Ofcom SMS Consultation: New Rules to Tackle Mobile Messaging Scams

Written By Elwyn Davies

Mobile messaging remains a critical channel for UK consumers and businesses alike, underpinining everything from account security and service updates to customer engagement and public communications.

At the same time, the scale and persistence of SMS-based fraud has continued to test the effectiveness of existing safeguards across the mobile ecosystem.

On 28 January 2026, Ofcom closes its latest consultation on new rules and guidance to combat mobile messaging scams. The proposals are aimed at UK mobile network operators and business messaging aggregators, and focus on creating greater consistency in how anti-scam measures are applied across the industry.

This article explains what the consultation covers, why Ofcom believes change is necessary, and what the proposals may mean in practice for mobile operators, CPaaS providers, and enterprises that rely on A2P messaging in the UK.

 

Why Ofcom is consulting on mobile messaging scams

Ofcom’s consultation is grounded in a clear assessment of scale and impact. According to the regulator, around 100 million suspicious messages were reported to mobile operators in the past year alone. Many of these messages impersonate trusted organisations, exploiting SMS as a channel that consumers continue to associate with legitimacy and urgency.

Ofcom acknowledges that mobile operators have already implemented a range of countermeasures, including filtering, traffic analysis, and coordinated take-down activity. However, the regulator identifies a central weakness in the current landscape: inconsistent application of protections across networks and providers.

Where one operator may impose strict controls or monitoring, another may apply lighter-touch measures. From Ofcom’s perspective, this creates gaps that scammers can exploit, shifting activity to the least resistant routes rather than reducing overall harm.

The consultation therefore focuses less on inventing entirely new tools, and more on raising the baseline across the industry.

 

Understanding the two scam vectors: P2P and A2P messaging

A key feature of the consultation is its distinction between two different types of messaging abuse, each with its own risk profile.

Person-to-person (P2P) messaging

P2P scams typically involve fraudsters acquiring SIM cards, often on a pay-as-you-go basis, and using them to send large volumes of messages directly to consumers. These messages may contain malicious links, fake delivery notices, or urgent requests designed to provoke quick action.

Ofcom highlights several challenges associated with this model:

  • High-volume abuse originating from consumer-grade SIMs

  • Difficulty distinguishing early-stage fraud from legitimate personal use

  • Rapid SIM churn once detection thresholds are approached

Application-to-person (A2P) messaging

A2P scams are structurally different. In these cases, scammers imitate legitimate businesses in order to gain access to business messaging services, whether directly or through intermediaries. Once access is secured, messages can be sent at scale using branded sender IDs or long codes that appear trustworthy to recipients.

The consultation notes that A2P abuse often involves:

  • False or misleading sender identity information

  • Misuse of enterprise messaging routes

  • Exploitation of onboarding or monitoring gaps

 

By addressing both vectors explicitly, Ofcom signals that effective scam reduction requires controls
at multiple points in the messaging chain, not just at the consumer interface.

The proposed new General Conditions

At the heart of the consultation are proposed new General Conditions that would apply to mobile operators, and in some cases to messaging aggregators operating within the UK ecosystem.

While the consultation document sets these out in detail, several themes recur throughout.

Volume limits on pay-as-you-go SIMs

For P2P messaging, Ofcom proposes that operators should set and enforce volume limits on PAYG SIM cards. The aim is not to disrupt ordinary consumer use, but to reduce the feasibility of using consumer SIMs for bulk messaging campaigns.

Operators would retain discretion over how these limits are defined, but would be expected to ensure they are proportionate and effective.

Continual “Know Your Traffic” checks

A second pillar of the proposals is ongoing traffic monitoring, often described by Ofcom as “Know Your Traffic”. Rather than relying solely on static rules or one-time checks, providers would be expected to:

  • Review account activity on a continual basis

  • Investigate anomalous patterns or sudden volume changes

  • Respond promptly to credible reports of fraud

This approach mirrors wider regulatory trends towards continuous risk assessment rather than point-in-time compliance.

Blocking and intervention obligations

Where scam activity is identified, the proposed conditions would require operators to block numbers or routes associated with fraud and take steps to prevent recurrence. Importantly, Ofcom frames this as a responsibility to act decisively while maintaining proportionality and due process.

How Ofcom expects providers to comply

Alongside the proposed rules, Ofcom has published draft guidance intended to support practical implementation. This guidance does not prescribe specific technologies or thresholds, but instead outlines principles that providers should follow when designing their controls.

Key points include:

  • Controls should be risk-based, reflecting the nature of the traffic and customer

  • Measures should be scalable, capable of handling large volumes without excessive manual intervention

  • Providers should maintain clear escalation and response processes

For many operators and aggregators, much of this will align with existing practices. The consultation is less about starting from zero, and more about ensuring a consistent minimum standard across the market.

Implications for mobile network operators

For UK MNOs, including BT/EE, Virgin Media O2, VodafoneThree, the consultation formalises expectations that are already broadly understood within the industry.

However, formal General Conditions would bring additional weight and scrutiny. Operators may need to:

  • Review PAYG SIM policies and thresholds

  • Document traffic monitoring processes more explicitly

  • Ensure internal teams and tooling can support continuous assessment

Ofcom’s emphasis on consistency suggests that peer comparison will become more visible, with less tolerance for outliers.

What this means for aggregators and CPaaS providers

Business messaging aggregators and CPaaS platforms are not the primary targets of the consultation, but they are clearly within scope of its effects.

Providers such as Sinch, Infobip, Twilio, Bird, and Vonage operate at scale and already invest heavily in monitoring and compliance. The consultation reinforces the expectation that:

  • Customer onboarding processes remain robust

  • Sender behaviour is actively reviewed, not just at onboarding

  • Collaboration with upstream and downstream partners continues

From a commercial perspective, the proposals underline the importance of predictable, transparent controls rather than sudden or opaque blocking that can disrupt legitimate enterprise messaging.

The role of industry collaboration

Ofcom is explicit that regulation alone cannot solve messaging fraud. Effective outcomes depend on cooperation across the ecosystem, including:

  • Mobile operators

  • Aggregators and CPaaS providers

  • Solution vendors focused on filtering and fraud detection

  • Industry bodies such as Comms Council UK and MEF

The consultation builds on existing collaboration rather than replacing it. By setting clearer expectations, Ofcom aims to support more effective coordination rather than fragmented responses.

Consumer reporting and the role of 7726

While the consultation is primarily industry-focused, Ofcom continues to emphasise the importance of consumer reporting. The 7726 shortcode remains a key mechanism for identifying suspicious messages at scale.

Reports to 7726 feed into operator investigations and, in aggregate, help shape broader intervention strategies. Ofcom also references public guidance from bodies such as NCSC, reinforcing that scam reduction is a shared responsibility.

Why consistency matters more than new technology

One of the more notable aspects of the consultation is what it does not focus on. Ofcom does not argue that the industry lacks tools, data, or technical capability. Instead, it points to uneven application.

From a regulatory perspective, consistent baseline controls can often deliver greater impact than isolated, advanced measures deployed by only part of the market. This framing is likely to resonate with operators who have long argued that uneven enforcement undermines collective efforts.

Timeline and next steps

The consultation closes on 28 January 2026. After reviewing responses, Ofcom will decide whether and how to implement the proposed General Conditions, potentially with revisions informed by industry feedback.

For organisations active in UK messaging, this is a clear opportunity to:

  • Review the consultation in detail

  • Assess how existing controls align with the proposals

  • Submit practical, evidence-based responses

The full consultation document is available on Ofcom’s website.

Key takeaways

  • Ofcom estimates around 100 million suspicious messages were reported in the past year

  • The consultation targets both P2P and A2P messaging scams

  • New General Conditions focus on volume limits, continual monitoring, and intervention

  • Consistency across the industry is the regulator’s central concern

  • The consultation closes on 28 January 2026

The consultation represents a significant moment for the UK messaging ecosystem. Industry participants are encouraged to read the consultation in full and respond with practical input based on operational experience.

If you want to discuss the potential implications at a high level, or explore how these proposals intersect with existing compliance approaches, we are always happy to have a conversation.

 

Frequently asked questions

  • The consultation sets out proposed new rules and guidance for tackling mobile messaging scams in the UK. It focuses on improving consistency across mobile operators and messaging providers, covering both P2P and A2P messaging abuse.text goes here

  • The proposals primarily apply to UK mobile network operators, but aggregators and CPaaS providers will also be affected through their relationships with operators and their role in enterprise messaging delivery.

  • No. Ofcom does not suggest that SMS is fundamentally unsafe. The consultation recognises SMS as a critical communications channel and focuses on reducing misuse through consistent safeguards.

  • “Know Your Traffic” refers to ongoing monitoring of messaging activity to identify anomalous patterns, investigate potential fraud, and respond appropriately rather than relying solely on static rules.

  • Organisations can submit responses directly to Ofcom before 28 January 2026, providing evidence-based feedback on the proposals and their practical implications.

Elwyn Davies