HOW DO YOU STOP SMS PHISHING?
Is Africa the Tortuga of the modern world when it comes to SMS fraud? Most of us long ago abandoned SMS as insecure, inefficient and expensive. So why is SMS fraud a growing problem in Africa?
After looking into this issue (I am sick and tired of my phone beeping every five minutes), I think the answer is a lack of regulation in Africa: too many stakeholders benefit from keeping SMS in place as a communication channel, irrespective of the increasing levels of fraud. Added to that is a perception that everybody does business on their mobile phone, and that SMS is therefore a perfectly valid business, marketing and security channel.
Whether we like it or not, SMS is a universal protocol, and the SMS gateway used to attack you need not even be located in the jurisdiction where you live.
How is it possible that the people who can least afford security tools are failed so grossly by legislators and politicians, and left exposed to this world of exploitation?
The SMS tower of evil beneficiaries
Firstly, banks and large corporations push messages to their clients over SMS for security, commercial and marketing purposes, ignoring two things. The sender ID on an SMS is not authenticated: it is free text chosen by whoever submits the message to a gateway, so putting a bank's name on a message is trivial. More importantly, the steady stream of legitimate messages desensitises a whole population to the risk that these seemingly innocuous messages carry for the recipient.
And that is exactly how one of my friends' bank accounts was emptied. She responded to an SMS at a moment when she was expecting something from her bank, and within a few minutes her accounts were emptied.
This layer of corporate comfort is, of course, facilitated by an SMS gateway layer that profits from sending these unauthenticated messages. The gateways are unaccountable and nearly impossible to track down: the only origin information in an SMS you receive is the sender ID, which the gateway chose, so you have to go through your mobile provider to find out which gateway and which customer account actually submitted the message.
And then there are the mobile providers themselves that make money by carrying SMS messages on their network.
I analysed the SMSs I received over the last two years and was amazed at what I found.
None of the spammers ever respected an opt-out request. The majority of messages don't even include an opt-out option (which will cost you money if you reply by SMS), and many companies have moved the opt-out to a web site. So now you have to click on an opaque link and hope that it results in you not receiving more spam from this company. That is exactly the behaviour smishing relies on: an unexpected SMS with an obscured link that you are asked to tap.
The most prolific offender (RAILWAY FURNISHERS) doesn't even include a URL or any way to buy from them other than to SMS them back and tell them I want to buy furniture. What do these people sell, and to whom? They have been SMSing me daily for years now, and somehow they just don't get the message that I am not going to buy whatever they are selling.
Many financial services companies use SMS to do business with their customers, but at the same time send them spam over SMS. Naturally, criminals then chime in and send phishing messages posing as those same banks, and the customer has no way to tell the two apart. How convenient.
Many companies included personally identifiable information (PII) in the SMS, which would violate the GDPR in Europe (South Africa's own POPIA imposes similar obligations).
Government and the Revenue Services were major users of SMS to bombard their stakeholders with spam, nearly always including PII.
Phishing messages often contained PII too, which means the attackers most likely acquired it through data breaches. It also means that a message knowing your name or ID number proves nothing about who sent it.
Most providers wrap their URLs in shorteners or tracking redirects, so there is no way to tell a phishing message from a legitimate SMS from a service provider by looking at the link: both present an opaque domain that reveals nothing about the destination until you tap it.
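To make the traits above concrete, here is a small triage script that scores SMS messages on exactly the signals discussed: opaque shortened links or raw IP links, a brand named in the text whose link goes to an unrelated domain, urgency language, requests to reply by SMS, PII that should never be in a text message, and an alphanumeric sender ID that proves nothing about origin. This is an added example written for this article, not code from any operator, gateway or bank; the brand-to-domain table, the sample messages and the PII formats are constructed for illustration, and the heuristics are deliberately simple so that they can be read and adjusted.

```python
"""Heuristic smishing triage over sample SMS messages (added example; inputs are constructed)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed table: brands the recipient trusts and the domain their genuine links should use.
BRAND_DOMAINS = {"examplebank": "examplebank.example", "samplecredit": "samplecredit.example"}
# Link-shortener hosts: the destination stays hidden until the recipient taps, which is the problem.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "goo.gl"}
URGENCY_WORDS = ("suspended", "verify", "immediately", "urgent", "locked", "expire",
                 "claim", "confirm", "refund", "prize")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
REPLY_RE = re.compile(r"\b(?:[Rr]eply|SMS|[Tt]ext)\s+[A-Z]{2,}\b")   # "Reply YES", "SMS STOP"
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Data that should never travel in an SMS at all (assumed formats: 13-digit national ID, 16-digit card).
PII_PATTERNS = (("13-digit ID number", re.compile(r"\b\d{13}\b")),
                ("card-like number", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")))


@dataclass
class Triage:
    sender: str
    score: int
    verdict: str
    reasons: list = field(default_factory=list)
    pii: list = field(default_factory=list)


def extract_hosts(text):
    """Return the lower-cased host of every URL in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        hosts.append((urlparse(url).hostname or "").lower())
    return hosts


def host_belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(sender, text):
    lower = text.lower()
    score, reasons = 0, []
    hosts = extract_hosts(text)
    for host in hosts:
        if host in SHORTENER_DOMAINS:
            score += 2
            reasons.append(f"opaque shortened link ({host})")
        elif IP_RE.fullmatch(host):
            score += 3
            reasons.append(f"raw IP address in link ({host})")
    # A named brand whose links point somewhere else is the classic smishing tell.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in lower:
            for host in hosts:
                if not host_belongs_to(host, domain):
                    score += 3
                    reasons.append(f"mentions {brand} but links to {host}")
    hits = [w for w in URGENCY_WORDS if w in lower]
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency language: " + ", ".join(hits))
    if REPLY_RE.search(text):
        score += 1
        reasons.append("asks for a reply by SMS (costs you money and confirms a live number)")
    # PII is reported separately: it is a data-handling failure whether the sender is a bank or a crook,
    # and its presence says nothing about who sent the message (breach data is cheap).
    pii = [label for label, rx in PII_PATTERNS if rx.search(text)]
    if not sender.startswith("+"):
        reasons.append(f"sender ID '{sender}' is free text chosen by the submitter, not proof of origin")
    verdict = "likely phishing" if score >= 5 else "suspicious" if score >= 2 else "low risk"
    return Triage(sender, score, verdict, reasons, pii)


# Constructed sample messages: a bank lookalike, a genuine OTP, a furniture spammer, a "refund" lure.
SAMPLE_MESSAGES = [
    ("EXAMPLEBNK", "ExampleBank: Your account has been suspended. Verify now at https://bit.ly/3abc123 to avoid closure."),
    ("ExampleBank", "Your OTP is 482913. Do not share it with anyone. https://www.examplebank.example/help"),
    ("RAILWAYFURN", "Buy furniture now! Reply YES and we call you. Opt out: SMS STOP to 34567"),
    ("+27821234567", "Dear Jane Smith, ID 8001015009087, your tax refund of R4,500 is ready. Claim: http://198.51.100.7/refund"),
]


def triage_all():
    return [triage(sender, text) for sender, text in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for r in triage_all():
        print(f"[{r.verdict}] score={r.score} sender={r.sender}")
        for reason in r.reasons:
            print("  -", reason)
        for p in r.pii:
            print("  ! PII exposed:", p)
```

Note what the genuine OTP message still gets flagged with: its alphanumeric sender ID is no more trustworthy than the lookalike's, which is the point the article makes about banks training customers to trust the channel. The scoring thresholds are arbitrary; what matters is that a brand name plus a link to an unrelated or opaque domain is never something a recipient can resolve from the message itself.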
Conclusion
Clearly the SMS business is far too lucrative for the network operators or SMS gateway providers to manage your interests effectively. The only interest they have in this equation is a revenue stream, and if you are phished along the way, too bad, so sad.
One thing you can do is report offending companies to the relevant authorities. In Europe, for example, GDPR violations carry hefty fines, and consequently most SMS spammers have calmed down there. Sadly, in developing regions such as Africa there is little practical protection against the abuse of SMS: South Africa does have data-protection legislation in POPIA, but in practice the recourse most people are left with is voluntary industry associations (e.g. https://waspa.org.za/), which are toothless, as the findings in this article attest.
We all have to stop doing business with large companies like DIRECTAXIS, AUDI, WESBANK, SANLAM, OLD MUTUAL etc. who keep using this channel and do nothing effective to stop phishing gangs exploiting their brand to defraud you.
Lastly, stop treating SMS as a trusted channel. Don't accept multi-factor authentication via SMS: a code sent by SMS can be captured by SIM-swapping your number or intercepting the message in transit, and it arrives over the same spoofable channel as everything else. Treat any SMS that asks you to tap a link or reply as untrusted by default, because the odds are overwhelming that it is either insecure or fraudulent.