Leading UK mobile networks EE, O2, Three and Vodafone have teamed up to launch a new initiative dubbed “SMS Phishguard”, through which they will be able to eradicate the menace of SMS-based phishing tactics that result in a large number of authorised push payment scams.
In September, research carried out by UK Finance revealed that the UK saw as many as 43,875 cases of authorised push payment scams last year that impacted a total of 42,837 UK consumers. Such scams involved scammers tricking consumers into authorising payments to them by sending them messages by masquerading as banks themselves.
It added that losses due to unauthorised fraud totalled almost £732 million last year and combined with £236 million lost to authorised push payment scams, total losses incurred by UK citizens and businesses because of phishing scams almost touched £1 billion last year.
SMS PhishGuard will authenticate genuine text messages
In order to prevent millions of their customers from falling victim to text message based phishing scams, leading mobile networks EE, O2, Three and Vodafone will soon launch a new initiative dubbed SMS PhishGuard. The initiative is being led by Mobile UK, Mobile Ecosystem Forum and UK Finance and will launch at Messaging and SMS World 2018 early next year.
In a press release, Mobile UK, the trade association for EE, O2, Three and Vodafone, said that SMS PhishGuard will not only reduce the number of SMS-based phishing attacks but will also raise awareness of phishing by SMS and help consumers report such scams.
The initiative will involve the setting up of a new SMS SenderID Protection Registry next year which will allow banks and other customer-facing organisations to register and protect the message headers they use in SMS communications to consumers. The registry will ultimately allow all merchants and other public sector bodies to register themselves, thereby helping consumers differentiate between genuine text messages and fraudulent ones.
Mobile UK added that the registry would also “significantly reduce the ability for fraudsters to send messages impersonating a brand in the message header by checking whether the sender using that sender ID is the genuine registered party and block any messages that are fraudulent”.
“Protecting customers is a top priority for mobile operators and SMS PhishGuard ups the ante in the fight against fraud. Through this new initiative the four MNOs, together with MEF and the banking sector, will have in place the tools to significantly reduce the ability for fraudsters to send messages impersonating a brand and block any messages that are fraudulent. This will ensure SMS remains a trusted communication channel for brands and consumers alike,” said Hamish MacLeod, Director at Mobile UK.
Banks must secure push-based authentication technology
Commenting on the announcement of the SMS Phishguard initiative, Frederik Mennes, Senior Manager Security and Market Strategy at OneSpan, said that considering UK banking customers lost £500m to fraud in the first half of 2018, of which £145m was through authorised push payment fraud, the announcement of the initiative is a welcome move.
“It’s therefore great to see mobile networks joining the cause to fight fraud with SMS Phishguard, the latest in a number of initiatives, including name checks on bank transfers and banks integrating Google Maps to track payments. Such changes illustrate the collaboration needed across all involved industries to face today’s threats and protect customers.
“But that isn’t to say that SMS-based authentication will now be invincible to attack. Even when combined with static passwords and pins, SMS has well-known security weaknesses and SMS codes are susceptible to interception by the likes of malware or weaknesses in the SS7 networking protocol. To avoid this, organisations should move to more secure push-based or app-based mobile authentication technology, complemented by other intelligent and adaptive authentication methods, for the best chance at preventing fraud,” he added.