What is Proximus doing to counter online and telephone fraud?

We have all probably experienced it: you receive a text message or e-mail with a link on which you are supposed to click, like "your package is on the way", although you have not ordered anything… Then you are asked to enter all kinds of personal data, codes and passwords. This is how criminals gain access to your account and steal your money. It also happens by phone: they call you and persuade you to share your passwords and bank account details.

What is Proximus actually doing to counter this fraud? To find the answer to that, I contacted my colleague Patrick Coone, incident and communication manager in Customer Operations.

KRYSTINA SFERLAZZA

Patrick: I am the communications manager for the residential market. In the event of major incidents with a high impact, we intervene both externally (our customers) and internally (stores, field employees, call centers, etc.). I am also the liaison between IT and the press department - it’s a matter of being able to communicate with our customers quickly and efficiently. We also are in daily contact with the investigation and regulatory authorities that deal with fraud cases. Another very important factor is that you have to be able to think like a fraudster: "If I was a fraudster, what could I do with this? How much could I make out of it?".

Krystina: That sounds as if there is more to it than just extracting data?

Take the mass spoofing over the past few days: they call you and play an automated message, saying that the bank details have been compromised and you have to press a key to be transferred to a federal agent. There is a risk that a customer will do this, and the defrauder will then try to extract data. That's dangerous, but what really matters to them is trying to create a database that allows them to check 'is the number we're currently targeting active or not?' If this is confirmed, and that’s very simple by simply answering or a voice mail arriving, then that number can be flagged as active. They can even tell who your provider is. When you call from abroad, you get a different kind of ring tone and that can be identified via a robotic mechanism as a number from Telenet, Proximus, etc. Also on the basis of the voice mail. The voice we use, the announcement itself is different for each operator and the robot mechanism can recognize that too.

This way they can make constant improvements to make them come across as more credible…

What they do is build lists and those lists are worth their weight in gold. They then sell these on the dark web with fraudsters paying anything from €1,000 to €10,000 for them. Suppose you, as a fraudster, wish to launch a smishing campaign or something similar: you simply look for lists which you are sure do not contain any false positives or at least as few as possible. And here they’re compiling a Belgian list of active customers, both fixed and mobile, which is 100% correct. They can then use this in the coming weeks, months and years for all kinds of malicious campaigns.

As a community manager, I sometimes read comments such as the following from customers when they have received a suspicious call: "I really pranked this guy! I answered and said: police department Louvain, how can I help you? He got quite a shock!" Or: "I kept him busy." That certainly doesn't seem advisable to me?

No, absolutely not. When you answer they have even more details. This is a Dutch-speaking customer for example and you also mention the name of a city where you probably live. Not a good idea at all. Customers should always pass on suspicious numbers to us for analysis.

Can we do something about it?

It's very complex and I'm going to try to answer this as best I can without sharing too many important details because we need to be aware that people with less good intentions may also read this of course. The classic spoofing incident goes like this: A customer notices that his or her number is being hacked - for example he or she receives one or more phone calls with the message that his or her call was missed although the customer had not called these numbers. The person calls Proximus to report this. The Proximus agent notes 3 important parameters: the customer's number, the number he/she allegedly called and the time. He forwards this to the 'spoofing' mailbox. They conduct an initial investigation and, if it turns out that something is indeed wrong, they forward it to us and the colleagues at the NMC (Network Monitoring Center). They open a ticket asking for an investigation and for this traffic to be stopped as soon as possible.

And why do we not block those numbers immediately after a certain number of reports? Certain smartphone vendors can also do this, right?

Nowadays, manufacturers have software in their devices that allows you to report numbers, so you can pass a call on as being suspicious. Some allow even more. For example, you can even indicate what kind of scam it is and what kind of call it was (e.g. Microsoft scam call). If the same number is repeatedly indicated as being involved in fraud, they will then forward that number to their database with the result that other customers will see the message: caution: fraud call, scam call. The numbers are therefore intercepted on the device itself, but they are not actually blocked. We also have the ability to block ranges of numbers, but this is simply not allowed in Belgium. There must be a valid reason for this. There are a lot of genuine customers behind a lot of these spoofing numbers. So if we block these just like that, all of those customers will suddenly no longer be able to make calls. So it's not that simple.

Safeonweb, with the support of all telco operators

‘Unity is strength’ is Belgium's national motto and it could just as well be that of the Belgian operators.

The national system to which our citizens can send phishing mails was expanded last December so as also to allow the forwarding of text messages. After analysis by Safeonweb, the websites confirmed as phishing will be forwarded in real time to the operators, which will then block the links. This project is called BAPS (Belgian Anti-Phishing Shield).

Proximus is currently the only operator that blocks all phishing sites received by the CCB (Centre for Cybersecurity Belgium) in (almost) real time. The aim is for all operators to be able to do this by the end of this year. Of course the defrauders continuously modify their texts in order to circumvent these blocks. But the telecom operators remain vigilant!

In this story, a customer needs to report such an incident to the operator, while we have one central point for phishing, i.e. Safeonweb. Would it not have been easier to report all forms of fraud to one central point?

Safeonweb will not intervene in the spoofing incident. They do not focus on voice-related fraud but rather on everything that is cyber-related fraud and that is why they intervene with text messages, MMSs and e-mail, because they contain URLs. People can report phishing or smishing via suspicious@safeonweb which is backed up by an engine that will recognize and investigate such URLs. When the engine detects phishing or other suspicious sites it collects them and then forwards them and translates them into IPs and DNSs. They are then forwarded to the ISPs (Internet service providers, such as Proximus) with the request to take the relevant pages offline and replace them with the BAPS page, the warning page to alert the customer that the URL for which he or she is looking is a fraudulent page. But they can't do this for voice as they do not have a voice analytics module and cannot perform any checks in our network. This is done by the operator itself.

Warning page showing that a website you want to visit is malicious
(example of a rogue site that has been taken offline)

What a lot of people do not know is that we work very well with the other operators in this context; we may be competitors but we are fighting the fight against criminals together. In the context of combating fraud it is important for all operators and parties to work together. Everyone who benefits from it should be involved because a fraudster does not stay with one party and will indeed turn the whole telco world upside down. And that is why we work very closely with the various operators, the Belgian Institute for Postal Services and Telecommunications (BIPT, which is the link between all operators) and the CCB (Centre for Cybersecurity Belgium, the administrator of Safeonweb) when it comes to major forms of fraud. Meetings are regularly set up for us to share information and consult with each other. What can we do? How can we inform people better? We also exchange data with each other about scenarios and actions that we can undertake together. Based on such exchanges we can learn things from each other in order to do even better.

We have already worked together a few times in my role as CM, on major malfunctions as well as in relation to fraudulent messages. We then started to warn our customers effectively on social media channels. I do not think that that had ever happened before. Do you think we are doing well in terms of communication or is there still room for improvement?

I believe that we are a role model in the field of communication. We had had so many reports of fraud at one point and decided to communicate this on our social media channels. We then also alerted Safeonweb, and they wrote about it too and sent notifications to their users. At a certain point in time however it became such a big issue that there was a real need to spread this wider and also let the media report on it so as to warn and inform the public at large. We then called in BIPT and the CCB with the request to inform the media accordingly. And they then did this in an effective manner. We adapted to the situation really quickly.

Examples of Proximus warning for phishing, published in different media

One last question, please. How do you see the fight against fraud in the future? The fraudsters are getting increasingly smarter.

It’s not only the fraudsters that are getting smarter; so are we, and when we join forces it certainly makes us strong! Because the cooperation between operators and cyber defense centers has also grown much stronger in recent years. And not only in Belgium, but also internationally. We continue to invest in new technology, where machine learning and AI will play an especially important role. These are things that we did not have available in the past, but which have fortunately undergone huge development in recent years and will provide us with the necessary support in analyzing new patterns. It will remain a challenge to continue to identify and recognize the ever-changing patterns of the fraudsters.

A Community Manager? What's that? For those who don’t know what a CM does, allow me to explain briefly.

A community manager protects the reputation of the company on social media, really listens to the questions and feedback from the community, and ensures that the internal teams use this input to improve the services.

And now let me use our customers' feedback as the inspiration for my first blog post "What is Proximus doing to counter online and telephone fraud?"