Earlier this year my bank sent me a text message about a problem with my account and directed me to log in and resolve it.
“Your account has been limited due to suspicious login attempts,” it read. “Follow the link below to restore your online access now.”
The text included a shortened link that took me to the bank’s login page. It had the bank’s name and logo at the top, a familiar-looking input box for the username and password, and a bland but pleasant background stock image depicting a beach. Nothing looked out of place and everything was identical to what I was used to seeing, down to the fonts on the page.
How to Avoid SMS Fraud
- Use text service platforms. Companies are carefully vetted before they can send mass emails.
- Use templates. Templates provide consumers consistency and can tip them off when something is wrong.
- Give consumers options. Give consumers the option to receive communications on more secure messaging apps.
- Educate consumers. Let customers know in advance what types of communications to expect — and what to beware — on SMS.
I didn’t enter my information on the page, of course. That’s mostly because my bank had previously warned me it wouldn’t ask for personal information through a text, so I knew the message was likely a scam. Sure enough, on closer inspection, the web address at the top was unfamiliar and the links for resetting the username and password didn’t work.
If I had entered my information, whoever was really on the other side would have been able to grab my credentials and gain access to my account.
SMS Scams Can Have Indirect Repercussions
Digital fraud is becoming more common, and falling victim to it can be as easy as clicking on the wrong link in an email or text message. In 2020, there were over 300,000 reported cases across the United States of scams from text messaging alone, adding up to a total of $86 million stolen from victims.
Beerud Sheth, co-founder and CEO of messaging platform Gupshup, thinks a lot about SMS scams. His company helps other companies, like banks and e-commerce retailers, send out text messages to their customers, usually to communicate information about recent transactions and delivery times. Although SMS scams don’t affect his company directly, the consequences from it being a widespread practice can indirectly affect his industry.
“The health of this messaging industry is very important to us,” Sheth said. “I think businesses and consumers need it to engage and connect, and we want to enable it as much as possible in as free a way as possible. So the only way to do that is to reduce these issues at the ecosystem level.”
In India, stock trading tip scams are a common SMS scamming method. Scammers send out fake stock trading tips and push users to purchase bogus stocks, forcing regulators to step in and place restrictions on enterprise messaging, Sheth said.
“These regulations come with stringent penalties,” he said. “The moment that happens, many banks and brokerages’ use cases get restricted. In general, that affects the whole ecosystem.”
Take Advantage of Text Service Platforms
Companies send out communications through SMS because getting updates through texts is convenient for most users. Although SMS scams don’t originate from companies themselves, scams do impersonate companies, which can affect their users and the company itself. Luckily, there are ways to make SMS scams less likely to affect a company and its users.
One change is to use texting service platforms to manage and send out texts to customers. Texting services have built-in protections that prevent malicious texts from getting to consumers.
“There’s very stringent compliance requirements to get an account on Gupshup,” Sheth said.
“Going through a platform like ours is really hard because of all the checks and balances, and even if somebody abuses that they can be traced back.”
Text services double-check that companies sending out mass texts are legitimate companies. Companies have to provide incorporation documents and go through a certification process before they are able to send messages.
“We do some additional checks and balances before the messages go through our system,” Sheth said. “Because even with large enterprises, sometimes there’s a software error. Imagine if some business sent 100 messages to one user — you’ve had issues like that in the past.”
Text service platforms also check for common scam keywords and block those messages as well as offensive messages. If they do get sent out, these platforms can look through their data and provide accountability for whoever originated those messages.
Give Customers Consistency by Using SMS Templates
As a result, SMS scams don’t usually originate from text services. Rather, Sheth said, they are sent from “SMS farms”—large collections of messaging accounts bought by scammers to send messages to a lot of people.
SMS farms exist because mobile operators put a limit on the number of messages a single account can send on its own.
“[Scammers] say, ‘Okay, we’ll have hundreds of mobile phones,’” Sheth said. “Actually, in some advanced tools out there you don’t even need the physical phone itself, you just need the SIM card.”
That kind of mass messaging technique is difficult to curb, and hundreds of SIM cards can together send thousands of messages, bringing scam operations to scale.
But companies can adopt messaging methods that train end users so they are harder to fool. A common industry practice is using templates to standardize the messages from each company, Sheth said, that way customers know what type of wording to expect from companies.
Templates usually work in conjunction with text services. After a company’s templates are approved, the company is only able to modify certain predetermined aspects, such as dollar amounts on bills and the names of purchased products. A typical template might start with, “Your account balance is...” and have placeholders where the company can later insert data.
When companies use standard formats, customers may be more aware when a message reads differently from usual. Companies can have multiple templates for different purposes, like billing notifications or confirmation emails after users make purchases online.
Send Texts Using More Secure Channels
Companies can also offer users the option to receive texts through messaging apps that offer more sophisticated security features. This step has the potential to add many layers of protection for consumers, but progress has been slow-moving so far.
“The messaging app on most devices is controlled by the device manufacturer,” Sheth said.
“If you think about the receiving app, generally it’s just a very basic default app that’s available on most mobile phones. And that app does not have any intelligence built in.”
As a result, very few users change the app they receive text messages on. That presents a significant barrier to the widespread adoption of alternate text messaging platforms.
That’s too bad because adding more security features to apps is one of the best ways to protect against the possibility of falling victim to text message scams. Some apps, like WhatsApp, which can be used for text messaging between users who both have WhatsApp accounts, have green tick marks to show that sender accounts are verified.
A more sophisticated text messaging app can also have its own built-in filters for detecting and blocking scam messages. That’s actually a capability Gupshup is in the process of developing. The company has partnered with device manufacturers such as Xiaomi and OnePlus to bring additional security features to text messaging, like AI capabilities to categorize different types of messages and weed out scams, Sheth said. Users’ increased adoption of security-conscious communication apps like Signal and Telegram hint that this may be the direction consumers are moving toward in the future.
Communicate With Customers About What Texts They Should Expect
Plenty of regulations already exist in the industry for mass communication using SMS, but many regulations focus on reining in spam rather than scams, Sheth said. Regulations vary according to country, but generally, messages are categorized into two types: transactional and promotional. Transactional messages, like updates on orders and shipment notifications, get a lot of latitude, while promotional messages, like those asking users to sign up for new products, have many more restrictions. Users generally have to opt in to receive promotional messages.
Whether it’s for transactional, promotional or other purposes, companies can still help their customers spot possible fraud by explaining in advance how and when they can expect to receive SMS communications. If customers know that their bank won’t send them login links through text, they will know to avoid those types of messages. Sheth said companies and consumers are already learning some conventions of SMS messaging.
“Businesses have learned from different countries and different telecom regulations,” he said. “So it’s a lot more manageable today than it used to be, but everybody has to stay very vigilant.”
