Smishing and spoofing targeted for eradication by SMS Protection Registry

In the UK, many major banks and government brands are now better protected, with 352 trusted SenderIDs registered to date. Furthermore, over 1,500 unauthorised variants are being blocked on an ever-growing list, including 300 senderIDs relating to the government’s coronavirus campaign.

Government agencies, including HMRC and DVLA, are participating in this ecosystem wide anti-fraud solution, which is supported by BT/EE, O2, Three and Vodafone, along with the UK’s leading message providers including BT’s Smart Messaging Business, Commify, Dynamic Mobile Billing, Firetext, Fonix Mobile, IMImobile, Infobip/OpenMarket, mGage, Reach-Interactive, Sinch, TeleSign, Twilio and Vonage.

The cross-stakeholder working group has seen a significant drop in fraudulent messages being sent to the UK consumers of the participating merchants.

Following the pilot scheme's success in the UK, the Ireland SMS SenderID Protection Registry is being launched with the support of three mobile network operators; nine merchants; three major government agencies; banks, retailers and utilities.

The Registry is also launching in Singapore as the Singapore SMS SenderID Protection Registry. With strong interest from numerous other territories, the MEF expects new Registries will soon follow.

Dario Betti, CEO of MEF, said: “There are millions of faked SMS sent by fraudsters trying to steal passwords every day. We need to help consumers and organisations fight back. Thanks to the collective efforts of the British mobile industry, MEF has managed to show a way: a Registry for SMS short-code names. The fight against fraudsters is a relentless one, it will never stop. But we are happy to celebrate one successful tool created in the UK”.

The MEF’s SMS Protection Registry reduces the ability for fraudsters to send messages impersonating a brand in the message header, by checking whether the sender using that sender ID is authorised by the merchant or brand. If not, messages from this route are blocked as fraudulent, ensuring SMS remains a trusted communication channel for brands and consumers alike.

Sender IDs set up by fraudsters made up of misspellings and special characters aimed at impersonating a merchant or brand are also blocked via a ‘denied list’ circulated to messaging partners.

Text messaging scams, which trick consumers into sending money or sharing their account details with fraudsters, are known as ‘smishing’ (i.e. phishing by SMS). Criminals send bogus texts which appear to come from a trusted sender.

MEF’s SMS Protection Registry was established to automate cross-stakeholder processes, allowing reliable and fast sharing of information to facilitate an orchestrated blocking system. The online Registry platform helps identify and block fraudulent SMS texts, protecting consumers, legitimate businesses and organisations from falling victim to text messaging scams.

It also enables organisations to register the sender IDs/message headers used when sending text messages to their customers. This limits the ability of fraudsters to impersonate a brand, as the Registry automatically checks whether the sender is the genuine authorised party.

Sometimes fraudsters create an exact copy or ‘spoof’ of a genuine merchant sender ID. These messages, when received by consumers, can be placed into existing message threads or conversations from the same target merchant on the customer's smartphone - giving more credibility to the fraudulent message. The Registry works to reduce spoofing by registering the legitimate and authorised message sources.

Aside from using the Wholesale Messaging (Aggregator) delivery channels operated by mobile network operators, scammers also send messages in bulk using ‘SIM farms’ that utilise normal SIM cards as used in mobile phones. These SIM farms are devices that operate several SIM cards at a time and can be programmed to exploit the ‘Unlimited Text’ capabilities offered on consumer tariffs – despite being in breach of the T&Cs of use for such consumer offerings. Messages sent from these devices can be easily identified and blocked by the Registry as they always originate from a regular mobile number, rather than from a merchant or brand using alphabetic characters.

One of the most common scams over the last few months has been fake text messages pretending to be from Royal Mail. The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website where victims are then asked to give their bank details. These fake texts can also spread harmful malware, which once downloaded gives the fraudster access to sensitive information on the customer's device.

With the Mobile Ecosystem Forum’s SMS Protection Registry, everything stays the same for the consumer – all that changes is the reduction in smishing texts. There are no additional steps for consumers to take. However, consumers are strongly advised to stay vigilant and to react only to texts if they are expecting to be contacted, e.g. when requesting a one-time PIN code to verify identity.

Consumers should be particularly wary of clicking on embedded links within texts and should contact their bank or merchant via the contact number on the back of their card if they are in any doubt before reacting to a text request.

Whilst the brands (such as postal services) suffer adverse PR, the banking groups often bear the brunt of the financial losses experienced by consumers, as well as adverse PR. By reducing smishing, the Registry provides benefits for the merchant, as well as the consumer.

The MEF (Mobile Ecosystem Forum) is a global trade body, established in 2000 and headquartered in the UK with members across the world.