In July 2016, mobile phones lit up across Australia. It was an SMS, apparently from Medicare, claiming the Government planned to privatise healthcare. But of course, Medicare had nothing to do with it.
“Mediscare” was a key controversy of the last federal election campaign. Yet it also pointed to another problem: it is “embarrassingly easy” to impersonate trusted brands via SMS.
That was in the back of Josh’s* mind when, in early February, he received a text that appeared to be from Apple, encouraging him to click a website link.
It dropped into the same thread as real messages from the technology company, so if he hadn’t looked twice, he would have been sent to a scam site attempting to steal his personal details.
Josh happens to use a Swedish online text message service called 46elks — one of many such tools available online — to communicate with clients for work. It’s a legitimate business, but unscrupulous users could exploit tools like those offered by the company to spoof text messages.
To demonstrate the risk, Josh sent test messages that sat right next to existing SMS from Apple, Vodafone and Qantas.
“I can send you a text message from any word,” he said. “So, I can say Qantas, I can say ANZ, I can say Apple and you just type it in.”
The head of 46elks Johannes Ridderstedt said the backend was “incorrectly configured”, allowing the test message spoofing Apple to slip through. (The ABC does not suggest 46elks was used to send the scam Apple message, or is being used to scam Australians.)
Variations of “Apple” like “appie” and “app1e” as well as some other international trademarks like Google and Facebook should be protected on his platform, according to Mr Ridderstedt, but local brands are not.
And while companies like 46elks offer SMS services that businesses use for bill reminders or boarding passes, the internet abounds with tools that set out explicitly to let the sender’s identity be spoofed.
It’s unclear whose job it is to stop them.
Phishing is best known as an email technique: a scammer impersonates a trusted identity to get someone to share sensitive information, such as banking passwords. The same trick works over SMS and through scam calls.
In 2018, Australia’s competition regulator received almost 6,000 reports of phishing via text message — often from scammers impersonating trusted brands — with over $34,000 in losses.
A spokesperson said the organisation has seen attempts “in the form of special deals, promotions, mystery box offerings, buying frequent flyer points, free flights and surveys”.
To explain how it works, you need to get a little technical: using a method known as “over-stamping”, the calling line identification (CLI) can be changed so that the number that appears on your screen during a phone call or on a text message is different from the actual caller.
Remember that, as well as phone numbers, SMS messages support alphanumeric Sender IDs of up to 11 characters, with letters rather than numbers, which is why ticketing details from Qantas appear in a message thread called “Qantas”.
Companies can use services that allow messages to be sent from a company name rather than a phone number. The Sender ID is simply a field set by whoever submits the message to the sending service, so a scammer does the exact same thing and types in the same name.
“Your phone receives it, and groups the message based on the Sender ID, so it appears in the same thread as other messages with the same Sender ID,” explained Pelin Nancarrow, the Asia Pacific lead for IBM’s X-Force Incident Response and Intelligence Services.
She said it can be troublingly simple to get people to click on links they shouldn’t via mobile phone.
We are distracted, she suggested, by the abundance of communication coming our way throughout the day. “It is less likely that mobile phone users will apply the right level of scrutiny.”
If you’re used to getting text messages from an airline or your bank, for example, you might fail to closely examine the URL the message wants you to tap.
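The gateway-side controls mentioned in this article, blocking “Apple” and look-alikes such as “appie” and “app1e”, and requiring alphanumeric Sender IDs to be pre-registered as some countries mandate, can be sketched in code. What follows is an added example written for this article, not code from 46elks or any other provider. The brand list, the account registrations and the look-alike character table are constructed assumptions; a real gateway would load its own.

```python
import re
import unicodedata

# Constructed brand list for the example; a real gateway would load its own.
PROTECTED_BRANDS = ["Apple", "Google", "Facebook", "Qantas", "ANZ", "Vodafone"]

# Constructed pre-registration table: which alphanumeric Sender IDs each
# customer account has been approved to use.
REGISTERED_SENDER_IDS = {
    "acct-42": {"JOSHCO"},
}

# Characters commonly substituted for Latin letters in look-alike names.
# 'i' is folded to 'l' so that "appie" and "apple" compare equal.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "i": "l",
})


def normalize(name):
    """Fold a Sender ID (or brand) to a canonical form for comparison:
    strip accents, lower-case, replace look-alike characters, keep letters."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z]", "", folded)


# Folded form -> display name, computed once.
PROTECTED = {normalize(b): b.lower() for b in PROTECTED_BRANDS}


def levenshtein(a, b):
    """Edit distance, used to catch one-character variants such as "Gogle"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(sender_id):
    """Return the protected brand a Sender ID resembles, or None."""
    folded = normalize(sender_id)
    for key, brand in sorted(PROTECTED.items()):
        if folded == key:
            return brand
        # Fuzzy matching only for longer names: a 3-letter brand like ANZ
        # would otherwise collide with ordinary words one edit away.
        if len(key) >= 5 and levenshtein(folded, key) <= 1:
            return brand
    return None


def screen_sender_id(account, sender_id):
    """Gateway policy, returning (allowed, reason). Numeric originators pass
    through; alphanumeric Sender IDs must not resemble a protected brand and
    must be pre-registered to the submitting account."""
    if re.fullmatch(r"\+?[0-9]{3,15}", sender_id):
        return True, "numeric"
    # GSM alphanumeric originator addresses are at most 11 characters.
    if not re.fullmatch(r"[A-Za-z0-9 ]{1,11}", sender_id):
        return False, "invalid-format"
    brand = impersonated_brand(sender_id)
    if brand:
        return False, f"impersonates:{brand}"
    if sender_id not in REGISTERED_SENDER_IDS.get(account, set()):
        return False, "unregistered"
    return True, "registered"


if __name__ == "__main__":
    # Constructed submissions from one customer account.
    for sid in ["+61412345678", "JOSHCO", "Apple", "app1e", "appie",
                "Q4ntas", "Gogle", "MYSHOP", "Too Long Sender!"]:
        print(f"{sid!r:20} -> {screen_sender_id('acct-42', sid)}")
```

Numeric originators are passed straight through because they are governed by the carrier’s calling line identification rules rather than by this check, which is exactly why “over-stamping” of numbers needs a separate control at the carrier. The brand check runs before the registration check so that a customer cannot register a look-alike name for themselves; the list is only as good as the brands someone has thought to add to it, which is the gap the article describes for Australian names.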
No one’s responsibility
If you use an email service like Gmail, phishing emails are often blocked by its spam filter. SMS, on the other hand, has few barriers aside from the cost per message.
Pretending to be a company like Qantas breaches 46elks’ acceptable use policy, yet Josh’s test demonstrates the difficulty of addressing this risk across dozens of such services globally — and of deciding whose job it is to do so.
John Stanton, chief executive of the Communications Alliance, which represents Australian telecommunication companies, said there are limits to what service providers can control.
Carriers don’t monitor the content of messages, due to privacy obligations, and if legitimate messages are displayed alongside scam ones, that’s up to whoever made the handset.
“The way that messages are arranged into threads on a smartphone is a function of that smartphone’s operating platform and features,” he said.
A Vodafone spokesperson said the company tries to reduce fraudulent SMS activity, including by looking for unusual patterns and increased SMS volumes.
In general, while some carriers can block a number being used improperly, they typically need to be alerted by users or authorities.
Mr Ridderstedt said his company would be open to protecting Australian brands like it does Apple, if notified their name was being abused.
He also pointed out that in some countries, including Vietnam, alphanumeric sender IDs must be pre-registered, which helps prevent some forms of spoofing.
The phenomenon shows how “low security” SMS can be, according to Josh, who questioned the reliance of some brands on text messages.
“It’s a terrible way for really important information to be communicated,” he said.
Apple declined to comment.
* Josh declined to use his last name for privacy reasons.