The ongoing industry initiative by the Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance, supported by the NCSC, is helping to identify and block fraudulent SMS texts and safeguard messages from legitimate businesses and organisations.
Criminals will use advanced techniques known as “spoofing” to make scam text messages appear more convincing. Sometimes criminals will change the sender ID that appears at the top of a text message to mimic a genuine brand or organisation and trick the recipient into believing it is legitimate. For example, scam texts exploiting the government’s response to Covid-19 have been sent using +Gov_UK instead of the genuine UK_Gov. Criminals will also use technology to copy genuine sender IDs, making a fraudulent message appear in a chain of texts alongside previous genuine messages from that organisation.
As part of a cross-industry initiative, MEF has developed a “white list”4 which allows organisations to register and protect the sender IDs used when sending out legitimate text messages. The registry limits the ability of criminals to send messages using the same sender ID as a particular brand or government department, by checking first whether the sender is the genuine registered party. 50 bank and government brands, are currently being protected through the initiative with 172 trusted sender IDs registered to date
A blacklist has been established to block messages from sender IDs that have been used to send scam texts, or from unauthorised variations that could be used to impersonate trusted brands and organisations in future. Over 400 sender IDs have been identified so far on the ever-growing blacklist, including 70 related to Covid-19.
Dr Ian Levy, Technical Director at the National Cyber Security Centre (NCSC), said: “We are pleased to be supporting this experiment which is yielding promising results. The UK Government’s recent mass-text campaign on Covid-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kind of scams.”
Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Banks are joining forces with other industries and law enforcement to protect the public from cruel coronavirus scams. We would urge consumers to be on their guard against criminals exploiting the Covid-19 outbreak to commit fraud. Always follow the advice of the Take Five to Stop Fraud campaign and avoid clicking on links in any unsolicited text messages in case it’s a scam. Remember you can report suspicious texts by forwarding the original message to 7726, which spells SPAM on your keypad.”
Gareth Elliott, Head of Policy and Communications at Mobile UK, said: “Mobile companies work hard to protect their customers from fraud and the contribution from the industry to the Registry will help reduce the number of scam texts pretending to be from trusted brands. This gives much-needed protection against fraud, including for the most vulnerable customers.”
Mike Fell, Head of Cyber Operations HM Revenue and Customs, said: “This trial builds on the success of an HMRC pilot, conducted with telecoms providers, which resulted in a 90% reduction in reports of the most convincing HMRC-branded SMS scams. We are happy to collaborate with MEF and partners to take forward our work to safeguard the UK public from such SMS-related scams.”
Joanne Lacey, Chief Operating Officer of the Mobile Ecosystem Forum, said: “All stakeholders involved in business messaging have a responsibility to follow industry best practice and proactively work together to be one step ahead of the fraudsters. The SMS SenderID Protection Registry is a tactical solution to mitigate smishing and spoofing, backed by MEF’s A2P SMS Code of Conduct. Through the Registry, the industry has been able to support the UK government’s campaign and demonstrate the vital role of messaging not least in times of emergency and crisis.”