Track and Trace Spoofing

 

By Simon Woodhead

Spoofing phone numbers is a reality on international networks, and in a UK context it is something we’ve raised time and time and time again. So you can imagine our concern to see the media trotting out the NHS meme that the only legitimate calls for COVID-19 Track and Trace will be from a single un-spoofable number. There are efforts to close this particular door after the horse has bolted, but they will not work.

We’re aware of what they’re trying to do to make this number un-spoofable, by virtue of a Simwood customer carrying some of this legitimate traffic and undergoing testing. I have also spoken to the relevant lead at Ofcom (who is eminently sensible!) this morning.

Any number can be spoofed, and saying the Track and Trace number cannot be is simply going to amplify the harm done to innocent members of the public. Instead, members of the public need to know that no presented number can be trusted (regardless of what the expert Openreach engineer that used to drink in the pub when it was open says): numbers can be, and routinely are, spoofed, and this Track and Trace number is no exception, despite late efforts to make it so.

Members of the public need to validate callers in another way. We don’t know how workable it is for the Track and Trace process but calling a number back is always far, far more reliable than trusting where it appears to have come from. Anyone can spoof where it looks to have come from; moving where it routes to is harder and generally more noticeable!

Now we are aware of the intent, we have blocked the Track and Trace number being presented over the Simwood network except for customers we know to be part of the programme. That stops our customers inadvertently causing harm, but does not help with the hundreds of other networks that will allow it. Equally, we cannot filter it on incoming calls because we have no way of identifying which calls are genuine and which aren’t when they originate on other networks. We might have mentioned that once or twice too.
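The asymmetry described above can be sketched as a presented-number policy. This is an added example, not Simwood's code: the protected number, the customer ID and the function names are constructed placeholders, and it assumes the presented identity arrives in the SIP `From` and `P-Asserted-Identity` headers.

```python
import re

# Constructed placeholders: the post does not give the number or any customer IDs.
PROTECTED = {"+443069990123"}
PROGRAMME_CUSTOMERS = {"cust-programme-01"}
IDENTITY_HEADERS = ("From", "P-Asserted-Identity")

def normalise_uk(value):
    """Reduce a SIP/tel identity to E.164, assuming UK national format by default."""
    m = re.search(r"(?:sips?|tel):([^@;>]+)", value)
    user = (m.group(1) if m else value).replace("(0)", "")
    digits = re.sub(r"\D", "", user)
    if not digits:
        return None                      # e.g. sip:anonymous@..., no number presented
    if user.lstrip().startswith("+"):
        return "+" + digits              # already international
    if digits.startswith("00"):
        return "+" + digits[2:]          # 0044... international prefix
    if digits.startswith("0"):
        return "+44" + digits[1:]        # UK national format
    return "+" + digits

def presents_protected(headers):
    """True if any identity header carries the protected number in any spelling."""
    return any(normalise_uk(headers.get(h, "")) in PROTECTED for h in IDENTITY_HEADERS)

def egress_decision(customer_id, headers):
    """Calls sent by our own customers: we know who they are, so we can enforce."""
    if presents_protected(headers) and customer_id not in PROGRAMME_CUSTOMERS:
        return "reject"
    return "allow"

def ingress_decision(headers):
    """Calls arriving from other networks: the presented number is the only evidence,
    so a match cannot be classified as genuine or spoofed."""
    return "unverifiable" if presents_protected(headers) else "allow"
```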

Please tell friends and family that they are not to trust calls from any number simply because of the number that is presented, and that they should validate the caller in another way. The NHS make clear what information will and will not be asked for on their website; anything outside this is likely a scam. Regardless, do not trust the caller simply because it looks like the number they claim to have made un-spoofable, which is going to be a honeypot for scammers. Hopefully they’ll change course on that.