Our mobiles are now integral to our everyday lives, and SMS is one of the key channels we use to interact both with friends and the brands we buy from. Unfortunately, criminals and devious businesses know this and are always devising new ways of using SMS to extract money or personal information from us.
In this blog we cover all the possible ways that fraudsters can get at us via SMS, how to recognize threats, and what mobile operators can do to protect their customers.
We will cover:
- What is the impact of SMS fraud?
- Types of SMS fraud and how they work
SMS grey routes
- How mobile operators can combat SMS fraud
What is the impact of SMS fraud?
When it comes to the direct financial impact of fraud the stats speak for themselves unfortunately. The US Federal Trade Commission reported that in 2021 US consumers lost more than $5.8 billion to fraud. This represents a 70% increase on the previous year, with the biggest individual increase being in impostor scams, for example SMS smishing, which almost doubled from $1.2 billion in 2020 to $2.3 billion in 2021.
And it isn’t just in the US – studies in the UK show that SMS smishing attacks increased by a massive 700% in the first six months of 2021 alone. This spike can in part be attributed to Covid lockdowns and the increase in home deliveries and associated SMS notifications, but the trend is definitely on a steep upwards curve.
In addition to the direct monetary losses, there are other impacts that are less obvious.
- A general mistrust of SMS by consumers will lead them to abandon SMS as a channel in favor of other messaging options. This will erode revenues for mobile operators leading to price increases on the other services they provide.
- The cost of additional security measures will also be passed on to consumers in the long run, and these measures may affect the user experience of customers, for example through additional authentication steps.
Types of SMS Fraud
There are many ways that SMS can be used by criminals so we will concentrate on examples where SMS is the primary channel for facilitating the fraud. These include smishing, SMS spoofing, and SIM swapping.
Although it has less direct impact on mobile subscribers, grey route traffic is a type of SMS fraud which if left undetected, will affect end users in the long run through increased service charges and tariffs as mobile operators attempt to recover revenue lost to unmonetized grey routes.
Finally, although SMS spam may not have a direct financial impact on recipients, it is an annoyance requiring precious time to delete or block, it might mean that important SMS alerts are missed, and our phone numbers are often obtained fraudulently by spammers.
We have covered smishing in detail in a recent blog on the subject, but it is worth covering the basics, especially as smishing attacks usually include an element of spoofing, which we will cover next.
Smishing is a type of fraud where criminals contact potential victims by SMS to trick them into providing personal information or bank account information, or clicking on links that that download malware onto their phones.
Smishing is therefore the SMS equivalent of email phishing except the ‘bait’ message is delivered by SMS.
Sophisticated smishing attacks will use social engineering tactics to gather information about potential victims, including where they live, who they interact with online, and which banks and credit card companies they are customers of.
This information can then be used in the creation of very realistic spoof SMS messages that deceive the victim into believing that they are from a legitimate business or person.
SMS spoofing a way of changing the sender information on a text so that the recipient sees whatever alphanumeric text is defined, rather than a mobile number.
SMS spoofing is not actually illegal. There are many valid applications for it and there are even free SMS spoofing services on the internet (we won’t link to them, just in case).
Some valid applications include:
- Bulk service messages: Messages sent to opted-in customers from a legitimate business, for example ‘Your monthly bill is available to download‘.
- SMS alerts: Important notifications from businesses or government agencies, for example ‘Tsunami alert – move to high ground‘.
- Whistle-blowing: Messages that expose wrong-doing by a person or business where the sender wants to remain anonymous.
How SMS spoofing works
The problem is that SMS spoofing is often used by fraudsters to mimic messages from legitimate businesses as part of smishing attacks. They could pretend to be from a bank, a delivery company, a trusted institution like the tax office, or even the recipient’s own employer in the case of targeted ‘spear’ attacks.
Not realizing that the message is fake, recipients may drop their guard and click on links, which could download malware to their phone or take them to fake landing pages designed to extract private information from them.
Another sly tactic that criminals use is to use SMS spoofing to fake payment confirmations for the purchase of expensive items from individuals or businesses. They offer to pay for an item by bank transfer, but instead of actually making the payment, they fake a confirmation text message to the seller from their bank with the correct reference and exact amount of the sale for authenticity.
This fraud is particularly prevalent on buy-and-sell pages that don’t have stringent identity checks. A good tip if you are selling a valuable item like a car or appliance is to always log into your online banking to check that the funds are actually there before letting the buyer take it.
We shone the light on the dangers of SIM swapping back in 2019, and it is still a significant threat for the customers of telecom companies that have been slow to implement SIM swap detection solutions.
There are of course valid reasons to swap a SIM card – for example when a subscriber switches network provider and wants to move their mobile number from one SIM card to another. This process is now common enough that fraudsters can exploit it to take over a person’s mobile number by simply contacting the provider and employing some simple social engineering tactics to impersonate them.
Once the account has been taken over, the criminal will have access to all the person’s personal details and their message inbox to receive the 2FA notifications required to change banking and credit card passwords.
SIM swap detection services use a number of inputs to flag both attempted and successful takeover attempts, for example by checking the IMSI register for any changes to the SIM activation date. Mobile operators that implement these solutions are able to protect their subscribers from account takeover fraud and the stress of identity theft.
SMS grey routes
As we have mentioned, grey route traffic does not impact mobile users as directly as fraud, but it does upset the balance of the mobile eco-system leading to overall higher prices and a more disjointed customer experience due to the preventative measures that are required.
What is grey route traffic?
SMS grey routes represent a type of fraud committed by rogue mobile operators where A2P SMS messages, which should be charged at a premium rate, are passed off as P2P traffic for all or parts of their journey to benefit from reduced rates.
This results in the telecom providers, who facilitate the delivery of the messages through their network infrastructure, not being compensated for the services they provide.
There are three types of grey route fraud:
- Operator to Operator: In this scenario Operator 1 will have a roaming agreement with overseas Operator 2 for person to person (P2P) messages. The ratio of incoming and outgoing messages is usually the same, so the operators agree to not charge each other for the traffic. However (rogue) Operator 2 then deliberately masks commercial A2P traffic as P2P instead, so they receive compensation for the messages without having to pay anything to (law-abiding) Operator 1.
- A2P Aggregators: In this scenario, telecoms use local A2P aggregators in a foreign country to avoid paying premium roaming charges. For example Telecom A uses the aggregator, who has better SMS rates with Telecom B, to deliver A2P traffic over SMPP routes. Telecom A is the rogue here as they get to avoid paying the agreed market rate to Telecom B, who are the ones that actually deliver the message to the recipient.
- SIM Boxes: Also known as ‘grey route traffic machines’, these devices use prepaid P2P SIM cards to fraudulently handle premium A2P traffic. These cards have a price per SMS that is lower than direct A2P telecom prices or include a set number of free messages as part of the package. The difference between the two prices, which can be significant, is pure profit for the fraudsters.
There are several valid and useful reasons to receive unsolicited SMS messages – it may save you a heap of money by notifying you of a fraud on your account, or even your life if you are in the path of an extreme weather event. SMS spam will do neither, and it breaks compliance laws in almost every country globally. Unfortunately, this doesn’t stop unprincipled businesses from buying up lists of mobile numbers and bombarding them with irrelevant offers and promotions.
It is a problem that is only growing – with the introduction of both legislation and technology to combat robocalling, spammers are turning to SMS as a way of mass distributing their messages.
In the United States in August 2022 alone, 10.89 billion spam SMS messages were sent. That is 39 messages each for the whole population, in a single month! Compared to August 2021 this represents a 500% increase!
How to stop spam texts
From a mobile user perspective there is very little you can do to stop SMS spam completely. Spam text blocking and reporting may be satisfying, but it is largely ineffective. Spammers have a vast pool of numbers to choose from, and the number you report would probably have already been discarded.
For individuals the emphasis is usually on reducing the impact off spam texts. For example, if your phone supports it, you could switch off notifications from ‘unknown’ numbers or have these filtered into a separate inbox. However, in doing this you risk missing an important text alert from your bank about a possible fraud, or even an extreme weather warning from a local government agency.
So, the responsibility ultimately falls to telecom providers to cut off spam texts and other fraud attempts before they even make it to their subscribers.
But how can they do this without blocking genuine traffic?
Guardians of the mobile galaxy
Telecom providers have an ally in the war against spammers and SMS fraudsters. With the help of technology companies like Infobip they are now able to pull ahead in the arms race by implementing an array of solutions designed to detect and prevent SMS fraud. A key part of this defense is SMS firewalls which provide:
- Links to a continually updated database of malicious numbers and URLs that can be automatically blocked in real-time
- Proactive threat detection using machine learning to pre-empt fraud attempts
- Automated responses to identified threats
- Detection of MSISDNs that are not “real customers” based on SIM box detection that can provide MSISDN reputation analysis
In a recent report that we published we described how our SMS firewall was the first to detect a previously unknown type of fraud that was spreading globally. It identified an unusual SMS message content pattern that did not appear to be either A2P traffic, or legitimate P2P messaging. It wasn’t spam either as the messages were traced back to legitimate senders.
Investigations showed that the traffic was being routed via a particular third-party app that was able to bypass international message charges. Mobile operators were briefed so that action could be taken to protect both their business and subscribers from this new fraud threat.
Infobip’s SMS firewall was updated to automatically detect and block these messages, and the information about affected subscribers was passed to each mobile operator so that they could help them to deal with the problem.
The solution was shown to be extremely accurate with less than 0.1% false-positive cases.
This example shows conclusively that implementing an anti-fraud solution is not just a box ticking exercise for telecom providers. It is imperative that they join forces with an expert technology partner that constantly monitors and adapts to ensure its tools are effective against the latest threats. With its global presence and unrivaled team of SMS security experts, Infobip is qualified and willing to take on this role of co-guardian of the mobile eco-sphere.
Fraud Challenges in the Messaging Ecosystem