Have you ever experienced receiving spam or phishing SMSes?

It is annoying but fortunately does not happen that often, which can be attributed to the huge amount of work that the telecommunications industry is putting into stopping it.

Examples of scams

There are various phishing scams out there - also referred to as smishing. Honestly. We are not making it up. The scams can trick users into downloading an infected file, clicking a certain hyperlink, or typing in sensitive information, which can result in identity theft. The information is either obtained when people enter them manually or when malicious malware is automatically installed on the users’ phones that collect all sensitive data that is typed in on the phone, which can be used for further attacks.

Example of an phishing SMS where Apple is ued

We have gathered some examples below to illustrate some of the different strategies that are used:

  • Brand name phishing attacks such ‘Visa’, ‘Apple’, ‘PayPal’ etc. Currently there is a Netflix scam circulating where users are encouraged to update their login details or update their credit card. Details are then later sold on the black market.
  • SMSes notifying the user that his or hers parcel is ready to be collected included with a link.
  • SMSes notifying the user that his or hers bank account/Apple account/etc. has been locked due to an unauthorised login also accompanied with a link.
  • There are still ‘Nigerian Prince’ type of phishing scams floating around. I recently received a SMS with the text: “My name is Mr Gatan, I work with Medirect Bank in Malta. Can i trust you with a business worth $21.3 millions? reply ONLY to my email….”. Not exactly convincing but nevertheless there are still people out there who will fall for that.
  • Even local movie theaters and similar places are used as the sender ID where recipients are told that they have won in some kind of competition. Generally there are a lot of different “you have won in this or that competition” phishing attacks.

The examples clearly shows that it is widespread and growing problem. The criminals are also getting more cunning, which probably explains why there are still many people who fall for their scams.

Verification process

Luckily, scammers can’t just create their own SMS gateway and start sending phishing attacks to millions of users.

At GatewayAPI we go to great lengths to prevent criminals from using our SMS gateway to send out spam or phishing. New users must, among other things, go through a verification process, so we are certain that they represent legitimate companies - and more importantly that they actually represent the companies they claim to represent. It usually arouses suspicion when a person claims to represent a certain company but is writing from a public email address.

Brand new scanning system

We have also just released a new scanning system that scans the content of the SMSes we broadcast worldwide and slams the brakes if something looks suspicious.

We have done this by setting up a filter that automatically rejects SMSes that contain links - unless the domain or the URL have been whitelisted in advance.

Technically speaking: Our system continuously checks for links, compare it with the whitelisted URLs and domains and either approves or rejects the link based on whether it figures on the list.

This is another step toward eliminating spam and phishing. In the manual process where URLs and domains are checked, toxic URLs will obviously be rejected by our team.

This additional safety measure is in line with the overall development in the telecommunication industry where there is an increasing focus on stopping spam and phishing. E.g. many telecommunication companies today send out hefty fines to SMS gateways if scammers have been allowed to broadcast through them.


How to get your URLs whitelisted

To get your URLs whitelisted, simply go to “URL Whitelist”, which is located in the main menu. You will then be able to submit the URLs you wish to use.

You can always apply for new URLs. Within normal working hours, we will process your application quickly and efficiently. Free of charge.

For all countries (except Norway) the following applies:

  • You can whitelist an entire URL, a domain or subdomain e.g. gatewayapi.com or maps.google.com (note whitelisting google.com will not whitelist this address due to the subdomain) or specific, static urls such as gatewayapi.com/docs.
  • The domains for the links must be registered.
  • If it is a dynamic link, please point out the part of the link that is autogenerated.
  • A short description of the content of the SMSes must be included.
  • The sender ID that will be used must be included as well.
  • No personal names (e.g. Elisa, Alex etc.) as the sender ID.

Norway SMS

If you wish to send traffic to Norway containing URLs, the following applies:

  • No public URL shorteners (URL shorteners are subject to review, please include content or sender ID info with any submittal for approval) unless it’s a specific link and not the whole domain.
  • No possibility to change the target of the short link.
  • Brand name as sender required.
  • Private URL shorteners are allowed if under company control.
  • URL without extension needs to be a valid URL that points to the customer site.
  • No redirects to other domains. Exception: URL shorteners.
  • Content of website needs to be accessible for review.
  • No blank pages.
  • No login only pages (unless login is provided).
  • The sender of the message needs to be associated with the website content.
  • Ideal case: Sender Google, URL: google.com.
  • Also okay: Sender YourBank, URL: horriblylongbankname.com.
  • No personal names (e.g. Elisa, Alex etc.).
  • Subdomain wildcards need to prevent hijacking via similar domains.


Who are behind the attacks?

Who exactly profits from the phishing attacks? Is it hackers sitting in basements wearing balaclavas? According to Verizon’s annual DBIR (Data Breach Investigations Report) in 2016 roughly 89 percent of the attacks come from organised crime syndicates and about 9 percent come from state-affiliated actors. The main motivation being money and espionage. With these things in mind, it doesn’t seem like it is a problem that will be going away anytime soon unfortunately.

In SMS we trust

Mobile users should not to be subjected to spam or phishing SMSes. Additionally, it is extremely important that mobile users can rely on the SMSes they receive. This way the SMS can continue to play a significant role in many different contexts.

In other words, the SMS must not share the same fate as the email where the opening rate is only about 20-30 percent today.

Global SMS Gateway

GatewayAPI has some of the lowest prices in the majority of the world combined with an intuitive interface, world class support and rock-solid uptimes on 99,99 % in average. If you don’t have an account yet, you can create a free account in less than two minutes here: Go to GatewayAPI or contact sales@gatewayapi.com