Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Phishing sms text messages, an increasing problem

deanchapman
Tuning in

‎02-08-2021 10:25 - edited ‎02-08-2021 10:26

Over the last month or two, I have seen a significant increase is SMS phishing containing a URL impersonating a voicemail message, there are also many other variations of SMS scams that are a real problem. 

When are Virgin Mobile going to implement some central controls for this. It currently seems to be a free-for-all for the scammers to spoof numbers and include URLs which could easily be trapped by the carrier (ie Virgin Mobile)

If we wind the clock back a few years, then email had a similar problem where we all experienced an explosion of spam/phishing.  However the ISPs and email providers have implemented, over the years, highly advanced technical controls to block such messages and the global email systems.

Please can someone from VM comment on when some basic controls will be implemented to
- validate the identity of sender (ie avoid spoofing/impersonation)  
- validate and check URL reputation
- analysis of text content for spam 

Mobile providers should take lessons from the email providers, they should understand that the problem, the impact and the solution are conceptually, very similar

Unless some better controls of SMS are implemented, then SMS will remain a highly attractive vector for criminal activity.  It must be incumbent on the mobile providers to get their act together here and Offcom should start regulating and enforcing.

 

0 Kudos
11 REPLIES 11

enlli
Very Insightful Person
Very Insightful Person
In response to Serena_C

on ‎04-08-2021 15:46

With regards to calls, OFCOM published this

Why do they do this?

Sometimes there's a good reason for a caller to modify the Caller ID (for example, a caller who wishes to leave an 0800 number for you to call back if you want).

However, with spoofing callers deliberately change the telephone number and/or name relayed as the Caller ID information.

They do this to either hide their identity or to try to mimic the number of a real company or person who has nothing to do with the real caller.

For example, identity thieves who want to steal sensitive information such as your bank account or login details, sometimes use spoofing to pretend they're calling from your bank or credit card company.

What is being done?

Calls with spoofed numbers can and do come from all over the world and account for a significant and growing proportion of nuisance calls.

That's why Ofcom is working with the international regulators – as well as the telecoms industry – to find solutions to the problem.

Voice over IP (VoIP) technology – the type of technology used to make internet calls – is often used in spoofing. The Internet Engineering Task Force (IETF), which helps to develop internet standards, has created a group specifically to tackle this issue.

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

0 Kudos

deanchapman
Tuning in
In response to enlli

on ‎04-08-2021 16:19

Hi enlii, I think we're on the same page, we've been though the loop with email and sender spoofing/impersonation
- sometimes it is desirable or allowed where an external agency is required to send emails 'as' another company.
- sometimes it is a nefarious actor wanting to impersonate some other person/domain to mislead
... enter DKIM and DMARC/SPF where 'allowed' senders are registered and allowed, but it's not properly implemented everywhere even after all this time

What we need is something similar for SMS and whilst I am not an expert in SMS technologies, I gather that STIR/SHAKEN is the protocol initiative that will allow some authentication, permission and traceability to CLID changes - But not any time soon

So notwithstanding the previous comments, we just need some tactical mitigation (like for email spam checking centrally by ISP,  or on a client basis by various email applications)

0 Kudos
Top