Simply put, preventing fraud is the underlying reason for an SMS Sender ID application protocol.
But because it’s easy to apply for a Sender ID (or sender name) out of Messente’s online dashboard, for example, it seems like it should be pretty straightforward to get it approved right?
Well, not really. Our operations team has a thorough process of validating alphanumeric Sender IDs and all Sender IDs are monitored for a period of time to be sure that our customers are abiding by our service’s terms and conditions.
Wish to know more about messaging through APIs? Read our ultimate guide to SMS APIs!
To understand why we’re strict about Sender IDs, we need to zoom out a bit and look at how SMS fraud occurs. If you’re interested, the Mobile Ecosystem Forum (MEF) has an in-depth report on preventing fraud in the A2P messaging industry. However, this post focuses on fraud pertaining to SMS sender names.
What is an SMS Sender ID?
Firstly, let's make it clear what an SMS Sender ID is exactly.
A Sender ID (or sender name) is the displayed value of who sent the message on your handset. For example, the Sender ID of your friend is their phone number. It can also be a shortcode, such as 12302. Or contain a limited number of characters, e.g. CoffeeShop.
The different types of Sender IDs are usually the first points touched upon when starting to use the SMS API service.
There are three types of Sender ID:
- Long numbers
Long numbers are the numerical Sender IDs, which are the
same length as the national mobile numbers (up to 15 digits long, not including
the + symbol). For example, 3725953854.
An example of a long number Sender ID
Shortcodes are special numerical senders that are shorter than the regular numeric senders. These types of senders may have different uses depending on the region the messages are being sent. Generally, in Europe, such numbers are used for things like customer support, voting, premium rate services, etc. Whereas in Latin America, shortcodes are the most typical types of Sender IDs. For example, 12302.
Alphanumeric Sender IDs are sender names that compose of letters from the alphabet (A-Z), and numeric characters. This sender represents the brand name and is displayed as such when you receive a message (e.g. new text message received from Messente). This is for single-way communication with your customers.
It is important to note, however, that not all countries and operators offer all these Sender IDs for use even if the SMS service provider supports them.
SMS originator spoofing
“SMS originator” is another industry term for SMS Sender ID or sender. Spoofing occurs when someone (usually a scammer or hacker) sends SMS messages to people with a sender name of a well-known brand or a local reputable company.
A third of respondents to a MEF survey said that they’ve received an SMS from someone who claimed to be someone else.
The fraudulent sender’s ultimate goal is typically financial gain, which can be achieved in several ways:
- SMS phishing, also known as SMiShing, occurs when a scammer poses as a reputable brand to extract user credentials. For example, a scammer posing as a bank sends a message to mobile users with a link to a fake banking website, asking users to log in to change their passwords. This can similarly happen with email accounts.
- SMS malware messages are sent to mobile devices with a link, similar to SMS phishing. The link, in this case, triggers a download of malware that is installed on the device.
- Social hacking occurs when scammers pose as popular social media websites, linking users to a fake login page to extract login credentials. Once the credentials are obtained, hackers can use real social media accounts to further access a person’s digital life and financial information.
With a spoofed sender name, these attacks become easier to do. It’s obvious when someone is trying to register Apple or Barclays Bank, but scammers take advantage of small, local brands as well.
Spoofers can do damage in other ways, too. Outside of attacks, a spoof can damage businesses and brands as SMS messages can be sent in their names to send spam and abusive content to mobile users.
Also, scammers send fraudulent messages in mass quantities, so they’re working the numbers. They only need a small percentage of users to fall for the scam to be effective.
The same goes for shortcode registration
The attacks mentioned above don’t necessarily require a link to a spoofed website. With two-way SMS, scammers can receive responses from users. These could range from answers to secret questions required to log in or change passwords, passwords themselves, to PIN codes.
Along with SMS Sender ID registrations, shortcodes (and long codes) for two-way SMS have to be verified and checked across the entire messaging value chain – all the way to specific mobile network operators (MNOs,) within specific countries.
The global SMS messaging ecosystem is not uniform, including the enterprise A2P ecosystem. While the industry works to improve networks and SS7 to innovate further, messaging is complex, because rules and laws have developed over the years to keep pace with technology. And regulations vary by country.
Thus, the process of appropriately registering a Sender ID or shortcode becomes more complex as a business or brand operates in more countries – even if the Sender ID should be the same in every geographical market. Some countries have a lengthy registration process through MNOs and hubs, while others don’t even allow alpha Sender IDs.
SMS is the most trusted messaging platform
Mobile users trust SMS more than any other messaging platform, according to MEF. And the industry, as well as our customers, are working hard to keep it that way.
Messaging fraud costs the world $2bn annually (MEF.) Part of that is within the industry itself (e.g. grey routes) part of it to mobile users, and part of it to brands and businesses. That’s a big number. And if the industry as a whole doesn’t tackle problems like SMS originator spoofing, A2P messaging adoption could fizzle out and innovation could be blunted.
As a participant in this industry, we’re striving to provide the utmost service to those brands sending business-critical messages. In parallel, we’re working to protect our customers’ brands and our customer’s customers from fraud.
And as we’re transparent about how we do things as a company, we hope the same from our customers, which is why we ask questions about SMS message volumes, geographical markets, and SMS content expectations.