
Phishing SMS text messages, an increasing problem

deanchapman
Tuning in

Over the last month or two, I have seen a significant increase in SMS phishing containing a URL impersonating a voicemail message, there are also many other variations of SMS scams that are a real problem.

When are Virgin Mobile going to implement some central controls for this? It currently seems to be a free-for-all for the scammers to spoof numbers and include URLs which could easily be trapped by the carrier (i.e. Virgin Mobile).

If we wind the clock back a few years, then email had a similar problem where we all experienced an explosion of spam/phishing.  However the ISPs and email providers have implemented, over the years, highly advanced technical controls to block such messages and the global email systems.

Please can someone from VM comment on when some basic controls will be implemented to
- validate the identity of sender (ie avoid spoofing/impersonation)  
- validate and check URL reputation
- analysis of text content for spam 

Mobile providers should take lessons from the email providers, they should understand that the problem, the impact and the solution are conceptually, very similar

Unless some better controls of SMS are implemented, then SMS will remain a highly attractive vector for criminal activity.  It must be incumbent on the mobile providers to get their act together here and Ofcom should start regulating and enforcing.

 


BenMcr
Very Insightful Person

@deanchapman wrote:

Please can someone from VM comment on when some basic controls will be implemented to
- validate the identity of sender (ie avoid spoofing/impersonation)  
- validate and check URL reputation
- analysis of text content for spam 

SMS doesn't work that way. There is no 'inbox' or server for those sorts of controls to be implemented on, unlike email.

All that a mobile provider runs is a message relay which stores a message addressed to a mobile number and then forwards it. These relays are not designed to be able or capable of doing anything more than that.

Any updates to SMS to include such features would require wholesale updates to technology and standards across the world, which won't happen. 

RCS was designed to be an industry replacement for SMS to include some newer features, but has never taken off as it came too long after other services like iMessage and WhatsApp, and Apple have no plans to support it. Android devices do but mostly only via direct Google support. Even then it doesn't include the security features mentioned as far as I can see.

Instead any of the features you suggest have to be part of your messaging client. For instance Google Messages on Android does check for known Spam and verified SMS senders - https://blog.google/products/messages/safer-conversations-messages-verified-sms-and-spam-protection/

**********************************
I work for Virgin Media - but all opinions posted here are my own

enlli
Very Insightful Person

@BenMcr 

Has posted useful information as to why this would be a nightmare to implement.

In truth SMS is an ancient technology, the concept being laid down in 1984. The first SMS was 1992.

At first it was never intended as a public messaging system but as a method of engineers and technicians communicating with each other. When it was opened up there was no roaming across networks let alone countries. I remember taking part in SMS trials with Orange before they fully opened up their network.

What you require is better served by the networks and manufacturers getting together and replacing SMS with new technology. That won't happen in a hurry.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

Hi enlii, what you say is correct, but not dissimilar to the technical challenges that email faces because of the lack of controls and design flaws that failed to foresee some of the obvious vulnerabilities. 

It's odd that with all the other messaging mechanisms out there, SMS remains so well used; I guess because of its low-level simplicity.  What is required is some joined-up thinking from the Network providers across the globe on how to solve this, and pressure from the likes of VM can help here.

 

enlli
Very Insightful Person

@deanchapman wrote:

 

What is required is some joined-up thinking from the Network providers across the globe on how to solve this, and pressure from the likes of VM can help here.

What clout Virgin Mobile will have as a Virtual network with just 3.5 million users is questionable. They will be better off when fully integrated into O2 who have 10 times as many, but as now they are a minnow.

Personally, most SPAM SMS messages I receive are sorted into my Spam inbox and any that aren't are easily reported. 

The only text messages I send these days are replies to the likes of my bank, doctor and NHS.


BenMcr
Very Insightful Person

@deanchapman wrote:

Hi enlii, what you say is correct, but not dissimilar to the technical challenges that email faces because of the lack of controls and design flaws that failed to foresee some of the obvious vulnerabilities. 

It's odd that with all the other messaging mechanisms out there, SMS remains so well used; I guess because of its low-level simplicity.  What is required is some joined-up thinking from the Network providers across the globe on how to solve this, and pressure from the likes of VM can help here.


Again, the model between email and SMS technology is completely different. SMS is reliant on legacy ways of devices talking to each other compared with modern IP based messaging services.

No-one wants to develop SMS any further as far as I understand it. It only still works because it's pretty much 'baked in' to the way current mobile networks work i.e. it costs very little to keep enabled.


BenMcr
Very Insightful Person

I guess it is worth adding that mobile providers in the UK do run a reporting number where you can forward spoof messages

https://www.virginmedia.com/help/what-is-smishing

You can forward the message to shortcode 7726, you will then receive a response asking for the shortcode or long number that the spam message came from and Virgin Media will then investigate for you.

However my understanding is the way that these are resolved is working to find out where they're coming from in the first place and get that shut down, rather than any direct changes that Virgin Mobile do on their SMS relay.


Serena_C
Forum Team (Retired)

Hi @deanchapman

 

Thank you for making the post regarding the SMS phishing texts you have been receiving. I understand how concerning it is to receive fraudulent messages on your phone. We appreciate your feedback regarding the basic controls you would like to see implemented - I will pass this on to the relevant team now.

 

We do what we can to help reduce fraudulent texts, but unfortunately scammers keep coming up with better and more complex scams. We have a dedicated page where we try and keep it updated with any known spam or phishing attempts we know of, please do check our Security Matters page if you are ever concerned about a text you have received.

 

Kind regards,

Serena

Thanks Serena, BenMcr and Enlli for taking the time to reply.  I do always report the spams to 7726 as I know this helps with the central intel.

I also understand that fraudsters are ever-more inventive about finding new attack vectors, it is an arms race that I deal with every day as I work in Cyber Security Management.  The case is similar to the email problem, where one can check headers and IPs for reputation and content for patterns or URL reputation.  So whether a solution is app-based or via a central gateway, there is more that can and should be done.

For me, it is more an annoyance than a threat, but there are so many people out there with less Cyber awareness that need protection.  I believe in many cases, CLID spoofing is being used and surely it is possible for providers to track and report the originations of these.
I get that there are longer term solutions that can be implemented globally, however at this point we need tactical, usable mitigations.  Maybe VM could look at producing a free SMS app which includes evolving features which can help remove this threat/annoyance of spoofed CLID, SMS spam & smishing.
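
A sketch of the client-side checks discussed in this thread (link reputation, lure wording, and whether links match the brand named in the sender field), added here as an illustration and not code from any poster or from Virgin Media. The domain lists, sender names and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data; a real client would sync these from a reputation feed.
BLOCKED_DOMAINS = {"vm-voicemail.example"}
BRAND_DOMAINS = {"ExampleBank": {"examplebank.example"}}
LURE_WORDS = re.compile(r"\b(voicemail|voice message|missed call|parcel|redelivery)\b", re.I)
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>]+", re.I)


def hosts_in(body):
    """Return the lower-cased hostnames of every URL found in the message text."""
    hosts = []
    for raw in URL_RE.findall(body):
        url = raw if "://" in raw else "http://" + raw
        try:
            host = urlsplit(url.rstrip(".,)")).hostname
        except ValueError:  # malformed bracketed host
            continue
        if host:
            hosts.append(host.lower())
    return hosts


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_sms(sender, body):
    """Return a list of reasons the message looks like smishing (empty = no flags)."""
    reasons = []
    hosts = hosts_in(body)
    for host in hosts:
        if any(under(host, d) for d in BLOCKED_DOMAINS):
            reasons.append(f"blocked-domain:{host}")
    if hosts and LURE_WORDS.search(body):
        reasons.append("lure-with-link")
    # The sender field cannot be authenticated on the handset, so instead check
    # that links in a message claiming a brand stay on that brand's domains.
    allowed = BRAND_DOMAINS.get(sender)
    if allowed:
        for host in hosts:
            if not any(under(host, d) for d in allowed):
                reasons.append(f"off-brand-link:{host}")
    return reasons
```

The suffix comparison in `under` is what stops a brand name used as a left-hand label of an unrelated domain from passing the brand check.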

Serena_C
Forum Team (Retired)

Hi @deanchapman

 

Thank you for expanding on the issue for me, security is our number one priority and I understand your concerns regarding the impact that phishing text messages may have on those with less cyber awareness.

 

I have raised your feedback and suggestions with the team. Thanks again for taking the time to highlight the issue with us.

 

Kind regards,

Serena