SMS scams purporting to be from banks and telcos could be stopped dead in their tracks thanks to new government rules. Will it prevent all scams?
Scammers could have their lives made a little more difficult thanks to rules set to arrive from late next year.
Announced this week by the Australian government, the Australian Communications and Media Authority (ACMA) will be able to instruct telcos to check whether messages being sent under the guise of a brand name are linked to a legitimate sender connected to the government’s SMS Sender ID Register.
The idea effectively means scammers using SMS spoofing to send messages to look like known and trusted entities will be rejected by telcos, preventing those messages from going through to Australian phone owners in the first place.
It means messages by Australia Post under the “AusPost” name will be let through, but messages from unknown providers attempting to use the “AusPost” sender ID will be stopped because they’ll lack the legitimacy.
For large and trusted institutions, the result could mean less obvious scams coming in under their names.
Scam messages purporting to be from myGov, Linkt, banks, and telcos would likely be the obvious targets, but the Sender ID Register could also hold details for supermarkets and retailers, known targets for scammers in recent years.
“We’ve all received scam messages on our phones purporting to be from reputable sources – and it’s costing Australians millions of dollars every year,” said Michelle Rowland, the government’s Minister for Communications.
“This mandatory Register will enable these messages to be blocked or flagged as a scam – better protecting consumers from being cheated,” she said.
“In this way, the Register will also help restore trust in communications received from legitimate organisations and make Australia an even harder place for scammers to operate.”
The move is one that the government says will “restore public confidence in SMS as a communications channel” and “make Australia a much harder target for scam activity”, all the while increasing “protections for legitimate brands”. Will it work?
Where the protections will likely work: known entities
For a large number of SMS scams, the government’s plan could make a massive dent, particularly where spoofing is concerned.
It’ll mean scammers trying to convince you that their text message is actually from myGov or Telstra or any number of Australian banks will be blocked at the point of entry, preventing these from going through.
That’ll be a win for the SMS inbox of every phone owner, because it means they’ll be able to trust the official names of services on the messages that arrive.
Where the protections will likely fail: spelling errors and nameless messages
The downside of leaning on this process lies in approaches scammers are already employing, which the government’s Register may not account for.
For instance, the Sender ID Register works on the basis of joining the dots between company names and a legitimate entity. But there’s little to no information on whether this will necessarily work for deviations and variations in spelling.
Right now, scammers can pretend to be Australia Post by spoofing “AusPost” and coming in under that name, making life difficult for regular people. But before spoofing was popular, scammers could also take advantage of rules on protected names with intentional spelling changes.
In this example, “AusPost” might be “AussPost” or “AusP0st”, or even “OzPost” or “AuPost”. These clearly aren’t the same as “AusPost”, but to a passing glance, particularly late at night when users aren’t expecting a message, these could be easily misinterpreted and clicked on without warning.
It’s not yet known whether the government’s Sender Registration system will automatically tie misspellings to the system, but if it doesn’t, that’s one loophole scammers will be able to exploit.
The other more obvious one sees scammers doing something they already do now: sending SMS without an ID. This approach to scamming just sends the message as a mobile phone number, be it one that’s completely unknown to you or one that is very, very similar to your own.
In this situation, the government’s scam rules wouldn’t apply because criminals would be sending texts exactly as anyone else does. No sender ID means you just get a phone number and a message, which is the same way text messages normally get sent out.
Right now, plenty of scams go out this way, and this legislation would have no effect on those at all.
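To make the two gaps concrete, here is an added example (not from the article, and not how ACMA or any telco implements the Register) of a filter that checks a sender ID against a register, flags near-miss spellings, and shows why plain phone numbers never reach the check. The register contents, originator names, digit-swap table and distance threshold are all assumptions made up for illustration.

```python
import re

# Constructed register: sender ID -> originators allowed to use it (hypothetical names).
REGISTER = {"AusPost": {"auspost-gateway"}, "myGov": {"servicesaustralia-gateway"}}

# Digit-for-letter swaps seen in lookalike names (assumed table, not exhaustive).
DIGIT_SWAPS = str.maketrans("01358", "oiesb")

def skeleton(sender_id):
    """Case-fold, undo digit swaps, and collapse doubled letters."""
    folded = sender_id.lower().translate(DIGIT_SWAPS)
    return re.sub(r"(.)\1+", r"\1", folded)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_id, originator, max_distance=1):
    # A bare phone number carries no sender ID, so the register is never consulted.
    if re.fullmatch(r"\+?\d{3,15}", sender_id):
        return "out_of_scope"
    # Exact registered name: allow only when it comes from an authorised originator.
    if sender_id in REGISTER:
        return "allow" if originator in REGISTER[sender_id] else "block"
    # Not registered: flag it if it is a near-miss of a registered name.
    for name in REGISTER:
        if edit_distance(skeleton(sender_id), skeleton(name)) <= max_distance:
            return "flag_lookalike"
    return "unregistered"

if __name__ == "__main__":
    for sid in ["AusPost", "AussPost", "AusP0st", "AuPost", "OzPost", "+61400000000"]:
        print(sid, "->", classify(sid, "unknown-aggregator"))
```

“OzPost” comes back as merely unregistered: a nickname-style variant is too far from “AusPost” for a spelling-distance check, so a register would need to deal with unregistered alphanumeric IDs as a class rather than rely on similarity matching alone.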
More needs to be done
Clearly more needs to be done, and while the government’s move is a step in the right direction, it only addresses one avenue of problems.
In recent weeks, the government has stepped up its approaches on technological legislation, with scammers and illegitimate advertising requiring investigation by banks, telcos, and social media services, as well as the government’s social media age assurance system.
At least one of these appears to have been rushed (social media), even though more time, effort, and research needs to be undertaken to find more paths to deliver better outcomes.
In terms of dealing with SMS scams, the government may want to consider requiring all telcos to coordinate efforts, as opposed to the singular approach currently going on.
Telstra’s Cleaner Pipes is a solid program that is beginning to seriously cut down on scams sent on the Telstra network, affecting both Telstra subscribers and those who subscribe to Telstra services used by virtual operators, such as Woolworths, Boost, and Mate. However, the research and approaches aren’t shared between the other major telcos, Optus and Vodafone, with Telstra largely going at it alone.
It’s a similar predicament for some of the clever banking and phone call tracking technology, which at the moment is limited to Telstra customers who have Commbank accounts. If the technology was shared between more banks and more telcos, it’s possible the tracking would improve and fewer scam losses would occur.
Both are examples of how the government and service providers could work together beyond blocking scammers at the point of entry. That is definitely a welcome start, even if it’s not on the cards until late 2025, but perhaps we’ll see more cooperation to improve the technology further.