The Fight Against Smishing - How Our Extremely Effective Security Measures Work

SMS phishing, or smishing, is a growing problem. Several reports indicate a substantial increase over the past few years in Europe as well as globally. 

The race between fraudsters on the one side and telecom operators and SMS platforms on the other has been going on for many years, and there is no prospect of a final solution any time soon.  

In the GatewayAPI team, we take the challenge of smishing very seriously and do everything we can to prevent as many smishing messages as possible from reaching the recipients. Below you can read more about the actions we have taken and how effective they have been (spoiler: they have been very effective!). 

Note that our security measures are the first line of defense, and that most telecoms also have their own filters or requirements, e.g. Sender ID registration or a requirement to use a virtual number, as seen in North America. 

What is smishing?

Smishing is a type of financial fraud where scammers use SMS messages to lure information out of the recipients. For individuals, smishing is a serious threat that requires extra caution when receiving suspicious SMS messages.

Over 1 million smishing messages blocked in the last 6 months 

We are proud to report that all our security mechanisms combined have stopped no less than 1,051,345 smishing messages (and potential smishing messages) in the last six months.

Our efforts include a verification process as well as a URL and Sender ID filter. Maintaining these filters is no easy feat, and they require a lot of continuous work to keep them up to date to adapt them to the ever-changing threat landscape. 

Verification process

The first step of our defense consists of a verification process of new users to make sure they represent legitimate businesses – and more importantly, that they actually represent the businesses they claim to represent.

Occasionally, phishing messages also come from GatewayAPI accounts that have been customers of ours for some time, for example if the API keys have been passed over an insecure medium and intercepted by a hacker. We therefore also encourage all our customers to follow the recommendations in this blog post and here so that their GatewayAPI accounts, as well as the systems linked to our SMS API, are further protected from being exploited by fraudsters.

URL filter

To counter the use of links to pages where scammers can either trick the recipient into providing information or install malware, we have a URL filter that stops any message containing a URL that has not been whitelisted by our team beforehand. 

This basically means that you can only get through this part of our defense by sending a message without a link, in which case it will probably be spam instead. While SMS spam can undoubtedly be annoying, it does not carry the same serious societal costs as phishing. 

Read more about URL whitelisting here, as well as how the process works if you want to include a link to your website.

Sender ID filter

Scammers will often try to send a message with a Sender ID from a well-known brand or organization that people know and trust and include a link in the text. See examples of different types of phishing attacks at the bottom of the blog post.

Our Sender ID filter compares the Sender ID in the message with a list of typical Sender IDs as well as typical patterns of phishing attacks. Sender IDs containing for example the words “bank”, “Apple”, “IRS” or “GLS” will often be blocked – unless they have been approved by our team in advance.

The societal benefit of curbing SMS phishing

Our blocking of over a million smishing messages is a significant achievement with many positive outcomes.

Let us explore this further. 

The success rate of SMS phishing can vary greatly depending on the specific attack and the propensity of each target audience to fall for scams. Scammers rarely share data on the success rate of their attacks (for obvious reasons), so it mostly boils down to educated guesses.

What we do know is that people generally have a high level of trust in SMS, that scammers can easily craft an SMS phishing message – it’s much easier than email, for example – and that open rates for links in SMS are up to eight times higher than for links in email. With all this in mind, it can be assumed that a significant proportion of the recipients click on the link in the smishing message and that the success rate is significantly higher for SMS phishing than for email phishing.

Preventing financial losses, spreading of malware and identity theft

First and foremost, by preventing smishing from getting through our SMS gateway, we help prevent financial losses for individuals and organizations.

Second, blocking smishing prevents malware from spreading. Some smishing messages are used to trick people into installing malware on their devices, which can then be used to steal information or gain unauthorized access to networks and systems. 

Third, it prevents damage to the reputation of organizations. When smishing messages impersonate an organization, often by using a similar Sender ID, and succeed in conning a number of recipients, it can be damaging to the brand of the organization the message is impersonating.

By blocking over a million SMS messages, the filters have clearly demonstrated their effectiveness, almost certainly saving thousands of citizens from a total loss of hundreds of thousands of euros.

Examples of different types of SMS phishing attacks 

In the examples below, financial gain is usually the objective. Smishing messages are often used as a means to get information, which can then be used to commit fraud or identity theft.  

See examples below of the different strategies used by fraudsters:

• Brand phishing attacks: Such as ‘Visa’, ‘Apple’, ‘PayPal’, etc. The information is often sold on the black market afterwards.
• Parcel service: SMS messages notifying the user that their package is ready to be collected. Users just have to click on a link first.
• Scare tactics: SMS messages informing the user that their bank or Apple account has been locked due to an unauthorized login, accompanied by a phishing link.
• Nigerian Prince: An example that landed in one of our employees’ inboxes looked like this: “My name is Mr. Gatan, I work with Medirect Bank in Malta. Can i trust you with a business worth $21.3 million? reply ONLY to my email….” and then a link. Not exactly convincing, but it must work on someone, since this type of message is still being sent out.
• You’ve won: Even local cinemas and restaurants are now used as sender IDs, letting recipients know they’ve won a competition. In general, there are many different “you’ve won” phishing attacks. By making the messages hyper-local, it helps lower people’s guard.

A look to the future

Recent reports of smishing attacks around the world are not exactly encouraging, and in the US alone there has been a massive increase in the last few years, partly due to the COVID-19 pandemic and the resulting growth in use of information technology. In addition, studies show that smishing is currently the most common form of mobile-based fraud.

As mentioned at the outset, it’s been a long uphill battle for the telecoms industry and it is going to take a lot of effort to curb it. At GatewayAPI, we have a number of additional initiatives in the pipeline, as well as upgrades to existing initiatives, so we can continue to do our part to stop smishing.

Global SMS Gateway

We have made it simple to implement SMS services into your business by offering some of the best prices worldwide as well as easy integration, world-class customer support, an intuitive interface and a rock-solid uptime of 99.99%. If you don’t have an account yet, you can create a FREE account in less than two minutes here: Go to GatewayAPI or contact sales@gatewayapi.com.