Three important things worth considering to protect your subscribers from smishing attacks

Smishing is the SMS equivalent of phishing. When cybercriminals ‘phish’, they do so by sending fraudulent emails to trick the recipient into opening an attachment that contains malware or clicking on a malicious link to collect some sensitive data (credit card account details, passwords, etc.). Smishing simply uses text messages instead of email.

Mobile operators have a responsibility to protect their subscribers by ensuring that this kind of traffic does not happen on their network. Smishing risks the privacy and security of subscribers which, in turn, can result in serious financial damages for subscribers and operators. Ultimately, smishing can lead to a decrease of trust in the operator (reputational damage), and an increase in subscriber churn.

There has never been anything quite like the turmoil that the Covid-19 pandemic is wreaking on every aspect of our lives. It has changed the way we live, communicate and work. We have transformed, over the course of one year, into a far more virtual world. Because we’re spending more time online for everything from work and shopping to banking and state services, this increases the risk of us becoming victims of smishing. We receive more OTP, confirmation and notification messages via SMS – probably the most ubiquitous and trustworthy channel.

I know this first-hand as my mom nearly fell victim to a smishing attack recently. After doing some online shopping, she received an SMS. The message included an alphanumeric senderID of her bank name, asking her to approve the purchase by verifying her credit card details using the URL in the message. This was a classic example of smishing. Luckily for my mother, she’d forgotten her glasses and asked me to do what was required, at which point I explained that this was a smishing attack. My mom subsequently changed her mobile operator because she was upset that they had not protected her, as a subscriber, from this kind of traffic.

Since the incident, out of curiosity, I have done my own test. This was quite easy to do using GTC’s broad testing capabilities. I simply sent a phishing SMS to my two mobile numbers from different operators, using the sender IDs that those networks are using to send their subscribers important messages. Guess what? Both messages were delivered. This might sound strange, especially for people in the messaging business, who know that mobile operators deploy expensive firewalls to protect their networks from unexpected A2P SMS. But is the firewall itself enough? Does the firewall know what to block and what to let through?

Blog - smishing attacks

If you’re a mobile operator, here are three important things to consider if you want to protect your subscribers from smishing attacks and safeguard your own reputation:

1.   Make sure you have a holistic view of the type of traffic that is reaching your network and your subscribers. And find out how this is happening. This is an ongoing task as cybercrime is constantly evolving. Bypass and spam mechanisms are becoming more creative and sophisticated.

2.   Invest in constant testing of the network. Specialised and independent testing solutions will provide measurable test results that will help to constantly refine and improve the blocking mechanisms of your network, by mimicking fraudsters’ current and potential behaviour.

3.   Be proactive and not reactive. Don’t wait until your subscribers complain or, even worse, drop using your services and go to your competitor. Protect your network and subscribers, before it becomes a problem for them. If blocking grey route and SIM box deliveries are important from the perspective of revenue assurance, blocking spam and smishing messages is important from the perspective of your reputation and great customer experience. As a mobile operator, it’s in your best interest to make sure that SMS remains a trusted channel for the A2P traffic.

At the end of the day, we are all mobile subscribers so we’re all at risk when it comes to smishing attacks. However, as a reputable mobile operator, you can and should protect your subscribers from getting this type of message. Do you want to know what is happening with your own network? Are you interested in seeing how open your network is and what unexpected messages can be or are already being delivered to your subscribers? We’re here to help. Visit our website.

Global Telco Consult (GTC) is a trusted independent business messaging consultancy with deep domain knowledge in application-to-person (A2P) business messaging. GTC provides tailor-made messaging strategies to enterprises, messaging service providers, operators and voice carriers. We have expertise in multiple messaging channels such as RCS, Viber, WhatsApp, Telegram and SMS for the wholesale and retail industry.

GTC supports its customers from market strategy through service launch, running the operations and supporting sales and procurement. The company started in 2016 with a mission to guide operators and telcos to embrace new and exciting opportunities and make the most out of business messaging. For more information or industry insights, browse through our blog page or follow us on LinkedIn.

Any questions?