smsmode© combating smishing
Romain Didelot
Share :
Introduction
Faced with an ever-increasing number of cases of smishing, the authorities, operators and telephone aggregators have decided to take action. New rules have been introduced to protect telephone subscribers from costly SMS scams. The most important: strict control of Sender IDs (customized transmitters). smsmode© has decided to go one step further in prevention, by filtering the common point of 95% of phishing attempts via SMS : The URL contained in SMS. Find out why smsmode© is committed to and what this means for you, our service users.
What is smishing?
Smshing, smishing or SMS phishing is a phishing technique via SMS. It's a scam that works like email phishing, but from a telephone number. A cybercriminal attempts to extract personal or banking information, or money directly, from the recipient of a SMS message, using the identity of a brand or government service (bank, parcel delivery service, CPAM, Ameli or any other well-known brand).
In 95% of cases, this fraudulent SMS contains a URL that redirects victims to a website that looks as similar as possible to that of the organization purporting to be the sender, in order to inspire confidence. Victims are then asked to enter their bank details in order to withdraw a sum of money, sometimes on a recurring basis.
In other SMS phishing attempts, the fraud consists of offering to download an application "update", which is in fact a copy of a trusted application, acting as a spyware malware on the phone.
In some rare, but increasingly common, cases, scammers invite you to call a number so that an accomplice on the other end of the line can obtain your information.
Scammers redouble their efforts to incite the victim to action, the supposed sender of the fraud is always a very serious company or a critically important service, and by creating a sense of urgency in the victim.
Example of smishing
35780
HEALTH INSURANCE: Your new card is now available.
Fill in this form to stay covered: http:gros.spam.c
35780
Pole Emploi: Your CPF balance is available.
Protect it before XX or it will be lost: http:encoreduspam.c
Phishing on the rise at SMS
Since the beginning of the year, French mobile subscribers have been subjected to a large number of smishing attacks. Operators and the AF2M (Association française pour le développement des usages Multimédia Multi-opérateurs) have noted an explosion in fraud. Top of the list: CPF scams, social fraud under the name of Ameli or CPAM, banks, Amazon or Chronospost deliveries requiring postage...
The trend has really taken off in recent months, to the point where French operators and aggregators, in consultation with AF2M, have decided to introduce new rules for sending SMS Push (A2P).
The new rules introduced by operators
All stakeholders (French operators, AF2M, A2C*, aggregators, etc.) have agreed to change the rules for sending SMS, in order to protect the identity of "sensitive" brands likely to be used, and guarantee greater security for mobile users.
The committee's key measure is to restrict the use of OADCs (Sender IDs), otherwise known as personalized senders. All senders of so-called sensitive brands, or those resembling a sensitive brand, are banned, a priori.
Similarly, overly generic Sender IDs such as " SMS Info" are prohibited.
To ensure the implementation of these measures, aggregators SMS, smsmode© in particular, have implemented a series of filters and an artificial intelligence system to whitelist or blacklist OADCs.
*Association of Independent CPaaS and CCaaS Players
What about Sender Ids for real "sensitive" brands?
It goes without saying that "sensitive" brands retain the right to use their name and its variations as a personalized transmitter. To ensure this, each aggregator is asked to provide operators with a list of authorized issuers, as they belong to the brands they represent. This authorization takes the form of a letter/form, addressed to the operators and signed by both parties, giving the subcontractor authorization to use the Sender ID(s) of the brand concerned.
Once unlocked, the brand's outsourced platform can route messages without SMS being stopped by anti-spam filters.
- smsmode© goes one step further in the fight against phishing:
To ensure maximum security for users, and to be proactive with regard to the real problem of phishing via SMS, smsmode© has decided to go one step further.
Our findings: the overwhelming majority of SMS phishing attempts use a URL to redirect potential victims to a fraudulent site to capture information.
smsmodeFor this reason,© has implemented additional filters, specifically for URLs, to guarantee its customers a secure SMS experience.
What's new for you, our customers
Sender ID changes:
Rest assured, the personalized sender is still part of smsmode©.
To continue using your Sender ID, the first step is to have your account/organization validated by our services. You can then provide us with the list of Sender IDs you wish to use for your SMS campaigns.
If you have an organization (a parent account with multiple sub-accounts) and you pass the validation process, all your sub-accounts will be automatically validated.
Once your account is validated, you will be able to use the Sender IDs of your list. If however you send a message with an unknown sender, not included in your list of predefined senders, the message will not be sent and will be in error (visible on your space).
If your account is not validated, you will not be able to customize your Sender ID. If you attempt to do so, your sender will be overwritten and replaced by the default OADC (a shortcode in most cases).
This new mechanism has been added to all our services.
URL changes :
To be able to continue integrate URLS into your SMS campaignscampaigns, we invite you to let us know which legitimate URLs you wish to send in France by sending your list to smsmode
All messages containing unverified URLs will be blocked by our platform.
Will these new rules be enough to stop smishing?
These protective measures are useful in protecting the A2P market, as they are able to guarantee that no fraud or scam will pass through a reputable aggregator as smsmode©.
On the other hand, most smsishing traffic is sent via low-cost or gray routes (using standard SIM cards), where the SMS is sent by an 06 or 07 number, without Sender ID. This type of filtering is therefore not possible.
According to AF2M, 98% of smishing attempts reported to 33 700 come from illegal routes (gray routes or SIM farms).
On this subject, the ball is in the court of the operators, who must fight against these illegal routes that serve the market. Of course, smsmode© does not use any grey routes.
However, a solution to this problem has already been found by the operators. In future, dialogue between brands and customers will only take place on numbers beginning with 09. A radical solution that should make smishing a thing of the past.
Conclusion
These measures may seem restrictive, but they are really necessary to (re)establish a climate of trust within the A2P SMS . Choosing a partner who is committed to fighting fraud, has a direct connection with operators and doesn't use any grey routes, is becoming increasingly important. The SMS Push market is also moving towards more and more controls on the URLs used to limit the performance of these fraudulent marketing campaigns, so it seems imperative to turn to a partner who allows you to control the senders and be in good standing.
Try out our SMS platform and benefit from 20 free test credits, with no obligation.