Email Phishing vs SMS Phishing And Why We Should Stop Blaming Mobile Operators for SMS-Led Attacks

Why I wrote this article

Paul Walsh
METACERT


Nobody blames email service providers for email-led phishing, yet everyone blames SMS service providers for SMS-led phishing. I’d like to explain why this is wrong, and how we should manage our expectations accordingly.

Let’s first look at what email and SMS have in common, and what sets them apart from the perspective of marketing, and therefore of phishing — phishing is just a name given to well-executed marketing campaigns.

Email and SMS have similar characteristics:

  1. Messages can contain text and URLs.
  2. They’re both open channels — anyone can send a message to any other person in the world, no matter who their service provider is.
  3. Senders don’t need to be connected to recipients — unlike other channels such as Slack, Messenger, Social Networks, Skype, WhatsApp et al.
  4. It’s easy for social engineers to find a person’s email address or phone number.
  5. It’s easy to broadcast one message to many at low cost.
  6. Many brands and financial institutions use email and SMS more than any other channel to build better relationships with customers.
  7. When sending a message, it’s easy to impersonate a person or entity.
  8. When opening a message, it’s hard to know if it’s from a legitimate person or entity, or from a threat actor impersonating them.
  9. It’s fast and easy to create a lookalike sender ID to spoof a legitimate sender.
  10. Blocking an email address or phone number doesn’t stop threat actors — at all.
  11. It’s easy to trick recipients with lookalike URLs that are deceptive.
  12. Both email and SMS have anti-spam filters, but neither is effective or reliable at detecting phishing URLs.

The striking differences make SMS more attractive to marketers, and to attackers who find it easy to impersonate marketers

  1. The average open rate for email sits between 28% and 33% according to data from Hubspot. The average open rate of a text message sits at about 99%, with 97% of messages being read within 15 minutes of delivery.
  2. Click-through rates differ sharply: email marketing tends to generate a rate of 6–7%, whereas SMS generates rates of around 36%. In this plugged-in, ‘always on’ marketing landscape, levels of engagement on any mobile platform are far higher than on non-mobile marketing platforms, and are only growing.
  3. Emails can contain many danger signals that help people avoid links from senders they don’t know. SMS has room for a few words and one URL, which makes it harder to avoid links from unknown senders. There’s certainly not enough text for AI-based content analysis to be meaningful for SMS-led phishing: “Install our app to track your parcel delivery” could be from a legitimate delivery company or from an impersonator. The only honest answer is that you and I don’t know.
  4. Brands and banks use branded URLs when sending emails, but very different, non-branded URLs when sending SMS messages, so recipients have no consistent domain to check against. Marketers are unaware of the effect this has on security; criminals who specialize in phishing have a very deep understanding of all of this, and more.
  5. An email sender ID is hard to verify, but still 100x easier than trying to identify a phone number. Outside the telco world, nobody looks at the sender ID when deciding whether to trust a text message, so verifying the sender ID is great for reducing spam-related traffic but completely useless for anti-phishing security.

About email service providers

Most of the world’s email is powered by a small handful of service providers — such as Google and Microsoft. For the sake of simplicity, let’s focus on Google. Google provides Gmail as a free service for consumers, while G Suite is a paid service for business and enterprise customers. Even if your email is name@companyname.com it’s likely your organization routes all traffic through G Suite.

Google should be able to stop email-led phishing attacks

  • Google is one of the biggest cybersecurity vendors in the world.
  • Google owns an anti-spam filter for email.
  • Google owns one of the world’s biggest cyber threat intelligence systems that most security vendors rely on for their own products and services.
  • Google owns an email client for Android, iOS, Windows, Mac OS and the web.
  • Google owns the browser (Chrome) that many people use to access webmail. And if they use a desktop client, all links will open inside the default browser — which is Chrome for the vast majority of the world.
  • In summary, Google owns almost the entire technology stack, with one of the world’s most widely adopted URL threat feeds (Safe Browsing) built in.

We NEVER blame Google

I’m not saying we should blame Google — I’m merely making an observation. Whenever there’s a security incident that involves a phishing email, we blame the organization and their inability to protect their corporate network and customer data.

We NEVER blame Google for failing to detect deceptive URLs inside emails that pass through their tech stack as described above.

Why do we treat SMS service providers differently?

About SMS service providers

In the context of SMS and this article, mobile operators are “SMS service providers” — such as BT and Vodafone. For the sake of simplicity, let’s focus on Vodafone.

Why Vodafone should NOT be able to stop SMS-led phishing attacks

  • Up to now, the cybersecurity industry hasn’t had a category for SMS — the market isn’t big enough to warrant an investment in possible solutions. No category = no security products or services. ZERO cybersecurity for SMS. Until MetaCert pioneered the first URL-based security service for mobile device OEMs, mobile apps, and then Slack, no security solution existed, and no stakeholder cared enough to discuss it. SMS today is the very same.

Today, MetaCert is the ONLY cybersecurity company in the world that is offering an anti-phishing security solution for mobile operators who want to protect subscribers from SMS-led attacks like FluBot. Other security vendors are offering an endpoint or network-based solution for detecting “FluBot” — there’s nothing that will prevent a person from opening a link to an app which contains malware. Please correct me as soon as you find a security vendor with an SMS-led solution.

  • Anti-spam filters for SMS (i.e. SMS Firewalls) are similar to anti-spam filters for email — they are very effective at blocking unsolicited sales and marketing messages from spammers.
  • Anti-spam filters are not reliable or effective at detecting deceptive URLs unless those URLs are already classified as “dangerous”, and only then if the filter is fed by at least one anti-phishing threat intelligence provider. This is not something that should be built internally; most security vendors license threat feeds from companies like Google, MetaCert, Akamai and Symantec.
  • Almost every successful phishing attack uses a URL that is not yet classified as “dangerous”.
  • Most threat actors use phishing URLs in the same way that most people treat single-use water bottles. They’re used once and then discarded.

Traditional anti-phishing security won’t work for SMS, unfortunately. It’s no longer reliable or effective to…

Assume every URL is safe… until… confirmed… as… dangerous.

Whenever there’s a successful SMS-led phishing attack, subscribers take their concerns to social media. For this reason, it’s easy to test the security posture of every network in the world — for you, me, and for criminals who know these systems better than most.

The solution for SMS phishing

A Zero Trust strategy.

Assume every URL is dangerous, unless verified.
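The difference between the two models is easiest to see when both are run over the same messages. The following is an added example (not MetaCert’s product and not code from the original article) that extracts the URL from constructed SMS bodies and applies first the traditional check (allow unless the domain is already on a blocklist) and then the zero-trust check (block unless the sender ID is verified and every link lands on a domain registered for that sender). The sender IDs, domains, blocklist and allowlist are all hypothetical. It also covers the non-branded-URL problem raised earlier: a real marketer sending a shortener link is treated exactly like an impersonator until that domain is registered for the brand.

```python
"""Blocklist (default allow) vs. zero-trust allowlist (default deny) over SMS links.

Added example, not part of the original article. All sender IDs, domains,
the blocklist and the allowlist below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical "already classified as dangerous" feed.
KNOWN_BAD_DOMAINS = {"flubot-apk-download.example"}

# Hypothetical allowlist: verified sender ID -> registrable domains it may link to.
VERIFIED_SENDERS = {
    "ParcelCo": {"parcelco.example"},
    "MyBank": {"mybank.example"},
}

# Matches bare or scheme-prefixed URLs; the scheme is optional because SMS
# bodies frequently omit it.
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")


def extract_urls(text):
    """Return every URL-looking token in an SMS body, with a scheme prepended if missing."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:)")          # drop trailing sentence punctuation
        if not u.lower().startswith(("http://", "https://")):
            u = "http://" + u
        urls.append(u)
    return urls


def registrable_domain(url):
    """Last two DNS labels of the host, e.g. verify-now.example for a.b.verify-now.example.

    Caveat: production code must consult the Public Suffix List so that a host
    such as bank.co.uk is not reduced to co.uk; the two-label rule is a simplification.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def blocklist_verdict(sender, text):
    """Traditional model: every URL is safe until its domain is on the blocklist.

    The sender ID is deliberately ignored; this model only looks at the link.
    """
    for url in extract_urls(text):
        if registrable_domain(url) in KNOWN_BAD_DOMAINS:
            return "block"
    return "allow"


def zero_trust_verdict(sender, text):
    """Zero-trust model: every URL is dangerous unless the sender ID is verified
    and every link resolves to a domain registered for that sender."""
    allowed = VERIFIED_SENDERS.get(sender)
    if allowed is None:
        return "block"                          # unverified or lookalike sender ID
    for url in extract_urls(text):
        if registrable_domain(url) not in allowed:
            return "block"                      # unregistered domain, seen before or not
    return "allow"


# Constructed SMS messages: (sender ID, body). Messages 1-3 carry identical
# wording; only the link differs, which is all a filter has to go on.
SAMPLE_SMS = [
    ("ParcelCo", "Install our app to track your parcel delivery: https://parcelco.example/app"),
    ("ParcelCo", "Install our app to track your parcel delivery: https://parcelco-delivery.example/app"),
    ("ParcelCo", "Install our app to track your parcel delivery: http://flubot-apk-download.example/a.apk"),
    ("MyBank",   "Your account is locked. Verify now at mybank.example.verify-now.example/login"),
    ("MyBank",   "Your statement is ready: https://r.lnk.example/x1"),
    ("Parce1Co", "Install our app to track your parcel delivery: https://parcelco.example/app"),
]


def compare(messages=SAMPLE_SMS):
    """Return (blocklist verdict, zero-trust verdict) for each message, in order."""
    return [(blocklist_verdict(s, t), zero_trust_verdict(s, t)) for s, t in messages]


if __name__ == "__main__":
    for (sender, text), (bl, zt) in zip(SAMPLE_SMS, compare()):
        print(f"{sender:9} blocklist={bl:5} zero_trust={zt:5}  {text}")
```

Only the third message, whose domain is already on the blocklist, is caught by the traditional model; the unseen lookalike domain, the subdomain trick and the lookalike sender ID all pass it. The zero-trust model blocks all of them, but it also blocks the fifth message, a genuine bank using a non-branded shortener. That is the operational cost implied above: a brand has to register every domain it sends from, or its own campaigns are indistinguishable from impersonation.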

Summary

We should stop pointing the finger at mobile operators for SMS-led attacks. It’s not their fault, and it’s a hard problem to solve. In fact, if email security were effective and reliable, 2020 wouldn’t have been the worst year on record for phishing, with 2021 on target to be worse. Email security sucks, but nobody talks about that because security incidents happen behind closed doors.

Related articles that you might be interested in:

An Open Letter to Mobile Operators: How to Stop SMS Phishing Attacks

What a Zero Trust strategy for SMS means

How Mobile Operators, Brands, and Banks Can Build Better SMS Marketing Campaigns


MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.