Industries unite to tackle SMS fraudsters exploiting COVID-19 text alerts

Press release – April 22, 2020

By Mobile UK.

The UK mobile, banking and finance industries along with the National Cyber Security Centre (NCSC) have joined forces to prevent fraudsters sending scam text messages that seek to exploit the Covid-19 crisis.

The collaboration is part of an ongoing industry initiative by Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance, supported by the NCSC, to help identify and block fraudulent SMS texts and protect messages from legitimate businesses and organisations.

Text messaging scams which trick consumers into sending money or sharing their account details with fraudsters are known as ‘Smishing’ (or phishing by SMS). Criminals send bogus texts which appear to come from a trusted sender, for example, in the case of the Government’s mass-text campaign UK_Gov.

These messages often contain links to fake websites or phone numbers using sophisticated social engineering techniques to trick the victim into revealing their personal and financial information or sending money. Criminals will also often use a technique called “spoofing”, which can make a message appear in a chain of texts alongside previous genuine messages from that organisation.

As part of the cross-stakeholder trial, MEF has developed the SMS SenderID Protection Registry which allows organisations to register and protect the message headers used when sending text messages totheir customers. The Registry limits the ability of fraudsters to send messages impersonating a brand by checking whether the sender is the genuine registered party.

50 bank and Government brands are currently being protected through the trial with 172 trusted SenderIDs registered to date. Over 400 unauthorised variants are being blocked on an ever-growing blacklist, including 70 senderIDs relating to the Government’s Coronavirus campaign.

14 banks and Government agencies including HMRC and DVLA are participating in the ongoing trial which is supported by BT/EE, O2, Three and Vodafone.

The trial also has the support of the UK’s leading messaging providers including BT’s Smart Messaging Business, Commify, Firetext, Fonix Interactive, HGC Global Communications Limited, IMImobile, mGage, OpenMarket, SAP Digital Interconnect a division of SAP, Sinch, TeleSign, Twilio and Vonage.

In the last six months, the cross-stakeholder working group has seen a significant drop in fraudulent messages being sent to the UK consumers of the participating merchants.

Dr Ian Levy, Technical Director at the NCSC, said: “We arepleased to be supporting this experiment which is yielding promising results. The UK Government’s recent mass-text campaign on Covid-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kind of scams.”

Mobile UK’s Head of Policy & Communications, Gareth Elliott added that “Mobile companies work hard to protect their customers fromfraud and the contribution from the industry to the Registry will help reduce the number of scam texts pretending to be from trusted brands. This gives much-needed protection against fraud, including for the most vulnerable customers.”

As part of the Coronavirus campaign, consumers have also been reminded to follow the advice of the Take Five to Stop Fraud campaign and remember that criminals are experts at impersonating people, organisations and the police. Customers can report suspected spam text texts to their mobile network provider by forwarding them to 7726.

Katy Worobec, Managing Director of Economic Crime at UKFinance, said: “This initiative shows how by working together with the government, law enforcementand other sectors, we are protecting the public from these cruel scams. We would urge consumers to remain vigilant of criminals exploiting the Covid-19 outbreak to commit fraud and report suspicious texts by forwarding the original message to 7726, which spells SPAM on your keypad. Always follow the advice of the Take Five to Stop Fraud campaign and avoid clicking on links in any unsolicited text messages in case it’s a scam.”

Mike Fell, Head of Cyber Operations HM Revenue and Customs, who were one of the first Government agencies to report Covid-19 text scams said: “This trial builds on the success of an HMRC pilot, conducted with telecoms providers, which resulted in a 90% reduction in reports of the most convincing HMRC-branded SMS scams. We are happy to collaborate with MEF and partners totake forward our work to safeguard the UK public from such SMS-related scams.”

MEF’s COO, Joanne Lacey summarised: “All stakeholders involved in business messaging have a responsibility to follow industry best practice and proactively work together to be one step ahead of the fraudsters. The SMS SenderID Protection Registry is a tactical solution to mitigate smishing and spoofing, backed by MEF’s A2P SMS Code of Conduct. Through the Registry, the industry has been able to support the UK Government’s campaign and demonstrate the vital role of messaging not least in times of emergency and crisis.”