The Failure of U.S. Mobile Carriers to Protect Consumers from SMS Phishing
Executive Summary
SMS phishing, or smishing, has now surpassed email as the #1 cyber threat in the U.S., according to Proofpoint. For the first time in Internet history, SMS has become the preferred attack vector for cybercriminals, driven by its speed, low cost, and ease of execution. Given that phishing is the entry point for over 90% of all cyberattacks worldwide, one can only conclude that SMS is now the most dangerous communication channel on the internet, and smishing has become society’s biggest cyber threat. This should make it the carriers’ single biggest problem, as it’s their customers’ single biggest problem — yet they continue to rely on ineffective security measures. 🤷🏻
MetaCert conducted extensive testing across the four major U.S. carriers — Verizon, AT&T, T-Mobile, and Boost Mobile — to measure their ability to stop dangerous SMS messages before they reach consumers and business customers. The findings expose the complete failure of existing defenses, proving that only a Zero Trust approach to web links inside SMS messages can stop smishing.
Introduction
With 7.5 trillion SMS messages sent globally each year — 2 trillion in the U.S. alone — the SMS ecosystem has become a hunting ground for cybercriminals. In September 2023 alone, Americans received 19.2 billion spam text messages, a significant portion of which were highly targeted phishing attacks aimed at stealing credentials, draining bank accounts, and compromising businesses.
The telecom industry has failed to implement an effective security model, focusing on outdated, reactive measures instead of proactive, preventative solutions. Mobile carriers do not authenticate URLs inside SMS messages, leaving hundreds of millions of consumers and countless organizations vulnerable.
MetaCert’s Testing: How Every Carrier Failed
MetaCert is a U.S.-based cybersecurity spin-out company from the Irish telecom testing company Segala, which means the team behind this research has deep expertise in both SMS infrastructure and services as well as anti-phishing security. This unique combination of knowledge allowed MetaCert to design and execute an industry-leading test to measure the effectiveness of U.S. mobile carriers’ SMS security measures.
Testing Methodology
To assess the ability of U.S. carriers to detect and block SMS phishing attempts, MetaCert followed a structured testing approach covering a broad range of scam types that are commonly used by cybercriminals in the U.S. We sent 1,000 unique dangerous phishing URLs across the four major mobile networks.
Each phishing link was embedded within a fraudulent SMS message designed to replicate real-world scam tactics. The messages were carefully crafted to mimic common smishing attacks, including:
- Parcel Delivery Notifications: Messages impersonating courier services like FedEx, UPS, and USPS, claiming a package is awaiting delivery and requiring the recipient to click a link to confirm their details.
- Security Alerts: Fake notifications from banks and financial institutions warning users of suspicious activity, prompting them to verify their accounts via a provided link.
- Toll Charges and Unpaid Fines: Messages appearing to be from state transportation agencies requesting immediate payment for unpaid tolls or fines to avoid additional penalties.
- Generic Phishing Messages: Broadly applicable scams, such as fake lottery winnings, IRS tax refund notifications, and requests for urgent action related to personal accounts.
Each message containing the same phishing link was resent 5 times over 3 days to determine whether any of the carriers would eventually detect and block it.
The phishing URLs were sourced from PhishTank, OpenPhish, and MetaCert’s proprietary database — all of which contain verified dangerous links used in real-world phishing attacks.
Findings
100% of phishing messages were delivered successfully across all four networks.
- Not a single dangerous URL was detected or blocked.
- Resending the same messages multiple times produced the same results.
- No carrier intervened at any point, proving their security measures are ineffective.
How Criminals Exploit This Security Gap
Cybercriminals know exactly how to bypass SMS security measures. Their process is simple, effective, and unstoppable without a Zero Trust approach:
1. Test the New Dangerous URL
- A criminal sends their new phishing link to their own phone number using a prepaid SIM card on the target network.
- If the message is delivered, they know with 99.9% confidence that it will reach all victims on that network.
2. If the URL is Blocked, Swap It
- If, by rare chance, the phishing link is detected, they change the URL and resend it.
- They repeat this until one gets through — which typically happens in minutes.
3. Mass Distribution or Targeted Attack
- Once a working phishing URL is confirmed, the criminal launches the full attack, sending messages to thousands or millions of people on the same network. Or they might target specific employees, as they did at companies like Twilio, Microsoft, Cisco, Okta, and Uber.
- Every single mobile user on that network will receive the phishing message because the carrier has already proven it won’t block it.
Why Current Security Measures Are Useless
1. SMS Firewalls Protect Carrier Revenue, Not Consumers
SMS firewalls exist to detect and prevent spam — not phishing. Their primary goal is to stop unauthorized bulk messaging that affects carrier revenue, not to block dangerous SMS messages impersonating banks, payment providers, or government agencies.
SMS firewalls are only designed to intercept messages that are sent through service providers like Twilio and Sinch over Application-to-Person (A2P) routes. Messages sent via regular SIM cards aren’t checked by these firewalls, so it’s impossible for them to protect consumers — obviously.
Even if an SMS firewall eventually blocks a phishing link, criminals have already tested and validated their attack beforehand, making the block meaningless after damage has been done.
2. Sender ID Verification Is Easily Bypassed
Sender ID verification is completely ineffective at stopping smishing for three reasons:
- Most phishing messages come from regular SIM cards, not short codes.
- Criminals constantly change phone numbers by acquiring regular pre-paid SIM cards, where verification is irrelevant.
- Sender ID verification does nothing to verify URLs, which is how all smishing attacks succeed.
3. The 7726 Reporting System Fails to Stop Smishing
- The 7726 (SPAM) reporting system is another ineffective measure. It relies on victims to report phishing messages after they’ve been received — which means the scam has already reached consumers and done harm.
- Even worse, reported links are rarely classified and blocked because the system isn’t maintained by an SMS security company with the ability to take real action.
The Only Real Solution: Zero Trust for Web Links in SMS Messages
Unlike ineffective firewalls and Sender ID verification, Zero Trust SMS authentication applies a preventative approach that criminals cannot bypass:
- Assume all URLs in SMS messages are dangerous until verified.
- Authenticate every URL before it reaches a consumer’s device.
- If a link hasn’t been explicitly verified as safe, it should be blocked, flagged, or replaced with a safe link that directs consumers to a warning page explaining why they were protected from the original web link.
This model prevents phishing attacks from reaching consumers in the first place, eliminating the need for reactive detection.
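The difference between a reactive denylist and the default-deny rule described above can be shown with a short added example. This is not MetaCert's code: the verified-host list, the denylist, the warning-page URL, and the sample messages are all constructed for illustration, and matching on exact hostnames is an assumption about how "explicitly verified" would be decided.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample data; none of these hosts or lists come from the page.
VERIFIED_HOSTS = {"www.fedex.com", "www.usps.com"}   # explicitly verified as safe
KNOWN_BAD_HOSTS = {"fedex-redelivery.example"}       # what a reactive denylist holds
WARNING_PAGE = "https://warn.example/blocked?u="     # hypothetical warning page

# Links with a scheme, plus bare domains that phones also turn into links.
URL_RE = re.compile(r"(?i)\b(?:https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?)")

def host_of(url):
    """Lower-cased hostname the link really resolves to, or None if unparseable."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    try:
        host = urlsplit(url).hostname   # the host after any "user@" prefix
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def find_urls(text):
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]

def denylist_delivers(text):
    """Reactive model: deliver unless a host is already known to be bad."""
    return all(host_of(u) not in KNOWN_BAD_HOSTS for u in find_urls(text))

def zero_trust_rewrite(text):
    """Default-deny model: return (text with unverified links replaced, blocked)."""
    blocked = []
    def check(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")
        if host_of(url) in VERIFIED_HOSTS:   # exact host match, never a suffix
            return raw
        blocked.append(url)
        return WARNING_PAGE + quote(url, safe="") + raw[len(url):]
    return URL_RE.sub(check, text), blocked

if __name__ == "__main__":
    # Constructed messages: a denylisted link, the same scam with a swapped URL,
    # and a message carrying a verified link.
    for sms in ("Parcel held: https://fedex-redelivery.example/confirm",
                "Parcel held: https://fedex-redelivery2.example/confirm",
                "Track your parcel at https://www.fedex.com/track."):
        print(denylist_delivers(sms), zero_trust_rewrite(sms))
```

The second message passes the denylist because its host has never been seen before, while the default-deny filter replaces the link without needing any prior knowledge of it.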
Final Warning: Without Change, Smishing Will Remain Unstoppable
Cybercriminals have perfected their techniques to bypass current defenses. As long as ineffective security measures remain the focus, smishing in the US will continue to grow — faster and more effectively than ever before.
The telecom industry must acknowledge that it cannot solve this problem alone. The cybersecurity industry is responsible for protecting businesses and individuals from digital threats, just as it has done for email security, endpoint protection, and network defense. Email providers didn’t develop their own security solutions — they relied on cybersecurity companies to do it for them. The same must happen with SMS security. Where is Cisco, a leader in network security, to help address this growing crisis? Until the telecom industry partners with cybersecurity experts who specialize in phishing prevention, smishing will remain an unstoppable threat.
The only question left: Will the telecom industry take action before it’s too late?