What is smishing?
SMShing, smishing or SMS phishing is a phishing technique that uses SMS. It is a scam that works like email phishing, but comes from a phone number. A cybercriminal tries to obtain personal or banking information, or money directly, from the recipient of an SMS message by impersonating a brand or government service (bank, parcel delivery, CPAM, Ameli or any other well-known brand).
In 95% of cases, this fraudulent SMS contains a URL that redirects victims to a website that looks as similar as possible to that of the organization that is supposed to be the sender, in order to inspire confidence. The victim is then asked to enter his or her banking information, which is then used to withdraw a sum of money, sometimes on a recurring basis.
In other SMS phishing attempts, the fraud consists of offering to download an application "update", which is actually a copy of a trusted application that acts as spyware on the phone.
In some rare, but increasingly common, cases, scammers invite you to call a number so that an accomplice on the other end of the line can obtain your information.
Scammers work hard to get the victim to take action: the supposed sender is always a very serious company or a critical service, and the message creates a sense of urgency in the victim.
Examples of smishing:
HEALTH INSURANCE: Your new card is available.
Fill out this form to stay covered: http:gros.spam.c
Pole Emploi: Your CPF balance is available.
Protect it before XX or it will be lost: http:encoreduspam.c
SMS phishing on the rise:
Since the beginning of the year, French mobile subscribers have been subjected to numerous smishing attacks. Operators and the AF2M (French Association for the Development of Multi-operator Multimedia Uses) have noticed an explosion of frauds. At the top of the list: CPF scams, social fraud under the name of Ameli or CPAM, banks, and Amazon or Chronopost deliveries that would supposedly need postage...
The trend has really increased in the last few months, to the point that French operators and aggregators, in consultation with the AF2M, have decided to implement new rules regarding the sending of Push SMS (A2P).
The new rules implemented by the operators:
All stakeholders (French operators, AF2M, A2C*, aggregators...) have agreed to change the rules for sending SMS messages, in order to protect the identity of "sensitive" brands that may be used and to guarantee more security for mobile users.
The main measure of this commission is the limitation of the use of OADC (Sender ID), otherwise known as personalized senders. All senders of so-called sensitive brands, or resembling a sensitive brand, are prohibited, a priori.
In the same way, overly generic Sender IDs like "SMS Info" are forbidden.
SMS aggregators are responsible for implementing these measures. smsmode© in particular has implemented a series of filters and an artificial intelligence system to whitelist or blacklist OADCs.
* Association of Independent CPaaS and CCaaS Actors
What about Sender IDs for real "sensitive" brands?
Naturally, "sensitive" brands retain the right to use their name and its variations as a personalized sender. To ensure this in complete security, each aggregator is asked to provide operators with the list of permitted senders, as they belong to the brands they represent. This authorization takes the form of a letter/form, addressed to the operators and signed by both parties, giving the subcontractor the authorization to use the Sender ID(s) of the brand concerned.
Once unlocked, the brand's outsourced platform can route the messages without the SMS being stopped by anti-spam filters.
smsmode© goes one step further in the fight against phishing:
To ensure maximum security for users, and to be proactive in tackling the real problem of SMS phishing, smsmode© has decided to go one step further.
Our finding: the overwhelming majority of SMS phishing attempts use a URL to redirect potential victims to a fraudulent site to capture the information.
To ensure a secure SMS experience for its customers, smsmode© has set up additional filters specifically for URLs.
What changes for you, our customers:
Sender ID changes:
Rest assured, personalized senders are still part of the smsmode© range.
To continue using your Sender ID, the first step is to have your account/organization validated by our services. You can then provide us with the list of Sender IDs you wish to use for your SMS campaigns.
If you have an organization (a parent account with multiple sub-accounts) and you pass the validation process, all your sub-accounts will be automatically validated.
Once your account is validated, you will be able to use the Sender IDs on your list. If, however, you send a message with an unknown sender that is not included in your list of predefined senders, the message will not be sent and will be marked as an error (visible in your account space).
If your account is not validated, you will not be able to customize your Sender ID. If you attempt to do so, your sender will be overwritten and replaced by the default OADC (a shortcode in most cases).
This new mechanism has been added to all our services.
Changes related to URLs:
In order to continue integrating URLs into your campaigns, we invite you to let us know which legitimate URLs you wish to send to France, by sending your list to email@example.com.
All messages containing unverified URLs will be blocked by our platform.
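The Sender ID and URL rules described above can be modelled as a single routing decision. This is an added example, not smsmode© code: the account fields, the `route` function, the placeholder shortcode and the order of the checks (URL filter first) are assumptions, and URL hosts are compared by exact match so that a lookalike host is not accepted.

```python
import re

DEFAULT_OADC = "38000"  # constructed placeholder for the platform's default shortcode

# Host with optional scheme, then the rest of the URL (consumed so that path
# segments such as "index.html" are not mistaken for a second host).
URL_RE = re.compile(r"(?:https?:/*)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?", re.I)

def hosts_in(text):
    """Return the set of lower-cased host names found in an SMS body."""
    return {h.lower() for h in URL_RE.findall(text)}

def is_validated(accounts, name):
    """A sub-account is validated when it or its parent organization is."""
    acct = accounts[name]
    parent = acct.get("parent")
    return acct.get("validated", False) or (
        parent is not None and accounts[parent].get("validated", False))

def route(accounts, name, sender, text):
    """Return (status, sender_used, reason) for one outgoing message."""
    acct = accounts[name]
    # Exact host match only: "shop.example.evil.test" must not pass as "shop.example".
    unverified = sorted(hosts_in(text) - set(acct.get("urls", ())))
    if unverified:
        return ("BLOCKED", None, "unverified URL host: " + ", ".join(unverified))
    if not is_validated(accounts, name):
        return ("SENT", DEFAULT_OADC, "custom sender overwritten")
    if sender not in acct.get("sender_ids", ()):
        return ("ERROR", None, "sender not in predefined list")
    return ("SENT", sender, "ok")

# Constructed sample accounts and messages.
ACCOUNTS = {
    "org": {"validated": True, "sender_ids": ["MyShop"], "urls": ["shop.example"]},
    "sub": {"parent": "org", "sender_ids": ["MyShop"], "urls": ["shop.example"]},
    "new": {"validated": False, "sender_ids": [], "urls": []},
}

if __name__ == "__main__":
    for args in [
        ("sub", "MyShop", "Your order shipped: https://shop.example/track/index.html"),
        ("sub", "MyShop", "Confirm now: shop.example.evil.test/login"),
        ("org", "OtherBrand", "Your appointment is confirmed."),
        ("new", "MyShop", "Welcome to our service."),
    ]:
        print(args[0], route(ACCOUNTS, *args))
```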
Will these new rules be enough to stop smishing?
These protective measures are useful in protecting the A2P market, as they are able to guarantee that no fraud or scam will pass through a reputable aggregator such as smsmode©.
On the other hand, most smishing traffic goes through grey or low-cost routes (via classic SIM cards) where the SMS is sent from a 06 or 07 number, without a Sender ID. This type of filtering is therefore not possible there.
According to AF2M, 98% of smishing attempts reported to 33 700 come from illegal routes (grey route or SIM farm).
On this subject, the ball is in the court of the operators, who must fight against these illegal routes that serve the market. Of course, smsmode© does not use any grey routes.
However, a solution to this problem has already been found by the operators. The dialogue between brands and customers will in the future only take place on numbers starting with 09. A radical solution that should make it possible to draw a definitive line under smishing.
These measures may seem restrictive, but they are truly necessary to (re)build trust within the A2P SMS market. Choosing a partner who is committed to fighting fraud, who is directly connected to operators and who does not use any grey routes is becoming more and more important. The SMS Push market is also moving towards more and more controls on the URLs used, to limit the performance of these fraudulent marketing campaigns, so it seems imperative to turn to a partner that allows you to control the senders and be in good standing.