This is a true story.
A friend’s wife received a call from someone claiming to be from the ATO. The caller was aggressive and convincing. He told her that her husband had been arrested for tax fraud and, because of the “seriousness” of the case, the family was now under government surveillance.
Then came the demand: pay $5,000 to secure his release.
She was terrified and only moments away from sending the money.
The transfer was stopped for one reason only: her daughter happened to be home, called her father, and confirmed it was a scam.
That detail matters. The thing that saved them was not a bank control, a telco safeguard, or a platform warning. It was luck.
Scams are designed to overwhelm judgment. They create urgency, authority, and fear so that normal people act before they can think. If our only defence is “be more careful,” then we are asking consumers to win a psychological battle that scammers have spent years refining.
That is why the Scam Prevention Framework (SPF) matters. Its biggest idea is simple: scam prevention should not sit only with the victim. It should be built into the systems scammers depend on — banks, digital platforms, and telcos.
In this post, I want to focus on the telco side of that equation. Broadly, the SPF pushes telcos to work across three layers:
- Prevent
- Detect
- Disrupt
Scam Prevention Framework friction layers
What counts as a scam under the SPF?#
At a high level, a scam includes attempts to deceive a consumer into:
- making a payment to a scammer using a regulated service, such as a bank transfer, or
- giving personal information to a scammer using a regulated service, such as a phishing message on a digital platform.
Importantly, an attempt can still count as a scam even if it fails and no money is lost.
That matters because the SPF is not only about compensating victims after harm occurs. It is about increasing friction before the harm occurs.
Why telcos matter#
Telcos sit on one of the most important scam pathways: calls and messages.
They may not control the scammer’s script, but they do control parts of the infrastructure that lets a scam reach a consumer at scale. That means they are in a position to do more than simply pass traffic through the network. They can verify, filter, flag, block, and share intelligence.
The SPF reflects that reality.
1. Prevent: stop the scam before it reaches the customer#
The strongest anti-scam control is the one the customer never has to think about.
Verify legitimate use cases for high-risk services#
Some business communications features are perfectly legitimate. For example, a real estate agency may want calls from dozens of staff mobiles to display the agency’s main office number. That can improve consistency and call-back rates.
The same capability, however, can be abused by a scammer trying to make a call appear to come from the ATO, a bank, or a parcel delivery company.
Under the SPF approach, telcos are expected to verify that a customer has a genuine reason to use these services and a legitimate connection to the number or brand being presented. The goal is to make number spoofing harder before it becomes a consumer problem.
Filter phishing content in SMS and MMS#
Telcos are also expected to use technical controls to detect and block malicious messaging content, especially phishing links delivered by SMS.
Modern messaging firewalls can inspect traffic patterns, message content, sender behaviour, and embedded URLs. They can compare links against threat feeds, blacklists, and domain reputation signals to identify suspicious campaigns quickly.
The aim is straightforward: if a message contains a known malicious link, it should be stopped before a consumer ever taps it.
Protect brands and prevent sender impersonation#
One of the most effective scam tactics is pretending to be a trusted brand. A fake message that appears to come from a bank or from Australia Post has a much better chance of working than a random spam text.
That is why brand and number protection matter.
Telcos are increasingly expected to stop criminals from:
- using a telco’s own brand or official numbers in scam messages,
- spoofing the phone numbers of legitimate organisations, and
- sending branded SMS without proper verification.
As sender ID controls tighten, including the move toward a mandatory SMS Sender ID Register, unverified branded messages should become easier to label, filter, or block. That does not eliminate impersonation, but it does raise the cost of doing it at scale.
Educate customers#
Consumer education is the lightest layer of defence, but it still matters.
Scam awareness pages, alerts about current scam trends, and referrals to trusted sources such as Scamwatch help customers recognise common tactics. Education alone is not enough, but as part of a broader system it still has value.
2. Detect: identify suspicious behaviour early#
Not every scam can be stopped at the front door. Detection is about recognising suspicious behaviour while it is happening.
Analyse traffic patterns#
Telcos can look for network-level signals that are commonly associated with scam activity, including:
- bursts of bulk communications from a new number, service, or device,
- sudden spikes in call volume from a single source,
- repeated short-duration calls that may indicate robocalling,
- calls or messages originating from invalid numbers, or
- traffic linked to numbers on “do not originate” lists.
A single signal may not prove a scam. But when several appear together, they can provide a strong basis for investigation or intervention.
Identify customers who may be engaging with a scam#
Detection is not only about spotting the scammer. It is also about spotting the potential victim.
If a suspicious SMS campaign goes out, telcos may be able to identify customers who replied, clicked, or called back. If a scam number is active, they may be able to identify customers who had meaningful engagement with it.
That creates an opportunity for targeted intervention: warnings, blocks, or escalation to other providers before more harm occurs.
3. Disrupt: act quickly once a scam is identified#
Prevention and detection only matter if they lead to action.
Block or withdraw scam-linked numbers#
Where a calling line identifier (CLI) or sender is confirmed to be linked to scam activity, telcos can block calls and messages from that source. In higher-risk situations, they may also temporarily withdraw or suspend a service while they investigate.
This is one of the clearest ways to turn intelligence into protection. A blocked number cannot keep reaching fresh victims across the network.
Cooperate on traceback#
Scam traffic rarely stays within one network. Calls and messages can cross multiple providers, making origin tracing difficult.
That is why traceback cooperation matters. Telcos need to work with one another and with regulators to identify where scam traffic actually started and where intervention will be most effective.
The SPF also supports more decisive action by giving providers a degree of legal protection when they act in good faith on high-risk scam intelligence during an investigation window. That matters because hesitation helps scammers.
Use shared scam intelligence#
Scam prevention becomes far more effective when intelligence moves quickly across the ecosystem.
If a bank, digital platform, regulator, or another telco identifies a scam number, domain, or pattern, that intelligence can help telcos suppress related traffic across their networks before the same campaign spreads further.
In practice, this means one reported scam can lead to many blocked scam attempts — which is exactly how systemic defence should work.
Will this be enough?#
Not on its own.
Scammers adapt quickly. They rotate SIMs, change numbers, shift channels, and lean on stolen or synthetic identities to reopen access. Every layer of friction creates pressure, but none of it is permanent.
Still, that does not make the SPF ineffective. It makes the SPF necessary.
The real shift here is not that telcos will suddenly stop every scam. It is that scam prevention is no longer framed as a problem for the individual consumer alone. The burden is moving upstream, toward the organisations that operate the infrastructure scammers exploit.
That shift also changes incentives. With shared liability in the system, providers have a stronger reason to invest in controls, improve detection, and act earlier. Scam defence becomes part of operational responsibility, not just customer education.
SPF will not eliminate scams. But if it makes impersonation harder, phishing less scalable, and disruption faster, that is a meaningful change. The goal is not perfection. The goal is to make scams harder to deliver, harder to scale, and less profitable.