Upping the ante on phishing through AI – The TRAI directive

Phishing misleads and tricks individuals into revealing personal or confidential information through deceptive emails or messages. Such information is then used for unlawful or harmful purposes, such as fraud or installing ransomware. Smishing, a subset of phishing, uses SMSs or text messages as a vector. India is reportedly the third most popular country with perpetrators of phishing attacks, seeing over 50 million passwords stolen. Phishing attacks have apparently risen by 50 percent over the last two years.

This increase in attacks has led regulators to protect the text message user base. In June 2023, the Telecom Regulatory Authority of India (TRAI), the country’s telecom regulatory body, issued a directive on the use of technology tools to detect smishing and curb the harm it causes.

Previously, no express regulations existed requiring ecosystem stakeholders or players to curb smishing. In 2018, the TRAI established a co-regulatory regime with telecom service providers (TSP), regulating all commercial communications, such as text messages and phone calls, transmitted through telecommunication networks. Under the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR), TSPs have to establish distributed ledger technology-based platforms to regulate commercial communications. Businesses in India are required to register on these platforms as senders or telemarketers, undertake scrubbing as set out in user preferences lists to send only specific types of commercial communication and seek and offer specific consent and opt-out for certain commercial communications. TSPs must impose usage caps on senders who do not comply with such requirements and, ultimately, discontinue service for continuous non-compliance.

Under the TCCCPR, TSPs must spearhead the development and maintenance of ecosystems to regulate and oversee commercial communications delivered through their networks. They have to develop codes of practice (CoP), including the detection of unsolicited commercial communications and their senders (UCC Detect CoP) by using technology tools. The TRAI has reserved the right to adopt its own CoPs, and direct TSPs to change theirs.

The wide-ranging powers offered to and responsibilities imposed on TSPs make the TCCCPR an ideal regulatory base from which to curb smishing. However, such attacks have become more sophisticated and existing technologies used by TSPs can no longer detect such attacks in a timely manner.

Following the setting up of a regulatory sandbox by an inter-ministry committee exploring new anti-smishing technologies, the TRAI has directed all TSPs to adopt artificial intelligence and machine learning tools. These are technologies used under their existing UCC Detect CoPs but now able to detect new patterns, techniques, calls to action and signatures used by smishing attackers. These tools must analyse the reputations of senders, based on such factors as the duration of use of a TSP’s network and verification mechanisms and calling patterns. Intended to avoid false positives, the directive underscores the lack of regulatory guidance on the use of artificial intelligence tools. Coupled with a lack of requirements for transparency and impact assessments, an unregulated ecosystem may let additional biases into the detection process.

The new directions require TSPs to share information from detection systems with other TSPs, law enforcement authorities, the Ministry of Home Affairs, and the Department of Telecommunications. As to data protection, such disclosure requires no additional consent from individual senders of information. TSPs must have these tools in operation by mid-July 2023, with no additional changes to their existing data protection frameworks.

The directions provide no new sanctions or penalties for senders launching smishing attacks, but rely on existing usage caps and service discontinuation, under which TSPs can prevent identified senders accessing their networks.

An artificial intelligence mechanism for restricting unsolicited commercial communication is a pioneering move for the TRAI. Among the first of its kind, regulation through TSPs employing artificial intelligence is a major advance in reducing the harm caused by smishing. However, there should be a greater examination of the harm and bias artificial intelligence tools may cause.

Mathew Chacko is a partner and Aadya Misra is a counsel at Spice Route Legal. Shambhavi Mishra and Ajeeth Srinivas, both associates, also contributed to the article.