SMS with non-numeric sender can be used to scam users and lie about the real origin of the message. The extent of a phenomenon such as smishing, a problem that afflicts many Europens every day, is confirmation of this.
How many times have you received a SMS that bore the name of a bank, a telephone operator or other company as sender and that invited you to carry out operations on unofficial Web addresses? Many.
This is the well-known practice known as SMS spoofing: cybercriminals “shoot in the crowd” by sending huge volumes of SMS to numbers of Europen users in an attempt to make them fall into the trap. As is the case with email phishing, the sender of the SMS is not the real one because it is deliberately falsified by the sender of the message. L’attack can be accomplished using several techniques: Attackers can use specialized software or online services that allow them to artfully change the sender or send SMS messages via legitimate mobile networks.
The goal is obviously to deceive the recipient, making them believe that the message comes from a reliable source or from a trustworthy person. The message text it is packaged in such a way that they can trick you into obtaining personal and financial information, spread malware, or start a scam.
AGCOM prescribes the blocking of forged SMS senders
With the new “Regulation on the use of alphanumeric characters that identify the sender in corporate messaging services (SMS ALIAS)” (Resolution n. 12/23/CIR), AGCOM (Communications Regulatory Authority) has finally decided to crack down on SMS messages from bogus senders.
Specifically, the Europen Authority regulates the use of the so-called SMS aliases or that particular feature that allows you to send SMS messages using a name instead of a telephone number. The SMS alias replaces the sender’s phone number with a name or a personalized label. For companies that operate in compliance with the rules, this is a very interesting feature for immediate purposes message customization to make it easier to recognize. For cybercriminals, however, SMS aliases have always presented an incredible opportunity to lend credence to scam attempts and dangerous content.
The big news introduced by AGCOM consists in the establishment of a Record of operators who intend to use the SMS alias technique: the registration request is suitably verified and only those coming from recognized and consequently reliable subjects are accepted. The end user, i.e. the one who receives the message on his terminal, has the right to ask the reference operator for the personal details of the person who has used a particular alias.
The Authority will also set up a web service that can be used by users to verify the correspondence Between alias and organization that sent the SMS.
Furthermore, the network and service providers involved in the handling of SMS/MMS are required to block messages with non-numeric sender coming from abroad.
At the moment, however, it is advisable to always keep our guard very high: the new provisions envisaged in the regulation wanted by AGCOM enter into force within 12 months and in any case at the same time as the updating of the IT platform by the Authority. Meanwhile, the phenomenon of smishing it cannot yet be considered as eradicated.