Simply put, preventing fraud is the underlying reason for our SMS sender ID application protocol.
But because it’s easy to apply for a sender ID (or sender name) from Messente’s online dashboard, it seems like it should be pretty straightforward to get it approved, right?
Well, not really. Our operations team has a thorough process of validating alphanumeric sender IDs, and all sender IDs are monitored for a period of time to be sure that our customers are abiding by our service’s terms and conditions.
To understand why we’re strict about sender IDs, we need to zoom out a bit and look at how SMS fraud occurs. If you’re interested, the Mobile Ecosystem Forum (MEF) has an in-depth report on preventing fraud in the A2P messaging industry. However, this blog will focus on fraud pertaining to SMS sender names.
SMS originator spoofing
“SMS originator” is another industry term for SMS sender ID or sender. Spoofing occurs when someone (usually a scammer or hacker) sends SMS messages to people with a sender name of a well-known brand or a locally reputable company.
A third of respondents to an MEF survey said that they’ve received an SMS from someone who claimed to be someone else.
The fraudulent sender’s ultimate goal is typically financial gain, which can be achieved in several ways.
- SMS phishing, also known as SMiShing, occurs when a scammer poses as a reputable brand to extract user credentials. For example, a scammer posing as a bank sends a message to mobile users with a link to a fake banking website, asking users to log in to change their passwords. This can similarly happen with email accounts.
- SMS malware messages are sent to mobile devices with a link, similar to SMS phishing. The link in this case triggers a download of malware that is installed on the device.
- Social hacking occurs when scammers pose as popular social media websites, linking users to a fake login page to extract login credentials. Once the credentials are obtained, hackers can use real social media accounts to further access a person’s digital life and financial information.
With a spoofed sender name, these attacks become easier to carry out. It’s obvious when someone is trying to register Apple or Barclays Bank, but scammers take advantage of small, local brands as well.
Spoofers can do damage in other ways as well. Outside of attacks, spoofing can damage businesses and brands, because spam and abusive content can be sent to mobile users in their names.
Also, scammers send fraudulent messages in mass quantities, so they’re working the numbers. They only need a small percentage of users to fall for the scam to be effective.
The same goes for short code registration
The attacks mentioned above don’t necessarily require a link to a spoofed website. With two-way SMS, scammers can receive responses from users. These could range from answers to secret questions required to log in or change passwords, to the passwords themselves, to PIN codes.
Along with sender ID registrations, short codes (and long codes) for two-way SMS have to be verified and checked across the entire SMS messaging value chain, all the way to specific mobile network operators (MNOs) within specific countries.
The global SMS messaging ecosystem is not uniform, including the enterprise A2P ecosystem. While the industry works to improve networks and SS7 to innovate further, messaging is complex, because rules and laws have developed over the years to keep pace with technology. And regulations vary by country.
Thus, the process of appropriately registering a sender ID or short code becomes more complex as a business or brand operates in more countries, even if the sender ID should be the same in every geographical market. Some countries have a lengthy registration process through MNOs and hubs, while others don’t even allow alpha-sender IDs.
SMS is the most trusted messaging platform
Mobile users trust SMS more than any other messaging platform, according to MEF. And the industry, as well as our customers, are working hard to keep it that way.
Messaging fraud costs the world $2bn annually (MEF). Part of that is within the industry itself (like grey routes), part of it to mobile users, and part of it to brands and businesses. That’s a big number, and if the industry as a whole doesn’t tackle problems like SMS originator spoofing, A2P messaging adoption could fizzle out and innovation could be blunted.
As a participant in this industry, we’re striving to provide the utmost service to those brands sending business-critical messages. In parallel, we’re working to protect our customers’ brands and our customers’ customers from fraud.
And as we’re transparent about how we do things as a company, we hope the same from our customers, which is why we ask questions about SMS message volumes, geographical markets, and SMS content expectations.