Clear Sky Science
Evidence-based, jargon-light explanations

Clear Sky Science · en

The WeDDa framework for preventing smishing and vishing using protocol agnostic cryptographic trust

· Back to index

Why fake calls and texts matter to everyone

Most of us now rely on our phones for banking, government services, deliveries, and even emergency alerts. Yet the global phone system still allows criminals to pretend to be anyone they want—your bank, a health ministry, or the police—simply by faking the caller ID. This has fueled explosive growth in smishing (fraudulent text messages) and vishing (fraudulent voice calls), costing billions and quietly eroding public trust in digital services. This paper introduces WeDDa, a new way to rebuild trust into the telephone network so that a number must be proven, not just claimed.

Figure 1
Figure 1.

The scale of the problem

The authors show that today’s defenses against fraudulent calls and texts are mostly reactive. Phone companies and apps use blacklists, machine learning, and user reports to spot suspicious traffic, but only after it has already reached the user. Meanwhile, attacks are growing rapidly: smishing alone has surged by hundreds of percent in just a few years, with losses in the billions of dollars. Beyond money, this constant stream of fakes creates what the authors call a “digital trust tax”: people start ignoring legitimate messages, governments struggle to reach citizens, and critical services like emergency alerts or health campaigns lose credibility.

The hidden design flaw in phone networks

At the heart of this crisis is a basic design mistake in the world’s phone infrastructure. Core signaling systems such as SS7 for traditional calls and SIP for internet calls were built decades ago for a small club of trusted carriers, not for a hostile, internet-scale environment. These protocols let one network tell another, “This call is from this number,” without any built‑in way to prove it cryptographically. Modern tools like spam filters and AI classifiers are therefore trying to judge the honesty of a message after the network has already accepted a lie about who sent it. The authors argue that as long as caller identity is only asserted and not proven, fraud will remain inevitable.

A new trust layer for verified caller identity

The WeDDa framework proposes adding a mandatory trust layer inside the network, rather than relying on apps or end-user devices. Its core idea is to create a verified “name space” for communication identities and to require cryptographic proof at the gateway where calls and texts enter the network. Organizations first register their identities—using clear, human‑readable labels such as Bank_Alerts_City—with a Verified Communications Authority. That authority issues digital keys that are tightly bound to specific number ranges and network operators. When a call or message is sent, the originating gateway signs it using these keys; the receiving gateway then checks the signature against a secure registry before deciding whether to let it through.

How WeDDa works in practice

To make this practical, the authors design four main building blocks. First, a national registry stores the approved identities, their phone numbers, and the public keys needed to verify signatures. Second, telecom and internet gateways perform the cryptographic checks on all protected traffic, blocking anything that has no valid proof. Third, specialized databases record failed attempts and patterns of abuse, giving investigators and machine‑learning systems rich evidence about how attackers operate. Finally, a human‑focused layer includes public awareness campaigns and transparent, searchable lists of verified numbers so that people can see which names they can safely trust. Crucially, all of this can be added at the network level without changing users’ phones.

Figure 2
Figure 2.

Evidence from large-scale simulations

Because it is difficult to overhaul a live national phone system, the team built high‑fidelity laboratory simulations modeled on Egypt’s telecommunications infrastructure. They generated 200,000 test calls across traditional SS7 and internet-based VoIP systems, mixing genuine traffic with several types of spoofing attacks. Under controlled conditions, every spoofed call that relied on a forged caller ID was blocked, while all legitimately signed calls were allowed, and the added processing delay stayed in the microsecond range—far below what humans could notice. The authors stress that real networks are messier and adversaries more creative, but these experiments show that cryptographic gatekeeping can, in principle, stop identity spoofing at the source without slowing the system down.

Limits, challenges, and what it would take

WeDDa is not a magic shield against all fraud. It cannot stop scams that use real, but compromised, numbers, nor can it read the content of calls or detect manipulative scripts. It also depends heavily on governance: countries would need to establish trustworthy authorities, coordinate across borders, and persuade or compel carriers to adopt the system. Older networks may require hardware upgrades, and incomplete adoption would leave weak spots that attackers could exploit. The authors therefore see WeDDa as one essential layer in a broader “defense in depth” strategy that also includes education, app-level protections, and strong policies for online platforms.

What this means for everyday users

For ordinary people, the vision behind WeDDa is simple: when your phone says a call is from your bank, the network itself will have already checked a cryptographic passport proving that identity before the phone ever rings. In such a world, smishing and vishing that depend on fake caller IDs would become vastly harder and more expensive to pull off. While turning this blueprint into reality will require years of technical work and international coordination, the study offers a clear path toward phone networks where trust is built in by design, rather than patched on after the fact.

Citation: Salem, M.F.M., Hamad, E.K.I. & El-Bendary, M.A.M. The WeDDa framework for preventing smishing and vishing using protocol agnostic cryptographic trust. Sci Rep 16, 7949 (2026). https://doi.org/10.1038/s41598-026-38539-y

Keywords: smishing, vishing, caller ID spoofing, cryptographic authentication, telecommunications security