Exposing the Truth: Why Sender ID Checking Fails to Stop SMS Phishing Attacks

Paul Walsh
Jun 29, 2023

Some people believe that it’s possible to stop SMS phishing campaigns and targeted SMS phishing attacks on companies and government agencies by verifying the identity of individuals and companies who send SMS messages.

For the vast majority (99.9%) of my network who may not have in-depth knowledge about SMS infrastructure and the immense revenue streams generated from SMS traffic, let me shed some light. While I spearheaded technical and acceptance testing for major SMS and MMS infrastructure projects for numerous operators during the 2000s, I was oblivious to the following insights until I delved into SMS security. Phishing via SMS is relatively new, which is why no security company in the world offers a security solution to mobile operators, except for one — MetaCert. I now reside at the intersection of SMS cybersecurity and feel like my entire career has led me to this very point.

The knowledge I now possess is largely attributable to the valuable teachings of an old colleague and friend, Stuart Mitchell.

Brands, parcel delivery companies, and banks like Uber, UPS, and Bank of America use web apps to set up and manage their SMS text alerts and marketing campaigns so they can build relationships with customers. Most apps are built on top of Telco-led API companies like Twilio. Before Twilio, none of this was made possible by operators. As you might imagine, Twilio is now a valuable company because it charges a fraction of a penny for every SMS message sent by every customer.

Mobile operators benefit greatly because the more SMS messages people and entities send, the more revenue they make — and it’s VERY significant revenue. It’s so significant that they employ SMS firewalls to prevent freeloaders from building their own apps that send through normal operator SIM cards, either inside mobile handsets or in “SIM Farms”, because those SIM cards have unlimited texting. This is a major pain point for operators because it means they’re losing billions of dollars in revenue every year. The SMS firewalls should be able to detect who the senders are, provided they have had their identity verified.

So, what do you think smart cybercriminals use to send SMS phishing messages? If it’s faster, cheaper, and easier to send free messages with normal SIM cards that can’t be detected, then they will go down that route, obviously. Implementing an ID check for application-to-person (A2P) traffic might detect and stop some unwanted spam, but it does nothing for the traffic that we should care about the most: person-to-person (P2P). I understand that protecting revenue for operators is important, but I believe it’s time they focused on protecting their customers as well as their revenue.

Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.