IT NEWS

Why you should upgrade to Windows 11 now, and how to do it

I know many of us love(d) Windows XP and Windows 7 almost as much as we dislike Windows 10 and 11, but if you want to stay secure on Windows, the time to bite the bullet is closing in fast.

Support for Windows 10 will end on October 14, 2025, which means the only Windows version that will continue to receive updates after that date is Windows 11.

Why you should upgrade

Using an out‑of‑date Windows version leaves you exposed to threats designed for yesterday’s flaws. Each Windows update patches known vulnerabilities, some of which might already be used by cybercriminals, so closing those gaps as soon as possible is important. When official support ends, so do the security updates that help keep criminals out.

Through its updates, Microsoft also steadily adds new protection features, like better firewalls and improved warnings, which will never make it to older versions of Windows.

Security software is built for the latest, safest codebase. While programs may support older Windows versions, you may be missing out on some of the options, simply because the older Windows version does not support them.

Other programs may also be unavailable if you are sticking to an old Windows version.

How to upgrade

If you’re on Windows 10, then the upgrade to the equivalent version of Windows 11 is free, but that only works if your computer meets the minimum system specifications. If not, you’ll either need another computer or you can explore other options.

You can check if your Windows 10 computer is eligible to upgrade for free to Windows 11 by selecting the Start button, then going to Settings > Update & Security > Windows Update. If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Before upgrading or switching, always do a complete backup of your system and all personal files. If something goes wrong, you’ll be glad you took this extra step.

Windows does retain your old operating system (OS) for up to 10 days after upgrading, letting you revert if problems pop up. After that period, rolling back means a clean install and restoring from backup.

At Malwarebytes, we want you to stay safe and secure, regardless of which operating system you use. While Malwarebytes continues to support Windows 7 and higher at this time, we strongly recommend updating to the latest operating system to ensure you receive the full protection and latest features we offer.

Make sure to have a plan ready before October 14, 2025 and be aware that doing nothing is also a choice, even though it may not be the best one.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update your Android! Google patches 111 vulnerabilities, 2 are critical

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin.

While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July.

The September updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication; however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.

If your Android phone shows patch level 2025-09-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

Technical information

Google notes that:

“there are indications that the following may be under limited, targeted exploitation.

CVE-2025-38352

CVE-2025-48543”

But it doesn’t provide any details about how and against whom these vulnerabilities were used. So, let’s have a closer look at those two first.

CVE-2025-38352 is a race condition vulnerability in the Linux kernel time subsystem, which may allow a local attacker to gain an elevation of privilege (EoP).

A race condition vulnerability arises when different threads (processes or programs) use the same resource without being synchronized. This creates a brief period, the race window, during which an attacker could exploit the flaw.

In this case the resource is the CPU time, the amount of time that a central processing unit (CPU) was used for processing instructions of a computer program or operating system.

A “local attacker”, which can also be an installed app or shell, could exploit this vulnerability to gain permissions it would normally not get or have.

CVE-2025-48543 is a vulnerability in Android Runtime. The Android Runtime (ART) is the system responsible for running applications on Android devices. Basically, it translates instructions into machine code which the processor understands. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

And then there is the vulnerability tracked as CVE-2025-48539. This critical vulnerability was found in the System component and could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed and no user interaction required.

The part where the description says remote (proximal/adjacent) is a bit of a mystery, but our best guess is this means an attacker could compromise a device from a short distance, so it might be by means of Bluetooth, NFC, or Wi-Fi Direct.

This type of vulnerability always makes researchers nervous, because it could be “wormable,” meaning it can spread from one device to the next. And if that is true, it can spread like wildfire in crowded environments like concerts and conferences.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

PayPal users targeted in account profile scam

A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena.

A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.”

We decided to see what the scammers are after. First thing to do is to look at the headers:

email header looks legitimate

The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is a real PayPal address, but the scammers have spoofed it.

Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.

So it’s hard for the everyday user to tell if the email has been spoofed or not.

There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like my co-worker’s. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknown-domain}.test-google-a.com, instead of their own.

The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice. So, that’s red flag #1.
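The header checks described above can be scripted. The following is an added example, not part of the original article: it flags a recipient that is not the reader's own address, a recipient under the test-google-a.com suffix, and a missing or failing DMARC verdict. The addresses, the mail server name mx.example.org and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

LIST_SUFFIX = "test-google-a.com"   # recipient suffix described in the article
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def triage_headers(raw: str, my_address: str, trusted_authserv: str) -> list[str]:
    """Return the header-level red flags found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # The displayed From is whatever the sender typed; keep its domain only
    # so the DMARC verdict below can be tied to it.
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()

    # Red flag #1: the message is addressed to a list, not to the reader.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [a.lower() for _, a in getaddresses([str(h) for h in headers])]
    if my_address.lower() not in recipients:
        flags.append("recipient-mismatch")
    for addr in recipients:
        domain = addr.rpartition("@")[2]
        if domain == LIST_SUFFIX or domain.endswith("." + LIST_SUFFIX):
            flags.append("test-domain-recipient")
            break

    # Only believe Authentication-Results stamped by our own mail server:
    # a sender can insert a forged copy of this header.
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        if authserv.split()[:1] != [trusted_authserv]:
            continue
        for method, result in AUTH_VERDICT.findall(results):
            verdicts.setdefault(method.lower(), result.lower())
    if "dmarc" not in verdicts:
        flags.append("no-trusted-dmarc-verdict")
    elif verdicts["dmarc"] != "pass":
        flags.append(f"dmarc-{verdicts['dmarc']}:{from_domain}")
    return flags


def sample(to: str, auth: str) -> str:
    """Build a constructed message; nothing here is copied from a real email."""
    return (
        "From: PayPal <service@paypal.com>\n"
        f"To: {to}\n"
        "Subject: Set up your account profile\n"
        f"Authentication-Results: {auth}\n"
        "\n"
        "(body omitted)\n"
    )


ME = "reader@example.org"            # constructed reader address
MX = "mx.example.org"                # constructed name of the reader's mail server
LIST_TO = "team@lists.example-shop.test-google-a.com"   # constructed list address

SPOOFED = sample(LIST_TO, f"{MX}; spf=fail smtp.mailfrom=example.net; "
                          "dmarc=fail header.from=paypal.com")
FORGED_STAMP = sample(LIST_TO, "mx.unknown.example; spf=pass; "
                               "dmarc=pass header.from=paypal.com")
CLEAN = sample(ME, f"{MX}; spf=pass smtp.mailfrom=paypal.com; "
                   "dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("forged stamp", FORGED_STAMP),
                      ("clean", CLEAN)]:
        print(name, triage_headers(raw, ME, MX))
```

An empty result only means the headers raised no flag; it says nothing about where the links in the body lead.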

When looking at the email itself, the subject line has nothing to do with what the email is asking the target to do. That’s red flag #2.

The Paypal account profile set up email

Set up your PayPal account profile
New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.
Your user ID: Receipt43535e
Use this link to finish setting up your profile for this account. The link will expire in 24 hours.”

The layout of the email looks convincing enough, likely copied from an actual PayPal email.

The content however is typical for a phishing email:

  • Urgency: The link will expire in 24 hours.
  • Amount: Over $900 to grab your attention.
  • Crypto wallet: most people have only a vague notion of how crypto wallets work, so they don’t see the lie immediately. And Kraken.com is a crypto trading platform, so there is no discrepancy there.
  • The phone number listed is known by the Better Business Bureau as related to this type of scam
  • The recipient is not addressed by name in the email. Legitimate PayPal emails will always address you by your full name or business name, never generic greetings like “Dear Customer” or “Dear User”, or none at all as in this example.

Red flags #3, 4, 5, 6, and 7.

The language used in the email is not perfect, but also not bad enough to stand out like a sore thumb. We have discussed in the past how AI-supported spear phishing fools more than 50% of targets, so looking for spelling errors is often not helpful these days.

But now comes the part which showcases the sophistication level of this scam. The link behind the button in the email actually goes to PayPal.

link to paypal.com

However, the effect is different from what the target of the phishing email would expect. They are not going to set up a profile nor dispute a payment.

By clicking the link in the email, the target starts the routine to add a secondary user to their PayPal account. The danger here is that a secondary user can issue payments. In other words, the scammer would be able to clean out your PayPal account.

PayPal has over 434 million active users so for phishers that’s a large target audience. To make their attacks more targeted, some groups of phishers will buy or steal large databases of email addresses that are associated with PayPal accounts or which have previously interacted with PayPal services.

How to stay safe

As far as we could determine this campaign has been running for a month or more. Here are some tips to help you avoid being caught out:

  • Look out for the red flags above.
  • Always search phone numbers and email addresses to look for associations with known scams.
  • Go directly to PayPal.com to see if there are any messages for your account.
  • Enable two-factor authentication (2FA) to add an extra layer of security to your PayPal account and help prevent scammers getting in.
  • Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Tax refund scam targets Californians

The State of California Franchise Tax Board (FTB) recently issued a warning to taxpayers to protect themselves from tax scams. In their warning the FTB states:

“Recently, the FTB received reports of a scam targeting taxpayers through text messages that appear to be from FTB. These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information. The scam aims to trick taxpayers into providing personal details and credit card information.”

As if to prove their point, one of my co-workers received this text message.

example tax scam text

“State of California Franchise Tax Board (FTB)

Your tax refund claim has been processed and approved. Please provide your accurate collection information before September 01, 2025.

We will deposit the money into your bank account or email paper check within 1-2 working days.

{link}

Failure to submit required payment information by September 01, 2025 will result in permanent forfeiture of this refund under California Revenue and Taxation Code Section 19322.

Just reply with ‘Y’, then close and reopen the message to make the link work. If that doesn’t do it, copy the link and paste it straight into Safari.

California Franchise Tax Board|Sacramento, CA|Official State Agency”

The links that we found for this campaign are designed to look legitimate by using ftb.ca, ftb.gov, or ftb.cagov in the URL. The sites are designed to mimic the official version of certain FTB web pages, but in reality they are designed to steal your personal and banking information.

How to tell if a message is a scam

This type of scam is not limited to California or even to tax returns, so this advice is good for everyone. Here are some scammy signs to watch out for:

  • Suspicious domain names: Official tax authorities only use domains ending in “.gov”. Any link leading to “ftb.ca-nt.cc” or other odd-looking domains is a major red flag.
  • Urgent or threatening language: Scammers often try to rush recipients with claims like “permanent forfeiture of your refund” and tight deadlines.
  • Requests for sensitive personal or financial information: Legitimate agencies never ask for bank account info or other private details via text message.
  • Promised instant rewards: Messages offering immediate deposits should not be trusted.
  • Odd instructions for opening links: Watch out for steps like “reply with ‘Y’, then close and reopen the message” or pasting the link into Safari. This is a scam tactic to bypass security features.
  • Foreign phone numbers: US federal and state agencies only use official numbers, not foreign codes. A sender like +63 (Philippines) pretending to be a US state agency is a sure giveaway of fraud.
  • Grammatical mistakes, strange wording, and formatting errors: Even though the use of AI by scammers has reduced the number of these signs, they sometimes occur. “Email paper check” is a good example.
  • Generic sign-offs or incomplete contact details: Real tax authorities provide clear and official contact information.

Spotting any one of these signs should be enough to delete the message. Never click links or provide personal details based on unsolicited texts or emails.
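The domain check from the list above can be automated by reading the host name from the right rather than the left. This added example (not from the original article) assumes the FTB's real host is ftb.ca.gov; the only indicator taken from the article is ftb.ca-nt.cc, and every other sample link is constructed.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "ftb.ca.gov"   # assumption: the FTB's real host name
# Labels that borrow the agency's name: "ftb", "gov-xyz", "cagov-xyz"
BRAND_LABEL = re.compile(r"^(ftb$|(ca)?gov-)")


def classify_link(link: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is official, lookalike, unrelated or invalid."""
    text = link.strip().replace("[.]", ".")   # accept defanged indicators
    if "://" not in text:
        text = "//" + text                    # lets urlsplit recognise the host part
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = parts.username
    except ValueError:
        return ("invalid", "unparseable")
    if not host:
        return ("invalid", "no host")
    if userinfo is not None:
        # In https://ftb.ca.gov@other.example/ the text before "@" is not the host.
        return ("lookalike", "text before @ hides real host " + host)
    if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
        return ("official", host)
    labels = host.split(".")
    # Ignore the final label so a genuine .gov ending is not counted as borrowing.
    borrowed = [label for label in labels[:-1] if BRAND_LABEL.match(label)]
    if borrowed:
        # The last two labels approximate the registered domain (no public
        # suffix list is consulted here).
        return ("lookalike", ".".join(labels[-2:]) + " borrows " + "/".join(borrowed))
    return ("unrelated", host)


SAMPLES = [
    "https://www.ftb.ca.gov/",                      # official host
    "ftb.ca-nt[.]cc",                               # from the article, defanged
    "https://ftb.cagov-example.invalid/refund",     # constructed
    "https://ftb.ca.gov.example.invalid/",          # constructed: official name as prefix
    "https://ftb.ca.gov@login.example.invalid/",    # constructed: userinfo trick
    "https://www.gov.uk/",                          # unrelated government site
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_link(link))
```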

Other tips to stay safe are:

  • Keep your device and the software on it up to date.
  • Use active anti-malware protection, preferably with a web protection module.
  • If you’re worried something is a scam and want to confirm it, Malwarebytes users can submit suspicious messages to Scam Guard.

You can also visit the FTB Scams page to verify when FTB sends texts and what information is included.

Indicators

We have spotted these subdomains in this campaign:




WhatsApp fixes vulnerability used in zero-click attacks

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

First part of notification sent to attacked WhatsApp users

“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.

While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

WhatsApp notification for targeted users, telling them what to do.

“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.

To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

Technical details

The zero-click attack required two vulnerabilities.

For iOS and Mac users, the first vulnerability is tracked as CVE-2025-43300 and lies in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability. Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

What to do

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.



How to set up two-step verification on your WhatsApp account

Two-step verification is the name Meta uses for what is generally referred to as two-factor authentication (2FA). 2FA is not fool-proof, but it is one of the best ways to protect your accounts from hackers.

It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security. WhatsApp 2FA, called Two-Step Verification, requires you to enter a PIN code when registering your phone number on a new device, stopping hackers even if they have your SMS code.

Here’s how to enable 2FA on WhatsApp for Android and iOS.

How to set up two-step verification for WhatsApp on Android

  1. Open WhatsApp.
  2. Go to Settings (you’ll see it if you tap the three dots, usually located in the upper right corner).
  3. Tap Account.
  4. Select Two-step verification.
  5. Tap Enable.
  6. Create a unique 6-digit PIN and confirm it.
  7. Optionally, you can add your email address to recover your PIN if you forget it.
  8. Tap Save.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

How to set up two-step verification for WhatsApp on iPhone or iPad

  1. Open the WhatsApp app on your iPhone or iPad.
  2. Tap on Settings (the gear icon).
  3. Tap on Account.
  4. Select Two-step verification.
  5. Tap on Turn on or Set up PIN to begin.
  6. Enter a six-digit PIN of your choice, then enter it again to confirm it.
  7. Optionally, you can add your email address to recover your PIN if you forget it.
  8. Tap Save or Done.
  9. If you added an email, enter the verification code sent to that email to complete the process.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

Enable it today if you can

Even the strongest password isn’t enough on its own. 2FA means a thief must have access to an additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. In addition to your password, this makes an account takeover much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. Do it today if you get a chance: It only takes a few minutes but can save you from hours or even days of headaches later. It’s currently the best password advice we have.



Travelers to the UK targeted in ETA scams

Since January 8, 2025, travelers from most countries, including the US, Australia, and Canada, have to apply for an Electronic Travel Authorisation (ETA) for visa-free travel to the UK.

You can apply for an Electronic Travel Authorisation using the ETA App, or via an online form.

When you apply for a UK ETA you have to pay an application fee of £10 ($13.50), provide your contact and passport details, a valid passport photo, and answer a set of questions about suitability.

But as often happens when new regulations take effect, scammers are quick to exploit unsuspecting travelers by charging inflated fees or collecting personal information.

There are some that will get you an actual ETA, but at exorbitant prices, and some that you’ll never hear from again after you have made a payment.

Some scammers will promise to charge extra for guiding you quickly through the process, such as in this example we saw.

Steep prices at unofficial website

But there is absolutely no need to do that. Most ETA applicants receive an automatic decision within minutes when applying through the official UK ETA app, according to the UK government. However, some applications may take up to three working days to be processed, so it’s a good idea to apply at least a few days before travel.

If you have applied for an ETA through an unofficial channel, or you have doubts about the validity of your ETA, you can check using the “Check eTA status” tool on the official UK government website. You will need your eTA reference number (found in your confirmation email) and the details of the passport used for the application.

The UK is not the only country targeted in this type of scam. One phishing scam targeted Canadian ETA applicants using fake websites closely mimicking the official Government of Canada eTA application site. Victims were lured to apply for travel authorization, providing personal data such as full name, passport number, and more. They were then asked to pay CAD $100, far above the official CAD $7 fee, to obtain the authorization.

Some AI search aids—I’m looking at you Gemini—will tell you there is an online “Check eTA status tool” which is only true for Canada. There is no such thing for the UK.

And searching for that tool brought me to another site that charges overpriced rates for an ETA.

check status search result

Regarding the UK, once your application is approved, your ETA is electronically linked to the passport you used in your application. You will receive an email confirmation and a 16-digit ETA reference number from UK Visas and Immigration (UKVI), usually within three working days of applying. There is no need to present any document besides your passport when entering the UK.

How to avoid ETA scams

The risks of applying for an ETA through other sites may vary and range from paying more than necessary to identity theft. Here are several tips to stay safe when applying for your ETA.

  • Stick to the official .gov.uk site, or use the official ETA app to make your application.
  • Be wary of websites charging significantly higher fees than official amounts.
  • Avoid clicking on sponsored advertisements or top search results without verifying their legitimacy.
    sponsored search results
  • Do not share personal or payment data on suspicious or unknown sites.
  • When contacted by email or phone about ETAs or visas, verify the contact through official government sources.
  • Use an up-to-date real-time security solution that includes web protection.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.


Microsoft wants to automatically save your Word docs to the cloud

Microsoft has revealed it plans to automatically save all Word documents to the cloud. The feature is currently only available to Microsoft 365 Insiders, although it’s likely to expand this to all users in the future.

Microsoft proudly announced:

“We are modernizing the way files are created and stored in Word for Windows! Now you don’t have to worry about saving your documents: Anything new you create will be saved automatically to OneDrive or your preferred cloud destination.”

The options this feature provides already existed, but Microsoft is changing the default save location for Word documents on Windows.

And Word is just the start:

“Similar functionality is coming to Excel for Windows and PowerPoint for Windows later this year.”

For those of us that have lost hours of work because we forgot to press Save while we were still writing, this could be a blessing at times. But we can already enable AutoSave and choose OneDrive as an option. So what’s new?

The key change with the new plan is that Word now saves all new documents automatically to the cloud by default, before you even assign a file name. This removes the step where users had to manually initiate the process—the first save, so to speak. Whether you saved the first file locally or in the cloud, until now AutoSave used to activate only after your manual save to OneDrive. Now, Word creates every new document directly in the cloud and turns on AutoSave immediately from the start.

And the advantages are clear. No more forgetting to save, and you can share the document with someone else for collaboration purposes. It also means you can work on the document from any computer, as long as you can log in with your Microsoft credentials.

But that last advantage could also be a pitfall. Anyone with your credentials can access all the documents you saved to OneDrive. And even though I realize this may sound alarmist, I have to point out that breaches happen, credentials get stolen, and more documents will be found when this is the default setting.

Users are afraid that with AI integration (Copilot) and saving documents to the cloud, their work will be used to train artificial intelligence (AI) or that this is a Microsoft scheme to sell more cloud storage.

But most of the disgruntled users are saying that big tech’s habit of turning things on by default is annoying, to put it mildly.

Some pointers

So, what if you don’t want all your documents saved in the cloud? Or you want to change any of the other default settings that come with this feature?

  • You can change how new files are created (either automatically in the cloud or in the traditional way) in the Save page of Word Options by selecting or deselecting Create new files in the cloud automatically.
    The create new files in the cloud automatically option
  • Any document in Word that has the autosave option set to “On” at the top of the window is saved in the cloud. Turn that off if you are concerned.
    AutoSave On option
  • To change the filename to something more meaningful than the date, use CTRL-S (simultaneously press the Ctrl button and the S) to change the name or the location where the document will be saved.
  • If you prefer using another cloud location, right-click any cloud folder in the Save a copy dialog, select your preferred location, and choose Set as Default Location from the right-click menu.

Other things to remember:

  • You still can’t close a document before saving if you ever need it again. If you close the document before saving, a dialog will appear asking you whether you want to Discard or Keep it. When you close an empty document, the system discards it without asking for confirmation.
  • If you start a new Word session while another session is running, Word does not automatically save the new file due to a known issue.
  • If you disable the Show the Start screen when this application starts setting, Word won’t automatically save the first file you create after launching it.


“No place in our networks”: FCC hangs up on thousands of voice operators in robocall war

Everyone hates robocalls. However, it’s difficult to track down all the scammers and spammers that make them, so the Federal Communications Commission (FCC) has taken another approach: it just disconnected over a thousand voice operators from the public telephone network for not doing their part to stop the scourge.

This week, the Commission’s Enforcement Bureau removed over 1,200 voice service providers from its Robocall Mitigation Database (RMD). Created in 2020, this database is a ledger with records proving that telephony operators are taking measures to stop robocallers from routing calls through their networks. Removal from the database prevents other operators from taking a service provider’s traffic, effectively cutting it off from the US phone network.

Shaken and stirred

There’s a long road leading to this point, starting with the development of the STIR/SHAKEN protocol. Secure Telephone Identity Revisited (STIR) is a standard for ensuring that the caller ID showing up on your phone is legit. Signature-based Handling of Asserted information using toKENs (SHAKEN) is the technical tooling that lets telephony providers use the standard on their network.

Large voice telephony providers had to implement STIR/SHAKEN by June 30, 2021 under the TRACED Act of 2019. Smaller providers got an extension. The RMD tracks which providers are using this system.

The Commission has been tightening the screws on companies that didn’t comply with the Act. In December, it announced that it might remove up to 2,411 companies if they couldn’t give a good reason for why they didn’t have up-to-date filings in the database.

On August 6, it began delivering on its promise, removing 185 voice providers from the database after they were found to be an originator or gateway provider for robocalls, or after they didn’t co-operate with the traceback procedures used to trace those calls.

The FCC also has support at a state level. In early August, 51 attorneys general launched Operation Robocall Roundup, which sent letters to 37 voice operators putting them on notice about illegal robocalls using their networks.

According to Commission Chair Brendan Carr:

“Robocalls are an all-too-common frustration — and threat — to Americans [sic] households. The FCC is doing everything in its power to fight back against these malicious and illegal calls. Providers that fail to do their duty when it comes to stopping these calls have no place in our networks. We’re taking action and we will continue to do so.”

Protection isn’t guaranteed

This is great, as far as it goes, but STIR/SHAKEN only works on IP-based phone networks (those that use the same protocol that the internet uses to move their digitized voice data around). Legacy phone networks that don’t use IP, such as in some rural areas, can’t use the technology. Those will fade over time, though.

Perhaps more importantly, the STIR/SHAKEN rules apply to US providers only, and it’s cheap for overseas providers to reach you. So overseas robocallers can still get to you easily via non-US operators while spoofing caller IDs.

Finally, STIR/SHAKEN only proves that the number showing up on your phone is the number that’s actually calling. The person using that number could still be a scammer.
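
What a receiving provider checks under STIR/SHAKEN, as an added example rather than code from the article, the FCC or any carrier: the signed token is a PASSporT (RFC 8225) with the SHAKEN extension (RFC 8588). The key pair, phone numbers, certificate URL and helper names are constructed, and the public key is passed in directly where a real verifier would fetch and validate the certificate named in `x5u`.

```javascript
// Added example: constructed keys, numbers and helper names; not FCC or carrier code.
const nodeCrypto = require('node:crypto');
const MAX_AGE_SEC = 60; // assumed freshness window for the iat claim
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const p1363 = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS ES256 requires

// Originating provider: sign the calling number, called number and timestamp.
function signPassport(claims, privateKey) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u: 'https://sti.example/cert.pem' };
  const input = `${b64u(header)}.${b64u(claims)}`;
  return `${input}.${nodeCrypto.sign('sha256', Buffer.from(input), p1363(privateKey)).toString('base64url')}`;
}

// Terminating provider: check the token against what the call signalling claims.
function verifyPassport(token, publicKey, callerId, calledNumber, nowSec) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
    if (!header || !claims) throw new Error('empty');
  } catch (e) { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm and extension instead of trusting whatever the token declares.
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return { ok: false, reason: 'unsupported header' };
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`), p1363(publicKey), Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  // Negated comparison so a missing or non-numeric iat also fails.
  if (!(Math.abs(nowSec - claims.iat) <= MAX_AGE_SEC)) return { ok: false, reason: 'stale token' };
  if (!claims.orig || claims.orig.tn !== callerId) return { ok: false, reason: 'caller ID mismatch' };
  if (!claims.dest || !Array.isArray(claims.dest.tn) || !claims.dest.tn.includes(calledNumber)) return { ok: false, reason: 'destination mismatch' };
  // 'A': signer vouches for the caller's right to the number; 'C': gateway only knows where the call entered.
  return { ok: true, attest: claims.attest, numberVouched: claims.attest === 'A' };
}

function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const now = 1700000000, from = '12025550100', to = '12025550123'; // constructed sample values
  const claims = (attest, iat) => ({ attest, dest: { tn: [to] }, iat, orig: { tn: from }, origid: '00000000-0000-4000-8000-000000000000' });
  const full = signPassport(claims('A', now), privateKey);
  const [h, , s] = full.split('.');
  return {
    full: verifyPassport(full, publicKey, from, to, now),
    spoofed: verifyPassport(full, publicKey, '12025550199', to, now), // displayed number differs from signed one
    replayed: verifyPassport(full, publicKey, from, to, now + 3600), // old token reused an hour later
    tampered: verifyPassport(`${h}.${b64u(claims('A', now + 1))}.${s}`, publicKey, from, to, now),
    gateway: verifyPassport(signPassport(claims('C', now), privateKey), publicKey, from, to, now),
  };
}
```

A passing result means only that the signed number matches the displayed one; it says nothing about who is on the line, and a `C` attestation does not vouch for the number at all.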

So, you still need to do a little legwork of your own to minimize robocalls. Network providers (typically the larger ones) often run their own network analytics to root out robocallers. They frequently bundle such services. You can also set your phone to send all calls from numbers not in your contact list straight to voicemail.

If you use a landline, you can connect call blocking devices to your phone. Those use a variety of tricks, including messages that require a caller to press a specific number before the call goes through. The more action you take at your end, the more likely you are to block out automated nuisances.

