Telecommunication companies GO, Melita and Epic said that combating SMS spoofing bank scams should not be a “question of blame”, instead there should be a push for more educational campaigns.
“None of them are to blame because none are behind the spoofing scams,” Epic said. Epic also admitted that moving forward they need to work hand in hand with the banks to “strengthen the infrastructure”.
GO also spoke about all the security measures it has in place to prevent this from happening, while Melita mentioned how telecom companies do not have the authority to block numbers.
The SMS spoofing bank scam is when a client receives an SMS from the bank number, which would usually have an alarming message asking people to click on a link.
Telecom companies were asked for their views following a story published by The Malta Independent on Sunday last week in which Bank of Valletta’s head of Operational Risk Antoine Aquilina said that the telecom companies’ lack of security is to blame for SMS spoofing.
Aquilina insisted that, although the messages were coming from the BOV number, there was no security breach. “The banks can't stop it from happening because we're not in control of the technology being used… The real issue with security is with the telecom companies, bluntly.”
“We live in an industry where there is a lack of legislation to enforce security controls on telecom companies. We've been in contact with the Malta Bankers Association (MBA), the Malta Communications Authority (MCA) and the telecom companies. Bluntly, without legislation, telecom companies don't have the initiative to enforce or implement security controls,” Aquilina said.
Following this story, the MCA, GO, Melita and Epic were contacted to get a response to BOV’s claims.
In its reply, the MCA said that “under the laws it enforces, it does not have specific powers to intervene in cases of smishing and other forms of phishing. Meanwhile, the MCA has taken steps to promote greater awareness of this topic through its online channels, alongside other public and private bodies”.
“The MCA considers that this is a multi-faceted issue and having multiple stakeholders join forces in a collaborative environment is the key towards mitigating the harmful effects of smishing and other fraudulent activities.”
It also suggested that people refer to its article, 5 Tips to Slam the Scam.
All telecom companies were asked: “What are your reactions to BOV’s claim? Are the telecommunications companies to blame for the spoofing scams or are banks also to blame?”
In its reply, GO said that its responses were not a reaction to BOV’s claims, but simply acknowledging the questions “out of pure courtesy”.
GO said that it does not “think this is a question of blame, but rather a question of what more can we do collectively to raise awareness and educate the general public on security matters”.
“GO takes security extremely seriously and has invested millions over the years in this regard. Our systems are robust and we have a team of individuals who are dedicated purely to security matters. In support of this, more recently, GO also invested in a cyber security company called Cybersift, acquiring majority shareholding.”
Melita also said that this was not a question of blame, but it gave more importance to “customers’ interest” and “ensuring all stakeholders are equipped to minimise these scams as much as possible”.
Melita also spoke about the importance of minimising “the number of customers who fall victim to such scams through preventive and informative educational campaigns”.
“It is not in the telecoms’ remit to decide and block numbers, neither do such companies have enforcement powers. Melita has already proposed, moving forward, that there should be a central authority that maintains and circulates an updated blacklist, which all operators must comply to. This is something that is already practised in other EU member states.”
“None of them are to blame because none are behind the spoofing scams,” Epic said.
“Having said that there is a need to work together on this new challenge to minimise the impact these spoofing scams could have on subscribers.”
The telecom companies were also asked: “Have you been in discussion with banks about this issue? If yes, what was the outcome of these meetings?”
GO said it is in constant discussions with its clients, including banks, about several matters, including security.
Melita said that “earlier this month the Critical Infrastructure Protection Department held a meeting, which was attended by security officials from the government, authorities, banks and telcos”.
“During this meeting, the telecom companies and the sector's regulator, the Malta Communications Authority, clearly explained that telecom operators are not allowed to block numbers based on the instruction of a non-authoritative organisation.”
Epic said that it communicates “with the banks when similar spoofing scams are reported by their subscribers and we work together to minimise the impact they could have. The next step is to strengthen the infrastructure to avoid these scams even earlier than we already do today. This is why we believe both banks and providers need to work together and to establish the right regulatory framework to protect subscribers.”
Lastly, the companies were asked whether they have done anything to prevent these spoofing scams from taking place.
GO said that it takes “security matters extremely seriously and takes every preventive measure possible to keep its clients protected”, however, scammers are still at large finding new ways to defraud people. “This is why GO continuously invests to mitigate and minimise the impact as much as possible.”
“We have the necessary products such as SecureNet that customers can use which are effective, seamless and affordable. We have solutions for businesses to minimise security threats and also notify clients immediately when we suspect a potential threat, not to mention the awareness and educational initiatives we embark on across multiple channels.”
Melita responded by saying that it “conducts its own educational security campaigns and also issues warnings when such scams are circulating. It has always and will continue to cooperate with the authorities in the fight against cybercrime. It is important to stress that if you are a victim of cybercrime or suspect something is out of place, you can seek help by calling on 2294 2231 or by sending an email to [email protected].”