Telecoms Tackle 19 Year New Security Risk


In the ever-evolving landscape of digital threats, telecommunications companies find themselves on high alert as a newly discovered consumer security risk emerges. This threat allows scammers to circumvent identity checks for online transactions, including banking, shopping, and messaging. Surprisingly, the vulnerability lies in a feature implemented on mobile phone networks 19 years ago, which, when exploited, can compromise the security of systems used by major software providers like Apple, Microsoft, Okta, and Signal.

The Old Feature’s Comeback

An Australian information security company report reveals that a little-known feature, integrated into mobile phone systems in 2004, is at the heart of this security loophole. This feature enables hackers to divert voice calls by tricking phone owners into clicking on a link with a “tel://” prefix, followed by a code redirecting calls to a number owned by the attacker.

The Growing Risk

While the potential for abuse of the call-diversion system has existed since its inception, the risk has heightened with the increasing use of voice calls as a fallback in multifactor authentication (MFA) systems. Many companies have implemented MFA, adding extra layers to login processes, such as passwords, SMS codes, or secret questions. Attackers can bypass these security measures by diverting a victim’s voice calls and requesting login codes via voice.

AI Impersonation and Modern Phones

The rise of AI systems capable of mimicking an individual’s voice adds another layer of danger. Call diversion can be exploited to launch attacks where computers impersonate call recipients, compromising voice-based MFA systems’ security. Combining old-school carrier technology with modern phones and widespread reliance on phone-based MFA creates a perfect storm for potential security breaches.

Distribution Channels and Cross-Platform Vulnerability

The malicious “tel://” link can be distributed through various channels, including SMS messages, WhatsApp messages, and links in websites or emails. Even Apple users with Mac-iPhone connectivity are not immune, falling victim to the attack if they click on the malicious link on their Mac. The attack may appear unsophisticated, but its low cost and the ease of reaching numerous potential victims simultaneously make it a potent threat.

As telecommunications companies and software providers work tirelessly to address this newfound security risk, consumers must remain vigilant. Implementing additional security measures, staying informed about potential threats, and exercising caution when clicking links are crucial to safeguarding personal and financial information. In a world where technology evolves rapidly, staying one step ahead of scammers and hackers is the key to maintaining a secure digital environment.

Stay ahead of the Fraudsters

For top-notch social media security, stay vigilant against online fraud and prioritize safeguarding your account’s privacy. Dive deeper into cyber consumer concerns and discover the best protection practices by accessing our interactive mobile app, FRAUDSTER, which is compatible with Apple and Android devices. Explore further at

Already got the FraudsterApp? Simply tap the training icon on your home screen to improve your self-protection skills.

Posted in

Terry Cutler

I’m Terry Cutler, the creator of Internet Safety University, an educational system helping to defend corporations and individuals against growing cyber threats. I’m a federal government-cleared cybersecurity expert (a Certified Ethical Hacker), and the founder of Cyology Labs, a first-line security defence firm headquartered in Montréal, Canada. In 2020, I wrote a bestselling book about the secrets of internet safety from the viewpoint of an ethical hacker. I’m a frequent contributor to National & Global media coverage about cyber-crime, spying, security failures, internet scams, and social network dangers families and individuals face daily.