Telecommunications SPF Is Quietly Becoming Australia's Strongest Anti-Spoofing Rulebook

The telecommunications draft may prove to be one of the most operationally significant parts of the SPF package.

For a long time, scam-related telecom reform was often discussed in broad terms. The expectation was clear enough: providers should do more to reduce spoofing, scam calls and message abuse. What was less clear was exactly how that expectation would be translated into day-to-day carriage decisions. The new draft begins to answer that question.

It does not merely say telecommunications providers should help prevent scams. It starts to define a more explicit network-level rulebook around who may use a number, what traffic may be carried, how uncertainty should be signalled, and what kinds of traffic should simply never be allowed to pass.

That matters because some of the most damaging scam journeys still begin with a call or message that looks legitimate enough to earn a few seconds of trust. In that sense, anti-spoofing controls are not separate from brand impersonation. They are another layer of the same trust problem — identity on the network is now being contested just as much as identity on the web.

Why the telecommunications draft matters more than it first appears

The draft telecommunications code is more detailed than many outside the sector may realise. It pushes scam prevention much closer to the network edge and the origination point. That is important because telecom infrastructure is often where false identity first becomes operational. A spoofed calling line, an illegitimate Australian number presented from overseas, or a high-risk messaging service without credible rights of use can all become the first stage of scam conversion.

The draft therefore focuses on legitimacy before carriage, not merely disruption after harm. That is a major shift in emphasis and aligns with the broader SPF framework which requires regulated entities to prevent harm before it occurs rather than simply responding after the fact.

The new baseline: rights of use, CLI and international traffic

Several proposed controls stand out.

Rights-of-use checks

For high-risk telecommunications services, entities must verify that a customer has rights of use in respect of the number associated with the service by conducting a rights-of-use check, and must also establish a legitimate use case. The rights-of-use check itself requires both proof of association and a real-time demonstration of access to the number, such as an immediate confirmation code or URL activation. This takes anti-abuse onboarding well beyond verbal assertion.

CLI and international traffic controls

The draft says a regulated entity must not carry a voice call unless a CLI is attached. It also says a regulated entity must not carry an inbound international voice call to which an Australian CLI is attached unless the call falls within tightly defined legitimate scenarios. The code goes further by prohibiting carriage of certain categories of traffic altogether, including calls or messages using numbers on Do Not Originate lists and traffic where trust information is incorrectly attached.

What no-verification signals and trust information could change

One of the most interesting parts of the draft is that it does not treat all uncertainty the same way. Where an interconnected carrier cannot determine whether an inbound international call using an Australian mobile number is legitimate, it must attach a no-verification signal. Terminating providers receiving that signal must then make their own reasonable attempt to verify legitimacy. If they still cannot do so, the draft points toward blocking the CLI or over-stamping it with a warning before terminating the call.

This begins to create an explicit signalling model for uncertainty. That is useful in scam prevention because many harmful interactions sit in a grey zone before they become fully provable scams. The framework is effectively saying that uncertainty itself must be handled in a more disciplined way — a principle directly connected to the need for explainable verification across the whole SPF system.

Where implementation friction will emerge

None of this means implementation will be easy. The practical friction points are obvious. International roaming is one. Legitimate outsourced business services are another. Cross-border customer journeys do not always fit neatly into idealised anti-spoofing logic. Entities will also need to balance stronger carriage controls against the risk of blocking legitimate traffic or degrading consumer experience.

That is why the draft matters. It does not simply declare that telecom providers should solve spoofing. It forces the harder question: what does a proportionate, technically credible and operationally sustainable anti-spoofing posture actually look like across origination, interconnection and termination? The answer will almost certainly depend on better service-chain governance — a theme explored further in our next article on third-party, outsourcing and white-label risk under SPF.

Why this matters beyond telecommunications

Banks, platforms and other regulated entities should pay attention as well. Scam harm is frequently cross-sector. A spoofed call can prime the victim. A fake platform or message can continue the deception. A payment event can complete it. Stronger telecom controls therefore influence the scam exposure of other sectors, even where those sectors are not directly responsible for the voice or message channel itself.

In that sense, telecommunications SPF may become one of the strongest practical demonstrations of what SPF is trying to do overall: move scam prevention closer to the points where trust is created, carried and abused. Understanding how each layer connects is precisely the subject of building a closed-loop scam response system.

• Brand Impersonation Has Moved from “Nice to Have” to a Civil Penalty Issue
• The Hidden Compliance Burden in SPF: Third Parties, Outsourcing and White-Label Risk

FAQ