but the estimated global telecom fraud loss was $39.893 billion, or 2.22% of the former amount.

$39.893 billion

global telecom fraud loss

Some of the most common SMS frauds are:

SMS Phishing, also known as smishing where criminals contact potential victims to trick them into providing personal information, bank account information or clicking on links that that download malware onto their phones.
SMS Spoofing, which is when a fraudster pretends to be a well-known business by manipulating the location and identity of the sender.
SMS Faking, where the fraudster manipulates signaling parameters to fake the operator’s details, causing customers to receive unsolicited SMS messages.
SMS Spamming, where a callback premium rate number is embedded in the SMS, resulting in high charges for the recipient.
SMS Flubots infect smartphones and steal passwords, online banking details, or other sensitive information along with sending malicious messages without the end customer’s knowledge
SMS grey routes, when traffic is routed through alternate networks, which leads to a loss of revenue for the telecom operator.
Lastly, SIM Farms that involve a collection of SIM cards used to issue business SMS messages to avoid paying A2P SMS rates.

The situation in Europe

According to a report from Europol’s European Cybercrime Centre, fraud cost the telecom industry an estimated €10.6 billion ($12 billion) in 2019. This includes a range of different types of fraud such as international revenue share fraud, PBX hacking, roaming fraud, and more.

The problem with combating this kind of activity is that it’s incredibly time-consuming. The Communications Fraud Control Association reported that many operators with between one million and 10 million subscribers are dealing with more than 10,000 incidents per month.

And in a study by PwC two-thirds of operators reported facing fraud in the last two years.

2/3rd

of operators face fraud in the last 2 years

So, just how costly is all of this? Usually MNOs bear the cost of fraud themselves as investigations take a long time, and sometimes, cases cannot be resolved. On top of that fraud gives rise to other issues such as damage resolution costs time and reputation control.

Then there is the loss of revenue, subscriber churn and the deterioration of their brand image. Acquiring new customers costs much more time, money and effort than retaining existing ones.

For the end-user, the biggest threat is arguably smishing, where the victim unknowingly shares personal information with a criminal who has sent a fraudulent SMS. According to data from consumer group ‘Which?’, reports of smishing attacks in the UK grew by more than 700% in the first six months of 2021.

Shockingly, young people are most at risk. A UK study found that a quarter of young people trust scam messages, and Gen Z is twice as likely to fall victim to smishing than the older generation. The reason could very well be because of the need for instant communications and transactions, which often means being lazy at validation. And if that is so, then this makes the case for being more vigilant on messages being sent, as this would increase the number and also types of frauds.

All of this just goes to show how important it is to be aware of the risks associated with A2P messaging and the reason why telcos need to comply with the recent European and national regulations. Especially with an increasing number of EU countries (such as Netherlands, Germany and Croatia) stipulating that confidentiality of electronic communications obligation does not apply to activities necessary to maintain the security of electronic communications networks and services.

The impact of fraud

Operators	Customers
Loss of revenue / Customer churn	Loss of money
Damage to brand and reputation	Loss of personal data and repercussions from it
Increased spending on customer service	Time spent to recover data
Time and manpower to repair damage	Frustration, loss of trust and emotional distress

It’s time to protect A2P SMS

The rising incidences of fraud has led to a decrease in trust. UK consumer body Which? Said 71% of customers don’t trust messages from companies to be free from scam risks. This ends up undermining a core channel for business communications and telecoms such as SMS which is known for reliability, deliverability, and results.

SMS is also a ubiquitous tool for business messaging. From appointment reminders to verification codes, text messages are the go-to choice for many businesses. But with the rise of fraud exploiting this channel for their own gain, it has raised question mark on trust.

So, how do we protect SMS as a channel and keep it safe from bad actors?

Phishing and fraudulent activities have become rampant, with fraudsters using the logos and brands of legitimate entities to gain the trust of end-users. DHL, for example, has had significant issues with fraudsters using their logo and brand to trick end-users into sharing information.

One solution is to encrypt messages, but unfortunately, encryption doesn’t always help. For example, with smishing since fraudsters are sending these messages, encryption won’t stop them.

Another issue is the risk of exposure to third parties as messages make their way to the operator. At each hop along the way, the message is logged, processed, and stored by intermediaries, which gives their employees access to the data. This is particularly concerning for enterprises that send sensitive information via text, such as banking. The real risk here is the non-delivery of important messages or fraudsters imitating real messages to phish or smish.

Inspecting messages can be another solution. Operators deploy firewalls to reduce spam and smishing, protecting their subscribers. Additionally, they need to accurately invoice for messages based on their origin, whether it’s national or international.

Here, while the shift towards security is understandable, the question remains about how much content can be accessed to protect against fraud while still ensuring customer privacy.

At Infobip, our stance is that telcos need to go into content to protect the network and subscribers from fraud while still ensuring privacy. It is a complex issue, but with the right solutions, companies and regulators can strike a balance between privacy and security.

Managing security without invading customer privacy

The world of communications is changing rapidly in the European Union (EU), with a slew of new laws and regulations being rolled out and reaching beyond borders. This means that telecom companies need to be more resilient than ever before to combat the growing number of cybersecurity threats they face daily.

It’s not just the increase in data transmissions and complex technologies that telcos have to worry about. They also face the constant threat of attacks, making it a tough battle to keep their networks safe and secure.

Despite these challenges, there are still exciting opportunities for telecom players to protect their reputation, the SMS ecosystem and build trust with their customers. However, with the pressure of new regulations, they must constantly adapt to keep up with the ever-evolving landscape of the industry.

Mijo Soldin, VP telecom strategy and partnerships, Infobip says mobile network operators have a crucial role to play as secure gate-keepers when it comes to combatting fraud.

“The solution to this challenge is investment in AI (artificial intelligence) and ML (machine learning)-powered next-generation firewalls. These can identify fraudulent messages, white route traffic and block grey route traffic, flag spam messages, close off low-quality, backdoor SMS routes, and are better equipped in tackling fraudulent SMS messages than their predecessors.

“The onus is on mobile network operators to protect customers, and creating solid digital defences, with next-generation SMS firewalls, will give telecommunication providers the upper-hand amongst competitors,” he says.

The need for a complaint SMS firewall solution

A few years ago, due to the privacy obligations telcos in Europe were apprehensive of deploying firewalls. However, with the new regulations and emphasis on security, telcos must invest in a SMS firewall solution that is AI and ML-powered and offers content filtering and data anonymization.

Content filtering:

Content filtering is vital as it protects telcos, businesses, and customers against potentially fraudulent content.

The European Union Agency for Network and Information Security (ENISA) in its document “ENISA Threat Landscape 2020 – Spam” highlights the different spamming techniques and provides a series of actions for mitigating spam messages. In this document, ENISA proposes that to combat spam, telcos should take the following action – implementation of content filtering to locate unwanted attachments, SPAM and unwanted network traffic.

One way content filters work is by scanning inbound content for any restricted phrases or data types. If they come across anything objectionable, the content is rejected. Another method is to exclude executable files, which may contain malware or other unwanted programs.

In addition, certain anti-phishing capabilities such as Anam Protect can scan and compare the content to a database of malicious URLS for each region, along with going through links and attachments that may be suspicious.

Filters can also screen out different types of content, like links, to prevent users from accessing potentially harmful sites. Additionally, some filters screen content based on its origin, blocking any content from specific networks or domains known to host malicious or illegal content. By using these mechanisms, content filters can help keep your network safer and more secure.

Data anonymization:

Data anonymization works in tandem with filtering and separates content-sensitive information from personal information, so no one can see who is sending a specific text without the operator’s key for encryption. This ensures customer privacy while still allowing checks for keywords to recognize fraud.

Ultimately, to have strong and reliable security mechanisms, telecoms will need to switch from reactive security to proactive – one that relies on extensive monitoring and has predictive capabilities, powered by advanced analytics and AI.