The connected menaces of spam calls – unsolicited commercial communications (UCCs) – and scam calls, designed to cheat citizens, have reached unprecedented levels lately. Millions of UCCs and thousands of cyber scams take place every day.
India recorded over 1.7 million cybercrime complaints and losses exceeding Rs 110 billion in the first nine months of 2024. This estimate is lower than the actual losses, since it does not account for spam-related losses and undetected or unreported scams. Moreover, these incidents not only result in a waste of time and money, but they also undermine faith in digital infrastructure by exploiting the ease of data transfer and digital payments.
Stakeholders and regulators are working together to tackle these twin menaces. One of the key initiatives is the creation of the Financial Fraud Risk Indicator (FRI) by the Department of Telecommunications (DoT). The FRI is an analytical tool launched on DoT’s Digital Intelligence Platform, which is designed to help financial institutions by providing intelligence on cyber fraud prevention. The FRI classifies mobile numbers in three categories based on the risk of financial fraud: medium, high, or very high. It will enable banks, UPI service providers and financial institutions to take additional customer protection measures. According to DoT, the classification uses inputs from various sources, including the Indian CyberCrime Coordination Centre, the National Cyber Crime Reporting Portal and DoT’s Chakshu platform, as well as intelligence shared by banks and financial institutions. DoT also shares mobile numbers that have been disconnected for being involved in cybercrime, failing reverification and exceeding prescribed limits. Since mobile numbers misused in cyber frauds are typically active for only a few days, and full verification can take several days, an advanced risk indicator is crucial. As soon as a mobile number is flagged by a stakeholder, it undergoes multi-dimensional analysis and classification, and the rating is shared immediately.
The integration of FRI into customerfacing protection systems is expected to become an industry standard. PhonePe, Paytm and Google Pay, which collectively account for over 90 per cent of UPI transactions, have started integrating these alerts into their respective protection systems. PhonePe has started to decline transactions linked to very high-risk numbers and it displays an on-screen alert for medium-risk numbers.
The data shared by PhonePe indicates that the model is working well so far, since the classification seems to be accurate. Accuracy is essential since false negatives leave users exposed to fraud while false positives penalise legitimate transactions. Since UPI is the most popular payment method, this intervention could save millions of citizens from falling prey to fraud. DoT must continue to fine-tune the FRI mechanism to increase accuracy and reduce response time as far as possible.
Several private-public initiatives have been taken for consumer and enterprise protection against spam and cybercrimes. Bharti Airtel, for one, is attempting to stitch together a joint initiative for real-time detection and mitigation of telecom fraud. While it has already implemented an in-network fraud detection system that actively blocks scam links on its networks, the current protections remain insufficient, given that scammers exploit network-level vulnerabilities and switch easily between OTT platforms such as WhatsApp, Telegram and SMS. To address this, Airtel has reached out to private telcos Reliance Jio and Vodafone Idea, and formally presented a plan to DoT and the Telecom Regulatory Authority of India (TRAI). The plan envisages an interoperable, shared solution across all telcos to create a safety net that works for all users, regardless of which operator is hosting a given user. It outlines a national framework for fraud intelligence sharing, scam URL blacklisting, cross-network coordination and centralised fraud detection. The initiative is ambitious, but if executed as conceptualised, it could offer scalable protection across the entire domain of telecom fraud detection. At present, telecom fraud detection and protection are siloed across operators. A unified fraud detection layer could protect digital transactions and users at scale, and enable safer use of the internet.
Even globally, such a system does not exist and operators are siloed in all major markets. While various regulators have introduced different initiatives, integrated fraud data sharing is not a prevalent practice. In the US, for instance, the Federal Communications Commission mandates caller ID authentication but lacks integrated fraud data sharing. The UK regulator, Ofcom, requires telcos to block spoofed international calls, but the execution varies from operator to operator. Singtel in Singapore offers fraud prevention tools but largely targets enterprise clients. In Korea, SK Telecom’s ScamVanguard blocks over 1.3 million scam incidents monthly, but operates as an independent entity.
If India implements this concept, it could become the first large market to have a unified fraud detection framework. Of course, the legal and regulatory ramifications of such data sharing would have to be carefully thought through, apart from the technical complexities involved in creating such an interoperable system.
Airtel’s current in-network protection uses an artificial intelligence-based tool to scan internet traffic, cross-check global repositories and its own database of threat actors in real time, and block fraudulent websites. This has been under trial for six months and the company claims “a remarkable level of accuracy”.
Typically, an operator would use this as a marketing tool to differentiate itself and gain a competitive advantage by building trust and ensuring security. In trying to build a unified platform, Airtel is playing for a bigger role in terms of policy leadership, and success depends on adoption by competing networks. If Jio, Vodafone Idea and Bharat Sanchar Nigam Limited come on board, this initiative could revolutionise the industry and set a new global benchmark.
It will be important to review and amend existing rules and regulations to ensure that any such solutions are both effective and legal. In August 2024, TRAI released a consultation paper proposing a review of “The Telecom Commercial Communications Customer Preference Regulations, 2018” (TCCCPR-2018) in order to tighten regulations against UCC. The TCCCPR-2018 has failed to prevent spam and clearly needs an overhaul.
In June 2025, TRAI launched a pilot for banks and telecom companies to test solutions for gathering and managing user consent. The approved solutions will allow telcos to verify consumer consent in real time before connecting or delivering commercial calls and messages. This is the latest move and experts say it may overlap with the data protection law but is not in conflict with it.
It is an attempt to create a framework to validate the current aspects of consent registration, and lay the foundation for sector-wise scaling. For instance, TRAI aims to curtail the practice of collecting mobile numbers through unauthorised data-sharing practices, which leads to spam. The TCCCPR relied on a consent mechanism that allowed users to control what messages they received, but it failed due to gaps in enforcement and limited industry adoption.
No doubt businesses will face initial costs while adapting and upgrading their systems to adopt the new mechanism. Also, it does not cover OTT, which could be a critical gap. Since the consent framework currently applies only to SMS and voice communications, it will not tackle scams and unsolicited promotions originating on OTT apps.
When it comes to spam, the government has strengthened know-your-customer frameworks, mandating indisputable verification of each point of sale (PoS) by telecom service providers (TSPs) while issuing a SIM. TSPs are also mandated to blacklist non-compliant PoSs across TSPs and reverify users enrolled by such PoSs. These measures have led to the disconnection of millions of mobile connections using fake documents or failing reverification.
TRAI has also proposed that differential tariffs should be imposed for SMSs and voice calls above a certain number. For example, subscribers making over 50 calls per day or sending out over 50 SMSs daily could be flagged. Differential tariffs may raise the cost of commercial communication using 10-digit numbers and may, therefore, force unregistered telemarketers to adopt 140-series numbers, which are distributed ledger technology platforms, where consent is mandatory.
The regulation of OTTs remains a point of contention. A large chunk of spam and scam incidents comes through OTTs. Apart from this, the whitelisting/consent system can cause glitches in receiving one-time passwords (OTPs), which are often time sensitive. The entire digital economy, including banks, insurers, credit card issuers and other service providers such as government service providers, depends on OTPs, which must be generated “on the fly”. Technical solutions must be developed to ensure that SMS consent registration does not upset the well-established process.
Regulators and policymakers need to examine the UCC and scam epidemic to regulate the illegitimate usage of telemarketing. UCCs are economically viable even with a small “strike rate”.
The regulators have to find a balance in flagging spammers and scammers. In an ideal system, explicit user consent would be necessary, compliance would not be difficult and the cost of compliance would not escalate, impacting legitimate marketers. The new initiatives could help establish such an ecosystem.
Devangshu Datta
