Decoding the world of cybersecurity

Ofcom moves messaging controls upstream

New Ofcom rules require mobile operators and messaging aggregators to strengthen sender verification, traffic monitoring, message blocking, and incident management across the business-messaging supply chain.

Ofcom moves messaging controls upstream
Summary
  • Mobile providers must collect scam indicators, block malicious numbers and messages, and restrict high-volume use of some pay-as-you-go services.
  • Business-messaging providers and aggregators face stronger customer checks, traffic monitoring, and sender-identity requirements.
  • Accountability is moving towards the intermediaries that onboard senders and carry messages at scale.

Ofcom has finalised rules requiring UK mobile operators and business-messaging intermediaries to strengthen sender checks, monitor traffic, block malicious messages, and respond more consistently when their services are abused.

The measures cover person-to-person messages and the bulk business-messaging services used by banks, retailers, delivery companies, government bodies, and other organisations to contact customers.

For person-to-person traffic, mobile providers will have to collect information about scam numbers, links, and content from customers and anti-fraud organisations. They must use that intelligence to block numbers associated with abuse and stop messages containing identified malicious links or telephone numbers while they are in transit.

Providers must also introduce volume limits for pay-as-you-go SIM cards, restricting the use of individual connections for mass messaging. The measure operates beside the government’s prohibition on SIM farms and commitments made through the Fraud Sector Charter.

Business messaging presents a different identity problem because a message can display an alphanumeric sender name rather than an ordinary telephone number. Ofcom’s new framework requires mobile operators and aggregators to conduct initial and continuing checks on senders, examine account activity, and investigate reports of fraud.

Providers must corroborate sender identities against information about the organisation and maintain policies for protected or generic names. Incident-management procedures must support the blocking of malicious sender identities, links, and numbers when abuse is identified.

Separate guidance says telecoms companies should withhold caller identification from international calls that appear to originate from a UK mobile user roaming abroad unless the number can be verified.

Sender names become controlled identities

Business messaging relies on the name displayed on the recipient’s handset. A message carrying the identity of a bank, delivery company, or public body may be grouped with legitimate correspondence, making an unauthorised sender name more persuasive than an unknown telephone number.

Control of that identity has often been distributed among brands, communications providers, aggregators, resellers, and platform suppliers. Weak onboarding at any stage can allow a criminal customer to obtain a channel that appears authoritative.

Ofcom’s approach places responsibility on the companies with visibility of sender registration and traffic patterns. Initial customer checks establish who is requesting the service, while continuing monitoring tests whether subsequent activity remains consistent with its declared purpose.

Neither control is sufficient in isolation. A legitimate company account may be compromised after onboarding, while a previously low-risk sender can change its behaviour. Providers need thresholds and investigative processes that detect unusual destinations, message volumes, links, timings, and deviations from expected activity.

Organisations using business messaging also need clear ownership of their sender identities. Procurement and communications teams should know which aggregators and resellers are authorised, how abuse is reported, and how quickly a compromised sender name can be suspended throughout the chain.

Fraud prevention depends on security controls

Ofcom estimates that mobile operators already block more than 600 million scam messages a year, while four in ten UK mobile users reported receiving at least one suspicious message during the previous three months. Fraud accounted for an estimated 45% of reported crime incidents in England and Wales, with £1.28 billion lost during 2025.

The measures address fraud, but the required capabilities overlap with enterprise security: identity verification, behavioural monitoring, threat intelligence, incident response, third-party governance, and evidence retention.

Blocking will not eliminate malicious messaging. Attackers can move between providers, compromise legitimate accounts, change content, or use channels outside the mobile network. Providers will need controls that adapt without producing unacceptable delays for genuine communications.

False positives also carry operational costs. Blocking a legitimate bank alert, healthcare message, or public-service notification can prevent time-sensitive communication. Governance should establish how decisions are reviewed, how senders appeal, and how urgent services are restored.

Consistent application across operators and aggregators will determine whether the framework reduces abuse or simply redirects it towards intermediaries with weaker checks. Sender identity is now part of an authentication chain whose failure can expose customers and damage the organisation whose name appears on the message.

×