Why Telcos Need to Tackle Smishing

4 min read

In 2021, it’s almost impossible to find a company not using SMS marketing. In the right hands, it’s a powerful tool not only to ace potential client engagement but also to boost existing customer retention. The 8x higher engagement rate, when compared to emails, makes it practically a wand. Despite all its magical advantages, something should be rotten in the state of Denmark. The possibility of phishing is the dark side of any messaging channel. And smishing is the yang of SMS’ yin.

In the UK, SMS phishing increased by nearly 700% in the first six months of 2021 compared to the second half of 2020. Even the Royal Mail was not spared. The text, claiming to be from the postal service, arrived out of the blue and claimed that “your Royal Mail parcel is awaiting delivery. Please confirm the settlement of 1.99 (GBP) on the following link.” The message linked to a website mocked up to request personal and payment details, which scammers could use to steal someone’s identity. Even telco giants such as Vodafone are not immune from smishing malware. In April 2021, millions of similar text messages were sent across the company’s networks in many countries. This saw numerous Android devices being infected by FluBot — a type of malware. And now the latest menace — TangleBot — is just around the corner…

Smishing message example Why Telcos need to tackle smishing
Smishing message example

Considering all of the above, eliminating smishing and minimising its effects are not a desirable measure but a must. In this new article, we will take a look at how telecommunication companies can effectively fight back SMS phishing to preserve revenues and protect customers.

Smishing, also known as SMS phishing, is a cybersecurity attack carried out over mobile text messaging.

If phishing were the ancient bifacial god Janus, his second face would for sure be smishing. Janus is a master of all starts and ends, and the god of chaos. In the same fashion, the start of a smishing attack can depict the end of your business by throwing it out of existence.

Verizon reports that 85% of phishing attacks come from other channels beyond just email, like gaming, messaging, social and productivity apps. The absence of SMS senders’ authentication is the main reason why smishing attacks have been conquering the malware market so fast. Recipients can only, at best, assume that the phone number is from a trustworthy source. That’s not a solution, as many rogue applications allow senders to send SMS from spoofed or shared telephone numbers. Furthermore, SMS, by design, is unauthenticated. This means that anyone can send an SMS message — only the recipient’s phone number is needed. If the recipient hasn’t stored the sender’s number in their contact list, it will look like any other text message. On top of that, URLs from SMS messages are harder to inspect or verify as legitimate – most of them are shortened by common URL shorteners.

Why does SMS fishing of smishing work? Why Telcos need to tackle smishing


How to prevent smishing?

A mobile network operator’s reputation largely hinges on the security of its networks. To be sure your subscribers are protected from smishing attacks, follow these Three Anti-Smishing Commandments.

  1. Have a holistic view of the traffic reaching your network and subscribers. Also, be sure about how the whole process is happening. This ongoing task should be your priority #1 as malware types are constantly evolving. Day by day, spam and bypass mechanisms become more creative, sophisticated, and adjusted to current trends. According to the US Federal Trade Commission, in March 2021, Americans have been receiving text messages with a limited-time survey about vaccines in exchange for a “free reward,” for which they’re asked to pay shipping fees. Such SMS messages are true ticking bombs capable of destroying trust in the operator.

  2. There is no such thing as too much testing. A specialised testing solution will provide measurable results to continually refine and improve the blocking mechanisms of your network. GMS is always ready to help mobile operators prevent fraudsters’ potential behaviour by delivering comprehensive mobile ecosystem monitoring. By deploying such tools, you can protect not only your customers but also partners and third-party enterprises. For example, reliable mobile networks could have prevented the Bank of Ireland from losing €800,000 due to the 2020 SMS phishing attack.

  3. Be proactive, not reactive. Don’t wait until your subscribers complain or, even worse, migrate to your competitor. Protect your network before it becomes a headache for your subscribers. While blocking grey routes is essential for revenue assurance, blocking spam and smishing messages will uphold your reputation and ensure an excellent customer experience. As a mobile operator, it’s in your best interest to ensure that SMS remains a trusted channel for A2P traffic.


“Hold the door!”

Being proactive means being ready to face White Walkers fraudsters. A well-functioning firewall can perform this task fair enough. While SMS firewalls are tools for identifying and blocking spam, even the best of these warriors cannot automatically verify the security of a URL contained in the message. Since the real threat is the hyperlink, the firewall’s rules must be managed and constantly updated. The reasonable solution would be blocking all SMS messages that contain known malicious URLs. However, such hyperlinks are usually registered on the same day of the attack and can either expire, be replaced, or further altered down the line. This makes blacklisting these addresses inefficient.

Luckily, it’s possible to complement your firewall with our advanced anti-smishing solution that treats all hyperlinks as malicious unless proven safe, significantly decreasing the influence of a human factor and reliably protecting the subscriber data.


Salman Nayyar GMS Group Director – Products, Strategy and Innovation Why Telcos need to tackle smishing
Salman Nayyar
GMS Group Director – Products, Strategy and Innovation

At GMS, we analyse international traffic and have established rulesets for all the services using A2P authentication channels. We keep a watchful eye on all the latest developments of frauds and emerging threats to MNOs, and our anti-smishing solution has successfully proven to address these vulnerabilities.

Preventing the wound is always better than healing. The same applies to smishing and its outcomes. Contact our experts today to protect your network and be sure your subscribers and revenues are safe!

Add Your Heading Text Here