The MCA outlines a suite of new measures to tackle the increasing volume of scam calls coming from abroad, while plugging gaps in its existing regulation

Impersonation scams undermine trust in domestic telephone numbers

On 11 April 2024, the Malta Communications Authority (MCA) issued a decision notice on a range of preventative measures to tackle Calling Line Identification (CLI) spoofing and ‘vishing’ scams. While fraud based on CLI spoofing technology is on the rise globally, criminals are increasingly relying on spoofing Maltese numbers to trick victims into revealing personal information over the phone – a practice known as vishing, or voice phishing. According to the MCA, such impersonation scams abuse victims’ knowledge of, and trust, in locally-known numbers, which can have a negative impact on the telecoms market as a whole. In September 2023, the regulator launched a consultation on a framework of measures – to be introduced at a network level – to combat the misuse or unauthorised use of numbers, receiving feedback from six respondents.

Network-based blocking measures target calls originating from abroad

Having taken stakeholder input into account, the notice outlines a series of actions aimed at identifying, and subsequently blocking, potential scam calls received in Malta over international network interfaces. The focus on this type of call reflects the fact that the majority of scam calls are received from abroad. The MCA is requiring that local providers operating Malta’s international links with foreign operators implement specific “rule-based filters” to block calls likely to be fraudulent. For example, operators will be required to block calls where the calling party number is invalid (starts with ‘3’ or ‘6’) or not permitted (‘5’), as well as calls directed towards Maltese numbers where the calling party uses another Maltese number starting with ‘1’, ‘2’ or ‘8’ but where the calls are received from abroad. The MCA has set a deadline of 1 November 2024 for the new rule-based filters to come into effect.

New obligations will resolve a current gap in the regulation of ‘overseas solutions’

The decision notice also addresses the use by businesses and organisations of ‘overseas solutions’, which use internet- or cloud-based apps or services, and allow call origination towards other phone numbers without relying on local service providers. The calling party would use a number assigned by the local operator as their CLI (a practice known as ‘decoupled call origination’) to properly identify itself to the recipient and to facilitate any call-back. Overseas solutions are generating a large volume of calls from abroad bearing a Maltese number, but no operator is currently regulated in how it provides decoupled call origination, with the MCA not in a position to enforce any specific requirements (e.g. subscriber validation) on them. To ensure businesses and organisations can keep using these services legitimately, the MCA is introducing obligations to regulate the decoupled use of specific Maltese numbers in such overseas solutions, as well as requirements for providers to notify the MCA that they are offering such services and implement subscriber validation processes when using Maltese numbers.

Awareness will be key to the success of the MCA’s interventions

In announcing its package of measures, the MCA noted a concerted effort among stakeholders to raise awareness of malicious communications and on how to avoid them. The regulator publishes content itself for the same purpose, including articles on its website and promotional material posted on social media. While such campaigns will continue to play a role, the MCA has also committed to raising awareness about the implications of the blocking measures and facilitating compliance with them, and will engage in outreach efforts to educate stakeholders. Meanwhile, local service providers will be required to notify subscribers about the forthcoming changes and their potential impact.