Open in app

Sign in

Write

Sign in

An Evaluation of SMS Phishing Defenses: How UK Mobile Operators Are Failing to Protect Banks, Payment Providers, and Their Customers from Fraud

Paul Walsh
8 min readJust now

Introduction

SMS phishing, or smishing, has now overtaken email as the leading cyber threat in the UK. Research by ProofPoint shows 86% of UK organizations faced attempted smishing attacks in 2022, the highest rate worldwide.

Smishing involves sending fraudulent text messages that impersonate trusted entities like banks, delivery services, or government agencies. Attackers aim to lure recipients into clicking malicious links, sharing sensitive data, or installing malware. Unlike spam, smishing is highly targeted and exploits the trust people place in SMS, making it one of the most effective phishing methods today.

The Scale of Smishing in the UK

Around 7.5 trillion SMS messages are sent globally each year — nearly 36 billion in the UK in 2022. This massive volume makes SMS a prime target for fraud. In summer 2023, about 45 million people in the UK reported receiving possible scam texts or calls. Of these, 82% noted suspicious messages via text, recorded voice, or live calls. These carefully crafted phishing attacks aim to steal logins, drain accounts, and compromise businesses.

Despite the ongoing threat since 2019, UK operators have not adopted an effective security model. They still rely on outdated, reactive approaches rather than proactive, preventive solutions. One key oversight is the failure to authenticate links in SMS messages, leaving countless organizations and their customers exposed.

Email Links Are No Longer the Primary Concern

For the first time in internet history, cybercriminals have shifted away from email toward SMS as the most favoured method of impersonating trusted contacts and brands. It’s fast, cost-effective, and easy to use, allowing both targeted attacks on businesses and large-scale phishing campaigns on consumers.

SMS Firewalls Aren’t What Most People Assume They Are

Mobile operators rely on “SMS firewalls” to detect suspicious bulk messaging patterns that might bypass billing systems. However, these firewalls do not stop smishing. Spam detection focuses on high-volume messaging, specific content, and known sender profiles, but phishing attacks are designed to look legitimate, making them appear identical to genuine messages. These attacks slip past simplistic filters meant to detect spam, not sophisticated phishing.

Proof That Traditional Anti-Phishing Security Is Fundamentally Flawed

Although some careless scammers reuse obvious templates, savvy criminals constantly test their own messages by sending them to their own devices. If blocked, they tweak the URL or reword the text until it bypasses detection. Once it’s successful, they proceed with massive campaigns, confident that every target will receive the fraudulent message.

For 20 years, anti-phishing security has centered on blocking known malicious links. MetaCert’s SMS testing now confirms this approach is flawed. Since attackers test and iterate in real time, relying on recognized threats is no longer viable. They only need a single working variant to succeed, and when they find it, they can launch widespread attacks across an operator’s entire network. Because SMS firewalls and other tools depend on historical threat intelligence, unknown phishing links easily evade detection.

Why Sender ID Verification Fails to Stop Smishing

Sender ID verification is often promoted as a way to solve SMS phishing. It offers little protection against the real threat. While it may reduce impersonation of specific brands through A2P (Application-to-Person) channels, most phishing activity doesn’t happen over A2P.

Cybercriminals avoid A2P service providers like Twilio and Sinch — which SMS firewalls monitor — and instead use standard SIM cards in phones or SIM banks to send messages via P2P (Person-to-Person). These communications are not monitored as closely. Because SMS firewalls were designed primarily to protect operator revenue rather than security, they focus on blocking unauthorized bulk traffic. Meanwhile, attackers keep rotating phone numbers to mimic genuine communications, so there’s no reliable way to block them or validate their sender details.

The 7726 Reporting System Also Fails to Stop Smishing

The 7726 (SPAM) reporting system is another weak response. It only takes action once a victim has already received a phishing message. By that time, it may be too late. Worse, most reported links aren’t categorized and blocked quickly enough because the system isn’t run by an SMS security-focused service that can swiftly intervene.

Why Stopping Smishing Should Be a Top Priority for UK Mobile Operators

Smishing is responsible for opening the door to over 90% of online fraud, identity theft, ransomware, espionage and state-sponsored attacks, and SMS is now more dangerous than email. It should top the priority list for major UK operators BT (EE), Vodafone, O2, and Three. However, they continue using ineffective SMS firewalls and claim to block more than 98% of “dangerous” messages, when they’re likely referring to spam that evades billing, not highly targeted phishing from criminals impersonating banks, payment providers, and trusted entities.

In January 2025, MetaCert ran comprehensive tests on EE (BT), Vodafone, O2, and Three to check whether they could stop harmful SMS messages from reaching consumers. The results confirm a widespread breakdown of existing defenses and highlight that only a Zero Trust approach to SMS links can effectively thwart smishing.

MetaCert’s Testing: How Every Operator Failed

Testing Methodology

MetaCert’s testing demonstrates that criminals don’t need to swap URLs or alter text to beat current filters. We sent 1,000 distinct, dangerous phishing URLs across the four main UK networks. Each link was embedded in a fraudulent SMS closely mirroring real-life scams, including fake parcel delivery notices, security alerts, unpaid tolls/fines, and generic phishing attempts like tax refunds or lottery wins.

Every phishing message was re-sent five times over three days to see if any operator would detect and block it later. The URLs used came from PhishTank, OpenPhish, and MetaCert’s own database — all verified malicious links used in past phishing attacks.

Findings

🚨 100% of phishing messages were delivered on all four networks.

🚨No dangerous link was ever flagged or blocked.

🚨Re-sending identical messages yielded the same results each time.

🚨No operator stepped in, proving their security measures don’t work.

The Only Real Solution: Zero Trust — The Gold Standard in Cybersecurity

Zero Trust works on the principle of “never trust, always verify.” It treats every request for access as untrusted by default and requires strict authentication and continuous validation. While most discussions of Zero Trust revolve around three pillars — users, devices, and network access — MetaCert adds a fourth pillar: URLs and IP addresses.

Applying Zero Trust to SMS

  • Treat every SMS link as dangerous unless verified.
  • Authenticate all URLs before they reach any device, just as Zero Trust demands user and device verification before granting network access.
  • If a link isn’t marked as safe, block it, flag it, or replace it with a safe redirect that explains why the original link was blocked.

This preventative stance stops phishing messages from ever reaching their targets, removing the need to rely on belated detection or user warnings.

Warning: Without Change, Smishing Will Remain Unstoppable

Cybercriminals have perfected methods to dodge current defenses. As long as operators focus on outdated measures, smishing will continue to accelerate. UK consumers, businesses, and financial institutions will remain at risk of fast-growing, highly effective SMS fraud. But it’s not their fault because aside from MetaCert, no cybersecurity company has offered a solution.

Where Is Cisco, ProofPoint, F5 and Palo Alto Networks?

MetaCert asked several leading UK and US operators to request a network-based solution from Cisco that would protect subscribers from smishing. They were told no such solution exists, despite Cisco’s claims of selling the industry’s leading anti-phishing security solution. In 2022, Cisco itself was breached when attackers impersonated Cisco’s own security alerts and branded login page via SMS-based phishing, exposing customer data and demonstrating that its current defenses failed to protect its own employees (Talos Intelligence).

If Cisco is being invited to solve one of the biggest global cyber threats — one that would both generate significant revenue and protect its own customer data — why isn’t it stepping up? It may be that Cisco, like F5, Palo Alto Networks, ProofPoint and others, recognizes that a decades-old approach to internet security is flawed, as shown throughout this report.

Cisco stands as a worldwide leader in network security and is also a major telecom vendor. Yet it remains conspicuously absent from addressing this crisis. Until the telecom sector partners with dedicated cybersecurity experts, smishing will stay an unstoppable threat.

Telecom’s Neglect of SMS Vulnerabilities and the Need for Dedicated Cybersecurity Expertise

Operators and industry bodies like the GSMA, MEF, and Ofcom (UK regulator) have overlooked or neglected crucial vulnerabilities in SMS infrastructure. Meanwhile, phishing has existed since 1996 when it was first noticed on the AOL network, and I was among the initial high-profile victims of impersonation inside email, chatrooms, and AIM. Since 2019, SMS has become the favoured channel for attackers, marking a pivotal shift in digital communications.

The telecom sector must accept it cannot address this alone. The cybersecurity industry handles protection against email threats, endpoint intrusions, and network compromises — it must also handle SMS protection. Just as email providers, computer manufacturers, and network operators rely on specialized security experts, mobile operators need the same cybersecurity expertise to combat smishing.

About MetaCert

MetaCert is a VC-backed US-based cybersecurity company spun out of an Irish mobile operator testing firm once on the preferred supplier list for most operators across the UK and Ireland. Several MetaCert team members involved in this SMS security evaluation previously oversaw SMS and MMS infrastructure testing at O2 UK and Vodafone Ireland. In the early to mid-2000s, I led O2’s launch of every MMS system and service across the UK, Ireland, Germany, and the Netherlands, equipping MetaCert with deep insights into messaging infrastructure and anti-phishing techniques.

MetaCert pioneered a Zero Trust SMS solution — validated on a live European operator’s network — that represents the first major security upgrade for internet security in nearly two decades. This real-world validation illustrates the effectiveness of treating all SMS-based URLs as dangerous until verified, underscoring the need for cybersecurity providers to pivot away from legacy detection methods and embrace a Zero Trust approach. Meanwhile, the same 2000s-era SMS infrastructure remains unchanged, presenting attackers with a static and predictable target.

International Testing: Same Results in the US, Spain, and Australia

MetaCert carried out comparable tests in the United States, Spain, and Australia, with identical outcomes. You can review MetaCert’s findings in the US here. Additional reports for Spain and Australia are forthcoming.

Smishing
Cybersecurity
Mobile
Sms

--

--

Paul Walsh
Paul Walsh

Written by Paul Walsh

1.9K Followers
37 Following

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams