SMS spoofing is a technology which uses the short message service (SMS), available on most mobile phones and personal digital assistants, to set who the message appears to come from by replacing the originating mobile number (sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, product). This can also send "mysterious" messages that look like they are from legitimate numbers or contacts.
SMS Spoofing occurs when a sender manipulates address information. Often it is done in order to impersonate a user that has roamed onto a foreign network and is submitting messages to the home network. Frequently, these messages are addressed to destinations outside the home network – with the home SMSC essentially being “hijacked” to send messages into other networks. In advanced cases they can even hijack existing contacts in a phone. In other words, the hijacker's message can appear to be coming from any number.
The impact of this activity is threefold:
The home network can incur termination charges caused by the delivery of these messages to interconnect partners.
These messages can be of concern to interconnect partners. Their customers may complain about being spammed, or the content of the messages may be politically sensitive. Interconnect partners may threaten to cut off the home network unless a remedy is implemented. Home subscribers will be unable to send messages into these networks.
While fraudsters normally used spoofed-identities to send messages, there is a risk that these identities may match those of real home subscribers. The risk therefore emerges, that genuine subscribers may be billed for roaming messages they did not send. If this situation occurs, the integrity of the home operator’s billing process may be compromised, with potentially huge impact on the brand.
The legitimate use cases for SMS spoofing include:
A sender transmits an SMS message from an online computer network for lower more competitive pricing, and for the ease of data entry from a full size console. They must spoof their own number in order to properly identify themselves.
A sender does not have a mobile phone, and they need to send an SMS from a number that they have provided the receiver in advance as a means to activate an account.
A sender adopts the default network gateway identifier provided by an online service, in order to send an anonymous sms, rather than specifying a number of their own choosing.
A third party sends a message to a virtual number, which then forwards (resends) the message to one or more recipients in such a way that the true originator address (rather than the virtual number) appears as the sender ID and the recipient(s) can reply, call, sort, save, or otherwise process the message in the expected way.
An SMS spoofing attack is often first detected by an increase in the number of SMS errors encountered during a bill-run. These errors are caused by the spoofed subscriber identities. Operators can respond by blocking different source addresses in their Gateway-MSCs, but fraudsters can change addresses easily to by-pass these measures. If fraudsters move to using source addresses at a major interconnect partner, it may become unfeasible to block these addresses, due to the potential impact on normal interconnect services.
Legality
In 2007, the UK premium rate regulator, PhonepayPlus (formerly ICSTIS) concluded a public consultation on anonymous SMS, in which they stated they were not averse to the operation of such services.[1] However, in 2008 PhonePayPlus introduced new regulation covering anonymous SMS, requiring anonymous SMS service providers to send a follow-up message to the recipient stating that a spoofed SMS has been sent to them, and operate a complaints helpline.
Protecting users from SMS spoofing
If a user can prove that their SMS sessions have been spoofed, they should contact both law enforcement and their cellular provider, who should be able to track where the SMS messages were actually sent from. A user may also modify the phone's settings so that only messages from authorized numbers are allowed. This is not always effective since hackers could be impersonating the user's friends as well.
To mitigate the risk of falling victim to such scams, several precautionary measures are recommended:
Verification of communications: Legitimate government agencies do not request usernames, passwords, or similar credentials through unsolicited communications. Individuals should independently verify the authenticity of any contact by consulting official sources rather than relying on information provided in the message.
Caution with digital correspondence: Recipients should avoid clicking on links or opening attachments contained in unexpected emails or text messages. When in doubt, official contact information should be obtained directly from the organization’s verified website.
Scrutiny of sender details: Spoofing attempts frequently involve minor alterations to email addresses, URLs, or domain names. Careful examination of these elements may help identify fraudulent correspondence.
Safe handling of downloads: Files or attachments from unknown sources should not be opened, as they may contain malicious software. Even forwarded attachments from trusted contacts should be treated with caution.
Implementation of multi-factor authentication: The use of two-factor or multi-factor authentication enhances account security and should be enabled wherever available.
Limitation of personal disclosures: Excessive sharing of personal information on social media—such as names of family members, pets, educational institutions, or birthdays—can provide scammers with clues to guess passwords or answer security questions.[2]
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
