What is SMS spoofing?

SMS spoofing is a technique in which the sender changes the sender address shown on an SMS message. Instead of seeing the real sender’s number, the recipient sees whatever alphanumeric text the sender has set.

SMS spoofing is not inherently illegal. There are many valid cases for sending SMS messages where the sender field contains information different than the sender’s number. These include:

  • Bulk service messages: Messages sent to opted-in customers from a legitimate business, such as ‘Your monthly bill is available to download’.
  • SMS alerts: Important notifications from businesses or government agencies, such as ‘Tsunami alert – move to high ground’.
  • Whistle-blowing: Messages that expose wrongdoing by a person or business where the sender wants to remain anonymous.

However, spoofing is often done to mask a user who has connected to a foreign network and is sending messages back to their home network. This technique is commonly used in various types of fraudulent SMS activities, including smishing scams and spam messages. Therefore, understanding and preventing SMS spoofing is crucial for maintaining the security and integrity of mobile networks.

Examples of messages used for SMS spoofing fraud

A PayPal spoofing/smishing scam, with the sender’s name spoofed as PayPal UK. Source: paypal-community.com

Spoofed SMS messages impersonating Globe, a major provider of telecommunications services in the Philippines. The message invites users to click dubious links supposedly to claim their Globe Rewards. Source: Globe Warns vs Spoofed Messages for Rewards Claims

How SMS spoofing fraud works

We differentiate two main types of SMS spoofing fraud:

  • Sender-ID spoofing: This is when a scammer pretends to be someone else by changing the original address of the SMS. The person receiving the message is tricked into thinking the message came from the person or organization being impersonated.
  • SMSC hijacking: Also known as MO (Mobile Originated) spoofing, this involves a scammer using special SS7 equipment to send a message through the roaming network to the Short Message Service Center (SMSC). They fake the original number and the visited MSC address. The SMS message might contain spam, phishing/smishing attempts, or malware, and it can be sent to a recipient in another domestic or international network with an SMS agreement with the victim’s operator.

How to detect and prevent SMS spoofing

For mobile operators, implementing an SMS firewall is the first step in safeguarding mobile networks and users against spoofing and other types of fraud.

An SMS firewall detects the type of SMS traffic and blocks certain types of messages from reaching mobile users.
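
As an added example (not code from this page or from any firewall product), the following shows one rule per spoofing type described above: an alphanumeric sender ID is accepted only on the route registered for it, and a mobile-originated message is accepted only if its claimed MSC matches the subscriber's recorded location. The registry, routes, numbers and the block-if-unregistered policy are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; all names, routes and numbers are hypothetical.
# Alphanumeric sender IDs and the only ingress route each brand sends on.
SENDER_ID_ROUTES = {"PAYPALUK": "aggregator-a", "GLOBE": "globe-a2p"}
# Home subscribers and the MSC address where each is currently registered,
# as the home network's location register would record it.
REGISTERED_MSC = {"447700900001": "447700900900",   # at home
                  "447700900002": "882990000001"}   # roaming abroad


@dataclass
class Sms:
    kind: str            # "A2P": business message; "MO": sent by a subscriber
    sender: str          # sender ID shown to the recipient
    route: str = ""      # ingress route (A2P only)
    msc: str = ""        # claimed visited MSC address (MO only)


def check(sms: Sms) -> str:
    """Return 'allow' or a 'block:<reason>' verdict for one message."""
    if sms.kind == "A2P":
        sender_id = "".join(sms.sender.split()).upper()
        if sender_id.isdigit():
            return "allow"                      # numeric senders: not covered here
        expected = SENDER_ID_ROUTES.get(sender_id)
        if expected is None:
            return "block:unregistered-sender-id"
        if expected != sms.route:
            return "block:sender-id-spoofing"   # known brand, wrong route
        return "allow"
    if sms.kind == "MO":
        recorded = REGISTERED_MSC.get(sms.sender)
        if recorded is None:
            return "block:unknown-subscriber"
        if recorded != sms.msc:
            return "block:mo-spoofing"          # subscriber is not at that MSC
        return "allow"
    return "block:unknown-kind"


SAMPLES = [
    Sms("A2P", "PayPal UK", route="aggregator-a"),
    Sms("A2P", "PayPal UK", route="grey-route-7"),
    Sms("MO", "447700900002", msc="882990000001"),
    Sms("MO", "447700900001", msc="882990000001"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.kind, s.sender, "->", check(s))
```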

Our Anam Protect SMS firewall solution, for example, can automatically detect, identify, and block fraudulent SMS traffic on a network. At the same time, it protects messages from legitimate businesses and organizations across partner networks.

There are also examples of governments working together with telecom providers to combat various types of fraud, including spoofing. One example is the Telecommunications Fraud Sector Charter in the UK, which lists coordinated actions and solutions to be implemented by telecommunications providers, like sharing suspicious URLs and phone numbers with the National Cyber Security Centre (NCSC) and National Fraud Intelligence Bureau (NFIB). Telecom providers will then be able to restrict access to URLs and numbers confirmed by the NCSC as used for fraud, in accordance with legal and regulatory obligations.

NAB, an Australian bank, has taken an active approach in combating spoofing attempts by partnering with telecom providers: “NAB is now placing bank phone numbers on the ‘Do Not Originate’ list to help reduce scam calls impersonating NAB numbers. The bank has also added additional protections to reduce scam messages appearing in legitimate bank text message threads.” This has resulted in a 50% reduction in spoofing cases, leading to a 70% reduction in customer losses.

How to protect yourself against spoofing as a mobile user

  • Watch out for odd phrases: If the text message uses unusual phrases like “delivery attempt,” “account deactivated,” or “immediate action required,” it might be a spoofed SMS.
  • Check the phone number: If the sender’s ID looks like a regular phone number that you don’t recognize, it’s a good idea to look it up, even if the message says it’s from a well-known company.
  • Look for spelling and grammar errors: Scammers often deliberately misspell words to get past spam filters. Be cautious if you notice spelling mistakes.
  • Be wary of weird links: If a link in the message looks too long, too short, or just strange, it could be a sign of spoofing. Consider using an online tool to check the link before clicking on it.
  • Check the sender field: In a spoofed SMS, the sender’s name and identity field won’t be clickable and will appear gray. In normal messages, this field is blue and clickable.

You can also block messages on Android and iPhone devices. If you think you have been spoofed, you should contact your mobile service provider and local authorities.

Apr 15th, 2024