
Combatting the SMS spoofing threat

By Lee Suker, Head of Authentication and Number Information, Sinch

The proliferation of digital connectivity has provided cybercriminals with new avenues to exploit secure systems and breach perimeters designed to protect personal information. Today, one of the biggest emerging threats is SMS spoofing, wherein scammers manipulate text messages to masquerade as trusted sources. This poses a significant risk, and the ramifications can range from identity theft and financial losses to system compromises and data breaches, which are increasingly difficult to identify.

Recent reports indicate that authorities and companies in the United Kingdom have issued warnings to the public regarding illegitimate text messages appearing to originate from family members and requesting money transfers to specific bank accounts. According to the NCSC, more than 32 million scams have been reported up to May 2024. However, the challenge with SMS fraud lies in its identification, as it is possible to unknowingly become a target of the bots utilised by scammers to exploit unsuspecting victims.

The mechanics of SMS spoofing 

SMS spoofing involves cybercriminals impersonating trusted entities with the intent to deceive individuals into actions that benefit the perpetrator, such as clicking malicious links, downloading harmful files, or revealing sensitive information. Specifically, SMS spoofing refers to deceptive text messages sent to smartphones, often including links meant to mislead recipients into compromising personal data or infecting their devices with malware. Scammers disguise their true identities by manipulating the sender ID to appear as a trusted business or known contact, increasing the likelihood that recipients will engage with the message.

There are six common types of SMS spoofing: fake sender ID, unsolicited bulk messages, harassment, corporate espionage, fake money transfers, and identity theft. Falling victim to any of these approaches can have severe consequences.

The business risks 

Businesses face substantial risks from SMS spoofing. When an employee inadvertently clicks on a malicious link, fraudsters can gain access to company systems and customer data, potentially leading to defrauded customers, implanted viruses within the company’s digital infrastructure, or ransomware attacks demanding payment for data recovery. Consequently, the company’s reputation can easily suffer as customers lose trust, and the organisation may incur significant costs to repair damages and manage privacy leaks. Additionally, scammers can use compromised contact information to send further spoofed messages, expanding their victim pool and further damaging the brand’s reputation. For example, fraudsters recently impersonated the CEO of WPP in a deepfake scam that included an imitation WhatsApp account, YouTube footage and a voice clone in an attempt to solicit money and personal information.

Proactive strategies to combat SMS spoofing

Unlike other forms of text fraud, SMS spoofing specifically involves altering the sender ID to appear as someone trusted, making it more challenging to detect in comparison to phishing and smishing, which often have suspicious sender information.

Businesses should implement several key strategies to combat SMS spoofing proactively. First, educating employees on recognising the signs of a spoofed SMS, such as suspicious wording, unfamiliar numbers, spelling errors, strange hyperlinks, unsettling requests, and a false sense of urgency, is crucial. Consistent communication is essential; businesses should ensure that all messages from their organisation are clearly identifiable and inform customers of actions the business will never take via SMS, such as requesting sensitive information.

Securing communication channels through SMS verification methods like two-factor authentication and one-time passwords is recommended. It is also advisable to promptly investigate any suspicious activity and collaborate with cybersecurity experts where necessary. Partnering with SMS service providers who take spoofing seriously and have measures in place to block problematic messages and verify their credentials, such as membership in the SMS Protection Registry, can also be beneficial.

Maintaining brand reputation and customer trust

Businesses must prioritise ensuring that their messages are easily identifiable by their subscribers. Keeping branding consistent in all texts and providing clear contact details for verification is essential. It is recommended that businesses regularly remind customers that they will never request personal information via SMS and encourage them to report any suspicious messages.

In the U.K. and U.S., subscribers can forward suspicious messages to the shortcode 7726. Ensuring that an SMS service provider is committed to combating fraud and considering the use of an SMS API for smoother integration and better security are also prudent measures.

In the fight against SMS spoofing, everyone plays a role—employees, companies, customers, friends, and relatives. By staying informed, vigilant, and communicative about these threats, we can collectively mitigate the risks and build a safer digital environment.