[co-author: Wiktoria Kossakowska-Wojdaszka]
The Polish parliament has recently adopted an act prohibiting smishing and CLI spoofing among other forms of abuse of electronic communication. New regulation came into force on 25 September 2023.
The adoption of the Act on Combating Abuse in Electronic Communication (ustawa o zwalczaniu nadużyć w komunikacji elektronicznej) is a response to an increasing number of scammers employing telecommunication services to attack individuals.
Forms of abuse
The act identifies four forms of abuse: smishing, CLI spoofing, generating artificial traffic and making unauthorized changes of address information. Smishing is a fraudulent practice of sending misleading text messages in order to induce individuals to reveal personal information. CLI spoofing is employed for the same purpose. It occurs when a caller deliberately disguises their identity by transmitting incorrect number to the caller’s ID display. Moreover, the act prohibits generating artificial traffic and making unauthorized changes of address information to, for example, hinder call billing.
Obligations under the act
All entities, whose business activities involve the provision of telecommunication networks or telecommunication services (telecommunication entities) are covered by the new regulations. They are required to counteract telecommunication abuses by blocking text and voice messages that show signs of smishing or CLI spoofing.
Moreover, the act imposes new responsibilities on large e-mail providers, whose services are used by at least 500,000 users. They are obliged to implement specific authentication mechanisms (SPF, DKIM and DMARC authentication mechanisms) in order to limit fraudulent activity.
If the aforementioned requirements are not met, the President of the Office of Electronic Communications (UKE) may impose a fine of up to 3% of company’s revenue generated in the previous calendar year.
The Act came into effect on 25 September 2023. Companies must pay attention to implementation deadlines. The first important deadline lapses on 25 December 2023, until then
mobile operators are required to enroll into the UKE’s list of integrators (providers of publicly available SMS services).