Stopping Illegal SMS Traffic
Have you ever received spam or phishing SMS messages?
It can be annoying. Fortunately, it does not happen that often, which can be attributed to the huge amount of work that the telecommunications industry is putting into stopping it.
Examples of scams
There are various SMS phishing scams out there – also referred to as ‘smishing’. These scams can trick users into downloading an infected file, clicking a certain hyperlink, or typing in sensitive information, which can result in identity theft. The information is either obtained when people enter it manually, or when malicious malware is automatically installed on the users’ phone. This can then collect all sensitive data typed in to the phone, which can be used for further attacks.
We have gathered examples below to illustrate the variety of strategies used:
- ‘Brand name’ phishing attacks such ‘Visa’, ‘Apple’, ‘PayPal’ etc. – this could for example be a scam pretending to be Netflix, where users are encouraged to update their login details or update their credit card. Details are then later sold on the black market.
- ‘The Postman’ – SMS messages notifying the user that their parcel is ready to be collected by clicking on an included phishing link.
- ‘Heist’ – SMS messages notifying the user that his or her bank account/Apple account/etc. has been locked due to an unauthorized login also accompanied with a phishing link.
- ‘Nigerian Prince’ phishing scams are still floating around. I received an SMS myself, stating: “My name is Mr Gatan, I work with Medirect Bank in Malta. Can i trust you with a business worth $21.3 millions? reply ONLY to my email….”. Not exactly convincing, but nevertheless, it is still happening so it must be working on someone.
- ‘Lucky Winner!’ – Even local movie theaters and similar places are used as the sender ID, where recipients are told that they have won some kind of competition. Generally, there are a lot of different “you have won this or that competition” phishing attacks.
The examples clearly show that this is a widespread and growing problem. The criminals are also getting more cunning, which probably explains why there are still many people who fall for the scams.
How do we stop them?
1. Verification process
Luckily, scammers can’t just create their own SMS gateway and start sending phishing attacks to millions of users.
At GatewayAPI, we go to great lengths to prevent criminals from using our SMS gateway to send out spam or phishing. New users must go through a verification process, so we are certain that they represent legitimate companies – and more importantly, that they actually represent the companies they claim to represent.
2. Brand new scanning system
We have just released a new scanning system that automatically slams on the brakes of SMS broadcasts if something looks suspicious.
Our new system uses a filter that rejects SMS messages containing links – unless the domain or the URL have been whitelisted in advance. Technically speaking: Our system continuously checks for links, compares them with the whitelisted URLs and domains, then either approves or rejects the link based on whether it presents on the list.
This is another step toward eliminating spam and phishing. In the manual process where URLs and domains are checked, toxic URLs will obviously be rejected by our team. This additional safety measure is in line with the overall development in the telecommunication industry, where there is an increasing focus on stopping spam and phishing, e.g. many telecommunication companies today send out hefty fines to SMS gateways if scammers have been allowed to broadcast through them.
How to get your URLs whitelisted
To learn how to get your URLs whitelisted with us, check out our guide here. Within normal working hours, we will process your application quickly and efficiently. Free of charge. For all countries (except Norway) the following applies:
- You can whitelist an entire URL, a domain or subdomain e.g. gatewayapi.com or maps.google.com (note whitelisting google.com will not whitelist this address due to the subdomain) or specific, static URLs such as gatewayapi.com/docs.
- The domains for the links must be registered.
- If it is a dynamic link, please point out the part of the link that is autogenerated.
- A short description of the content of the SMS messages must be included.
- The sender ID that will be used must be included.
- No personal names (e.g. Elisa, Alex etc.) as the sender ID.
If you wish to send traffic to Norway containing URLs, the following applies:
- No public URL shorteners (URL shorteners are subject to review, please include content or sender ID info with any submittal for approval) unless it’s a specific link and not the whole domain.
- No possibility to change the target of the short link.
- Brand name as sender required.
- Private URL shorteners are allowed if under company control.
- URL without extension needs to be a valid URL that points to the customer site.
- No redirects to other domains. Exception: URL shorteners.
- Content of website needs to be accessible for review.
- No blank pages.
- No login only pages (unless login is provided).
- The sender of the message needs to be associated with the website content.
- Ideal case: Sender Google, URL: google.com.
- Also okay: Sender YourBank, URL: horriblylongbankname.com.
- No personal names (e.g. Elisa, Alex etc.).
- Subdomain wildcards need to prevent hijacking via similar domains.
Who are behind the attacks?
Who exactly profits from the phishing attacks? Is it hackers sitting in basements wearing balaclavas? According to Verizon’s annual DBIR (Data Breach Investigations Report) in 2016, roughly 89 percent of the attacks come from organised crime syndicates and about 9 percent come from state-affiliated actors. The main motivation being money and espionage. With this in mind, it doesn’t seem like a problem that will be going away anytime soon, unfortunately.
In SMS we trust
Mobile users should not be subjected to spam or phishing SMS messages. Additionally, it is extremely important that mobile users can rely on the SMS messages they receive. This way the SMS industry can continue to play a significant role in many different contexts.
In other words, the SMS cannot share the same fate as the email, where the current opening rate is only about 20-30 percent today.
To learn more about how to protect your GatewayAPI account against scammers, check out our blog post on the matter here.
You can also read more about smishing in our blog post here.
Global SMS Gateway
GatewayAPI has some of the lowest prices in the majority of the world combined with an intuitive interface, world class support and a rock-solid uptime of 99.99 % in average. If you don’t have an account yet, you can create a free account in less than two minutes here: Go to GatewayAPI or contact email@example.com
If you have a concept or business that could benefit from employing SMS communication, contact us. We will help you get started, contact us today!