The UK’s mobile and finance industries have teamed up with GCHQ’s National Cyber Security Centre (NCSC) to better detect and block SMS phishing attempts designed to capitalize on the COVID-19 crisis.
Known as smishing, these attacks use social engineering and spoofing techniques similar to those of phishing emails but arrive as texts, tricking users into clicking on malicious links and/or divulging personal and financial information.
The current initiative is part of an ongoing NCSC-backed project by the Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance centered around the MEF-developed SMS SenderID Protection Registry.
Organizations that sign up to the registry can protect their text message headers, making it difficult for fraudsters to impersonate their brand in fake SMS phishing attempts. The system will check to see if a message is being sent by a genuine organization and block it if not.
According to Mike Fell, head of cyber-operations at HM Revenue and Customs (HMRC), the current project builds on an HMRC trial which resulted in a 90% reduction in reports of the most convincing HMRC-branded SMS scams.
Some 50 banks and government organizations have signed up to have their text messages protected, with 172 SenderIDs registered to date. More than 400 unauthorized text variants are now being blocked, and the blacklist is growing all the time.
All of the UK’s major operators — BT/EE, O2, Three and Vodafone — have signed up, as have leading messaging providers including BT’s Smart Messaging Business, Commify, Firetext, Fonix Interactive, HGC Global Communications Limited, IMImobile, mGage, OpenMarket, SAP Digital Interconnect, Sinch, TeleSign, Twilio and Vonage.
“We are pleased to be supporting this experiment which is yielding promising results,” said NCSC technical director, Ian Levy. “The UK government’s recent mass-text campaign on COVID-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kinds of scams.”
The news comes as the NCSC claimed an early win for its suspicious email reporting service, which was officially launched this week.
It said more than 80 malicious web campaigns were taken down in a day after 5000 suspicious emails were flagged to the automated service for investigation.