SMS Vulnerabilities: Weaknesses That Consumers & Enterprises Must Be Aware Of (2024)

These days, person-to-person (P2P) conversations rarely happen on SMS. Just look through your text messages; very few will be from friends and family.

Instead, most communications will likely be from businesses.

Why? Because people now use WhatsApp, Messenger, and social media as their predominant personal communication channels.

Mobile operators experienced a sharp decline in network traffic when this trend started. So, they asked: what can we do with our already huge network infrastructure?

Eventually, they marketed the channel to enterprises for application-to-person (A2P) messaging – and had significant success.

After all, open rates are much higher on SMS than email. Moreover, the channel has an enormous reach, so businesses can contact customers even when they’re on holiday and have their data roaming switched off.

Yet, go back to your phone. You may also notice that one or two messages are from fraudsters impersonating businesses – and that’s where the vulnerabilities of SMS begin.

Consumer SMS Vulnerabilities You Need to Be Aware Of

Many of us mock phishing scams for being so easy to spot, and lots of the “Prince of Nigeria” types of attacks still trickle into our inboxes.

Digital natives can spot these in a heartbeat. But, other times, it’s more tricky. For instance, the fraudster may follow up the phishing message with a deep-faked voice call to further convince the customer.

However, even without these additional touches, batch SMS phishing sprees may yield results for attackers, and – unfortunately – such sprees are not difficult or expensive to run, either.

Consider the market prices to send traffic from the US to the UK. It costs around £700 to send 50,000 SMS messages via official routes.

If just one percent takes the bait and follows the troublesome link, that’s 500 people in danger of being scammed in one fell swoop.

Moreover, as reports of massive data breaches continue to surge worldwide, these phishing attempts will only increase.

Yet, phishing is only one potential SMS vulnerability. There are many others, including SMS malware.

In this case, an attacker installs malicious software on the target’s phone, which may then send and receive text messages without the owner’s knowledge or consent. The attacker may then send phishing messages to the target’s contacts or access personal information stored on the device.

Another couple of common SMS vulnerabilities include:

  • SMS Flooding – When an attacker sends you a batch of messages – one after another – often aiming to hide a malicious message within the flood. Sometimes, the objective is to instead disrupt your service or – more simply – just irritate you.
  • SMS Interceptions – When an attacker intercepts your message as it travels between the device and the network. From there, they might modify the message or redirect it to their device or server for fraud.

While some of these attacks fall outside the enterprise’s control, there are many more vulnerabilities that businesses must keep their eyes on and guard against.

Enterprise SMS Vulnerabilities You Need to Be Aware Of

In 2021, the Mobile Economic Forum published the third edition of its Business SMS Fraud Framework, isolating further cases of fraud impacting consumers, mobile operators, and service providers.

Some cases also relate to the enterprise, with SMS interceptions (as introduced above) a particularly troublesome example.

For instance, an attacker may intercept an SMS message – typically containing sensitive data like a one-time password (OTP) or a two-factor authentication (2FA) message – while the user is roaming.

That interception could enable the malicious third party to access the user’s accounts – with some scammers able to access their bank account details and authorize payments without consent.

However, the framework also puts forward other examples of more niche SMS vulnerabilities that are difficult to spot.

The two fraudulent practices below are excellent examples, with the second highlighting the dangers of “inside jobs” caused by an enterprise’s network partner:

  • Enterprise Identity Theft – When an attacker sends customers scam SMS messages that include the enterprise’s credentials, like sender IDs – i.e., shortened business names. Two prominent CPaaS players got in trouble last year for selling the tech that makes this possible in Australia without the proper checks.
  • Message Trashing – When the messaging provider deletes a message before it reaches the operator and – therefore – customers. They may then send a fake delivery receipt to conceal the fraud while lowering the average cost of message delivery.

These two examples underline the importance of working with a trusted SMS provider like HORISEN.

Yet, other vendors will also claim that they offer a robust, reliable platform. As such, businesses must know how to spot the trusted players amongst the pretenders.

Picking a Partner to Navigate the Sea of SMS Vulnerabilities

The trusted SMS messaging vendor and CPaaS enabler HORISEN meets the highest security standards, boasting the following features:

  • GDPR compliance
  • Data is hosted in a HORISEN cloud environment in Switzerland
  • Servers are collocated in bank-certified data centers
  • State-of-the-art layered security measures applied to protect the platform
  • Redundant DDoS protection at ISP level (to receive only cleaned IP traffic)
  • Connections are restricted by IP address, with only trusted IPs allowed
  • VPN connectivity available on request
  • IPSec and TLS connections for customers as a security best practice

Yet, the vendor also guides its clients by providing expert advice to secure the foundations for their SMS strategies to flourish.

Exemplifying this, HORISEN – which received recognition in the 2024 CX Marketplace for CPaaS – offered seven best practices to CX Today for ensuring businesses leverage a secure SMS messaging platform:

  1. Prioritize security as the foundation of the system.
  2. Utilize state-of-the-art security measures in bank-certified data centers.
  3. Implement strict access control with trusted IP addresses and VPN options.
  4. Ensure high availability with a 99.999% uptime policy and auto-rebinding.
  5. Maintain vigilant monitoring and swift resolution with the help of a dedicated support team.
  6. Establish an incident management protocol for prompt response and transparency.
  7. Adhere to industry standards like ISO 27001:2022, GDPR, OWASP, and NIST for robust security and compliance.

Such advice is golden across all industries. Consider telecommunications, a sector especially vulnerable to these risks. Failing to invest in robust messaging technology may leave telecoms providers exposed to cyber threats, potentially endangering both their users’ safety and the integrity of their operations.

To dive deeper into the weeds on each of the seven points, read HORISEN’s latest blog: Safeguarding the Integrity of Communication

Eager to learn more about how HORISEN can help bolster your enterprise communications strategy? Visit: www.horisen.com

Author: Edmund Hettinger DC
