The telco industry has been cracking down hard on insidious SMS scams over the last 12 months — but not every provider is pulling their weight. Australia’s communications and media regulator has busted three companies for breaking compliance rules by allowing dodgy text messages to be sent unchecked.
The Australian Communications and Media Authority (ACMA) has taken action against messaging platforms Sinch and Infobip, and international call card supplier Phone Card Selector, after finding all three brands guilty of breaching industry anti-scam codes. ACMA investigations found that Sinch and Infobip let thousands of non-complaint SMS messages to go through to Australian numbers, while Phone Card Selector failed to have the systems in place to comply with scam prevention policy.
Telco industry rules state that all carriage service providers must perform sufficient checks on any text-based sender IDs to ensure they’re legitimate. However, Sinch, Infobip and Phone Card Selector have each been called out for dropping the ball.
How are companies failing to stop scam SMS?
The ACMA’s investigation found that between July 12, 2022 and February 17, 2023, Infobip had allowed its customers to send 103,146 non-compliant text messages using Alpha (alphanumeric) IDs — these are messages that use a company or brand name as a sender ID, rather than an actual phone number. This in itself isn’t a breach, but Infobip hadn’t performed the required checks to ensure each Alpha ID comes from a valid business or outlet.
Because of this, Infobip users could add or change Alpha IDs at any time without seeking authorisation, leaving the service open to use by scammers impersonating legitimate brands or organisations. Similarly, Sinch was found to have allowed 14,291 unchecked and non-compliant texts to go through between July 12, 2022 and January 31, 2023, again through the use of unverified Alpha IDs. Some of the SMS messages originating from Sinch’s platform included Medicare and Australia Post impersonation scams.
Phone Card Selector was also called out by the ACMA, for not implementing sufficient checks to ensure any Alpha IDs issued are valid. While the company required users to submit an application form before receiving Alpha ID approval, the ACMA stated this alone did not provide enough evidence for a ‘legitimate’ reason for using specific Alpha IDs.
So in conclusion, and without the jargon: all three brands failed in their duty to prevent users from sending scam or spam text messages that used fake sender IDs to impersonate real businesses and government agencies, including banks and road toll companies.
“While there is no suggestion the telcos were involved in scam activity themselves, scammers have used their failures to prey on Australians. This wouldn’t have happened if the companies had adequate processes in place and complied with the rules,” ACMA Chair Nerida O’Loughlin said.
“Scams that impersonate reputable organisations can be particularly hard for consumers to recognise and there’s no telling how much damage could have been done as a result of these scam texts.”
While none of the three companies have been fined for the breaches, the ACMA has given Sinch and Infobip a formal direction to comply with telco code obligations, and Phone Card Selector has been given a formal warning.
If telcos refuse to comply with ACMA directions, they could face penalties of up to $250,000.
#scamalert scammers are tricking victims into providing one time passwords to authorise what they think are small payments to settle fake overdue accounts when they are really authorising other payments that can drain their accounts. Never click links or give anyone your passcode pic.twitter.com/68AUNnk30p
— ACCC Scamwatch (@Scamwatch_gov) May 12, 2023
How to stay safe against scammers
The ACMA has made the fight against phone and SMS scams a priority for 2023-24, after introducing tough new anti-scam telco rules in 2022. Telcos themselves must now publish info to help their customers identify, manage and report SMS scammers, and are also required to report identified scams both to authorities and to other providers. The Federal Government has also announced plans to establish an SMS sender ID register to stop offshore scammers from impersonating businesses and agencies.
Most of us have received more than our fair share of scam texts. In 2021, the ‘Flubot’ SMS scam targeted Aussies by sending out millions of messages containing links to malware (that’s software that allows scammers to access the personal information on your phone).
Some of the signs of a scam SMS include:
- An unexpected SMS from an unfamiliar number asking for personal information.
- An SMS that asks you validate your details, collect a prize, accept a job offer, etc. by clicking an included link.
- An unexpected SMS from an overseas number, or one beginning with 19 or 190.
- Any unsolicited text messages that promise something too good to be true, such as money, a job or a prize.
- An unsolicited text message claiming to be from a legitimate organisation, such as a bank or the ATO, that includes suspicious links or wording — look for spelling mistakes, bad grammar or other inconsistencies.
If you receive an SMS that doesn’t seem quite right, your best bet is to delete it — don’t reply, call the number, or click any links. If you are concerned that you’ve been scammed, you can take the following steps:
- Do not enter any passwords or log into any accounts on your phone, especially online banking or government services.
- Contact your bank or financial institution immediately to report the scam. Your bank may be able to stop or reverse a transaction, and close your account or credit card if necessary.
- Contact IDCARE online or by calling 1800 585 160. This is a free, government-funded service that can support you through identity theft if your personal info has been stolen.
- Change any online passwords that may have been compromised, including banking, email, social media, etc.
- You may also wish to report the scam to the ACCC here.
For more information on common telco and cyber scams targeting Australians, visit the ScamWatch hub.