Combatting SMS and phone fraud: UK government issues guidance

Combatting SMS and phone fraud: UK government issues guidance

The UK’s National Cyber Secuity Centre (NCSC) has published a guide to help make your organization’s SMS and telephone messages effective and trustworthy.

SMS and telephone calls represent an extremely effective means of mass communication. As such they are essential tools for most organizations, especially those that deal directly with the general public. Of course, they’re also great tools for cybercriminals.

Due to the many options that cybercriminals have for impersonating and spoofing, it is almost impossible to reliably tell the recipient whether the sender is who they claim to be. This means that cybercriminals are able to pose as legitimate organizations, and mimic the style of their communications.

And when email recipients receive a message that appears to be from a brand they know and trust, they might well be more tempted into clicking on a malicious link.

Important elements for communication

As a rule of thumb, the NCSC gives a few pointers to keep in mind when using SMS or phone calls.

  • Don’t ask for personal details
  • Don’t include weblinks, if possible
  • Where it is absolutely necessary to include weblinks, make sure they are human readable and easy to remember. Don’t use URL shorteners
  • Consistency is important across all channels
  • Avoid language that induces panic or implies urgency

These are exactly the points we have often given to our readers when explaining how they can recognize phishing messages. Phishers will often do the exact opposite. If you want your communication to have a positive impact on your customers or prospects, you do not want to come across as a scammer.

Speak with a single voice

As a general rule, you should make it easy for recipients to recognize the sender. Use only one or a few sender IDs, email addresses, and phone numbers, and ensure your messaging is consistent, It’s very important in larger organizations that all communications teams, including those involved in advertising, are aligned in their messaging.

Consistency has a number of benefits:

  • If your messages come from a single, well known source, it’s easier for recipients to distinguish between legitimate and fraudulent messages
  • Fewer communication channels can be better protected, making them harder for criminals to abuse
  • Official sources can list these contact details definitively, so that they become well known and searchable
  • Explaining the communications process to your customers. For example, detail the kind of information your organization would never ask for

Provide a way for your customers to independently check your communications and contact you independently, including guidance on how customers can report suspected scams impersonating your organization.

A specific tip for communications by telephone is that any service that only receives calls should be added to the Do Not Originate list. This helps prevent the number from being used to make outbound calls. In order to deal with the limitations of this protective measure, you should also make it clear that your customers will never receive a legitimate call from this number.

Planning ahead

The NCSC states that prior to starting SMS services, you should be able to answer these questions:

  • Do you plan to use SMS at all? If so, who is the supplier?
  • Does the service need two way communication?
  • What SenderID, if any, do you propose to use? (Note: a SenderID does not support two way SMS)
  • Are you planning to include weblinks?
  • Are you planning a bulk SMS campaign?
  • Is the message price lower than market rates or too low to be true? If it is, the supplier may be using ‘grey routes’ which can result in a customer data compromise.

Grey routes are basically fraudulent messaging. They’re A2P (application to person) messages, such as marketing or spam messages blasted to thousands of people, that are questionably riding on the dedicated P2P (person to person) connections of operators.

You should ensure your suppliers are signed up to the A2P Code of Conduct, take an active part in the MEF registry, and are transparent and willing to share all of their downstream providers. Unless suppliers provide data on the routing of the SMS, it is impossible to distinguish between legitimate and fraudulent SMS.

You should try to find a service provider who is as close to the operators as possible. The more suppliers between you and the operator, the more that can go wrong, including the loss or manipulation of customer data. And it also becomes harder to investigate any problems.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.