As the internet continues to grow and more people adopt it into their daily lives, a small minority of people view this as the perfect opportunity to take advantage of them and engage in cyber crime – a trend increasing worldwide.
Amid these worldwide increases, the UK seems to be hit the hardest. The UK’s cyber crimes per million internet users were the highest globally, at 4,783. This is a staggering 40% increase since 2020.
There are many forms of cyber crime, such as hacking, phishing, identity theft, etc., and there’s a plethora of cybersecurity information available to prevent those. However, one term that is often associated with cyber crime but goes under the radar is SMS spoofing. In fact, there are plenty of people who have never even heard of it.
Therefore, this article will explore all things SMS spoofing-related, such as what it is, whether it’s actually illegal, the different types you may come across, if you can prevent it, and much more.
SMS spoofing – also known as ‘SMS originator spoofing’ – is when a text message sender alters their sender details to make it look like the message has come from a different number or name – i.e., a fake sender ID. Although this practice has legal uses, it's most commonly associated with malicious intent, such as fraud, scamming, and harassment.
In order to avoid suspicion and successfully dupe the victim, the sender’s details are typically spoofed to one that is trusted. This could be a friend, family member, or a business or organisation such as a bank. But how does it all work?
SMS spoofing typically involves the use of an SMS spoofing attack vector tool to change the sender’s phone number or name – and in some cases, both – and send a text message in the hopes of obtaining sensitive information, attacking the recipient personally, requesting funds, or engaging in a phishing scam.
There are a variety of SMS spoofing apps and attack vector tools on the market, and many are relatively cheap to use. This is what makes the practice so dangerous: it's readily available to anyone on the internet for a small fee.
SMS spoofing as a practice is completely legal. Many businesses and organisations use it, but it becomes illegal when it's used with malicious intent. As such, what separates legal SMS spoofing from illegal spoofing is the intent with which it is being used.
SMS spoofing has a negative association, but there are legal uses, such as when broadcasting official messages, using bulk messaging services, or protecting your identity.
Broadcasting official messages
Companies and institutions such as the government, bank providers, private businesses, etc., often send out official messages. When doing so, they must use an identifiable sender ID to ensure their customers recognise them. Instead of using a mobile phone number, they will use SMS spoofing to change the sender ID to their company or institution name.
This is typically used for sending announcements, PIN-code login verification messages, marketing content, etc.
Bulk messaging services
Expanding on the previous point, bulk messaging services allow you to send multiple SMS messages to multiple people simultaneously. Companies use these services all the time to keep in touch with their customers or clients without having to text them individually each time – which can be quite expensive.
As part of the bulk messaging service, companies can spoof their sender name or number to one that is recognisable to their recipients.
Protecting your identity
Suppose you are contacting emergency services to report a crime but do not want to reveal your identity. Or perhaps you are a whistleblower who is divulging information to a news outlet and wish to remain anonymous.
Whilst these are all perfectly legal use cases, SMS spoofing is also done illegally by fraudulent people. Let's take a look at those illegal uses.
There are different types of spoofing, the most popular ones being SMS phishing scams, personal attacks, money transfers, and extracting confidential information.
SMS phishing scam (smishing)
This is the most common method by which malicious people use SMS spoofing. We mentioned how organisations use SMS spoofing to send out identifiable official messages. However, this same principle can be used by scammers to impersonate those exact companies.
For example, a scammer could change their sender name to ‘Post Office’ and pretend to be the delivery company. The text message may explain that there was an attempt to deliver your parcel, but nobody was home, and to rearrange an alternative delivery date, you must click on the link.
By clicking on the link, you will then be redirected to a website that looks exactly like the Post Office's, but it’s actually a fake website. Any information entered on it will be sent directly to the scammer, who can use your name, address, and contact details to commit identity theft.
You may recognise this tactic as there’s a good chance you’ve been a target for SMS phishing scams before. But this is just one example of how spoofed numbers are used, and it’s important to be sceptical of any text messages that come from a ‘reputable’ sender.
Under this disguise, recipients are more likely to click on the link and provide such information, thus falling victim to the scam. In some cases, the sender will also install malware and gain access to everything on the victim’s phone. This can then be used to send messages to their contacts under the victim’s name and spread the attack further, among other things.
There are instances where SMS spoofing is used to harass and attack individuals, whether that be through pranks, stalking, abuse, blackmail, or intimidation.
For example, you may receive an SMS message from your own phone number. The text message will say that they have hacked your mobile phone and have access to all your messages, photos, and videos – the proof being that they have sent you a text message using your own number. They then go on to say that they will leak the sensitive contents of your phone to all your contacts if you do not perform a particular task or send money to them.
This is a classic form of blackmail used by fraudsters. The fact that the original text message appeared to come from the victim's own phone number causes many people to panic and think it is real, and thus follow through with the scammer's demands. As such, these scare tactics are incredibly common.
Money transfer requests
SMS spoofing attacks often use fake money transfers to coax their victims into sending funds or providing their bank and card details to receive funds.
For instance, you may get an SMS stating that you have been selected to win a prize or you are entitled to a refund. To claim your gift, you must provide your bank and card details so they can deposit the funds into your account.
Another example is receiving a message from your bank provider warning you of a data breach and that you must open a new account and transfer your existing money there. After clicking on the link and ‘logging in’ to your online account, your login details will be sent to the scammer, who can then transfer your funds into their own account.
There are plenty of scenarios where you will be asked to send money or provide details to receive money. It’s important to always treat these as potential scams since most financial institutions – if not all – never ask you to send or receive funds via SMS.
Fraudsters will often pretend to be a trusted friend or family member and ask for confidential information such as bank statements and legal documents.
There are also instances where employees are sent text messages from people pretending to be their boss and asking for company platform login details or documents.
This is an increasingly popular one that scammers use to gain access to an individual’s or company's information, which they then use for malicious purposes.
It’s extremely difficult to detect the difference between a fraudulent spoof SMS and a regular text message. However, there are some red flags to be aware of that should set alarm bells ringing:
- Unsolicited – these types of messages are often unsolicited, meaning they come out of the blue. If you receive a random text message, always treat it with caution.
- Spelling and grammatical errors – For scammers, the name of the game is quantity over quality. As such, you may notice various spelling and grammatical errors. If you do, this is a surefire sign that the message is not from a legitimate person or business.
- Links – Most scam text messages will include a shortened link that takes you to a fraudulent website. If the link looks dodgy, chances are the entire message is as well.
- Urgency – Scammers want to instil panic and urgency in their targets to cause them to make a rash, illogical decision. It is a red flag if the text messages have a time constraint.
- Sounds off – You are familiar with how friends and family message you. The same goes for businesses. If the SMS message sounds off or is too good to be true, it is likely from a fraudulent sender.
- Alternative contact method – You cannot reply to spoofed messages. Therefore, if you’re asked to contact the sender via an alternative phone number, email, or through a link, this is a red flag.
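The red flags above can be turned into a simple triage check. The following is an added example, not part of the original article: the keyword patterns, the shortener list and the sample messages are all constructed assumptions, "unsolicited" is approximated as "sender not in your contacts", and spelling errors are left out because they need a dictionary.

```python
import re

# Assumed sample of link-shortener hosts; not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Host part of a link, with or without a scheme in front of it.
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|final notice|expires? today|"
    r"within \d+ (?:minutes?|hours?|days?))\b", re.I)
TOO_GOOD = re.compile(
    r"\b(you(?:'ve| have) (?:won|been selected)|prize|refund|free gift)\b", re.I)
# A contact verb followed shortly by a phone number or an e-mail address.
ALT_CONTACT = re.compile(
    r"\b(?:call|text|whatsapp|email|contact)\b[^.]{0,40}?"
    r"(?:\+?\d[\d ]{8,}\d|\S+@\S+)", re.I)

def red_flags(sender, body, known_senders):
    """Return the red flags from the list above that a message triggers."""
    flags = []
    # A spoofed sender ID can imitate a known contact, so the absence of
    # this flag proves nothing; its presence is still worth noting.
    if sender not in known_senders:
        flags.append("unsolicited")
    hosts = {re.sub(r"^www\.", "", h.lower()) for h in HOST.findall(body)}
    if hosts & SHORTENERS:
        flags.append("shortened_link")
    if URGENCY.search(body):
        flags.append("urgency")
    if TOO_GOOD.search(body):
        flags.append("too_good_to_be_true")
    if ALT_CONTACT.search(body):
        flags.append("alternative_contact")
    return flags

# Constructed sample messages (numbers are from the UK's reserved drama range).
KNOWN = {"Mum", "+447700900123"}
PARCEL = ("We tried to deliver your parcel but nobody was home. Rebook "
          "within 24 hours or it will be returned: https://bit.ly/EXAMPLE")
PRIZE = "Congratulations, you have won a prize! To claim it, call 07700 900456 today."

if __name__ == "__main__":
    for sender, body in [("Post Office", PARCEL), ("+447700900999", PRIZE),
                         ("Mum", "Running late, see you at 7")]:
        print(sender, "->", red_flags(sender, body, KNOWN))
```

A message with no flags is not thereby safe; the check only orders messages by how much scrutiny they deserve.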
Although most messaging apps have spam filters in place, mobile phone users can’t prevent SMS spoofing. All you can do is control how you respond when receiving one:
- Never open links – If you’re even 1% suspicious of a link, do not open it. By avoiding the website entirely, you significantly reduce the risk of being scammed. But what if you’ve already clicked on it?
- Assess website URL & security – Although a fraudulent website looks like that of the company or business it's impersonating, the URL cannot be the same. Therefore, check the URL to see if it's a legitimate one. The second thing to check is website security: does the address start with ‘https://’, and is there a lock symbol next to the URL?
- Too good to be true – If it says you’re entitled to a prize or refund, and it sounds too good to be true, it’s likely that it is. Don’t let your emotions get the better of you.
- Don’t make a rash decision – By the same token, don’t fall for a message that evokes urgency. Take a deep breath, think it through, and take your time to determine whether it sounds legit or not.
- Double-check – If you receive a message from a company or bank, you can verify whether the text message is true or not by logging into their website through your browser. Alternatively, you can contact them directly through official channels to see whether the claims are true.
- Never give information – This advice is one of the best protection mechanisms you can follow and should be used for all text messages. Refrain from giving personal or sensitive information via SMS, regardless of who you think you’re messaging.
- Report – If you are suspicious of a text message, you can report it to the National Cyber Security Centre as a potential scam.
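The URL check described in the list above, written out as code. This is an added example, not part of the original article: `postoffice.example` is a constructed placeholder for the sender's real domain, and the test links are constructed. It treats HTTPS as required but not as proof, since an encrypted connection says nothing about who runs the site.

```python
from urllib.parse import urlsplit

# Constructed allow-list: sender name -> domains that sender really uses.
# In practice, take these from the organisation's own website or your bookmarks.
OFFICIAL_DOMAINS = {"Post Office": {"postoffice.example"}}

def assess_link(claimed_sender, url):
    """Return a list of reasons to distrust `url`; an empty list means none found."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    official = OFFICIAL_DOMAINS.get(claimed_sender, set())
    reasons = []

    # The real host is what follows '@'; anything before it is only a label.
    if parts.username is not None:
        reasons.append("text before '@' disguises the real host")
    # Internationalised hosts can imitate Latin letters with lookalikes.
    if not host.isascii() or any(
            label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised host may use lookalike characters")
    # Genuine only if the host IS the official domain or a subdomain of it;
    # the official name appearing somewhere in the host is not enough.
    if not any(host == d or host.endswith("." + d) for d in official):
        reasons.append("host is not an official domain")
        if any(d in host or d.split(".")[0] in host for d in official):
            reasons.append("official name embedded in an unrelated host")
    # HTTPS only encrypts the connection, so its absence is a warning
    # but its presence is not evidence that the site is legitimate.
    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")
    return reasons

if __name__ == "__main__":
    for link in ["https://www.postoffice.example/redelivery",
                 "http://www.postoffice.example/redelivery",
                 "https://postoffice.example.parcel-rebook.test/track",
                 "https://postoffice.example@203.0.113.7/login"]:
        print(link, "->", assess_link("Post Office", link) or "no issues found")
```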
SMS spoofing is the act of altering the sender ID on a text message. On the other hand, smishing is the act of trying to scam a victim via text message, often by getting them to click on a link and divulge sensitive information or unknowingly download malware onto their device.
The main way in which smishing is done is by first spoofing the sender ID and impersonating a friend or business. Therefore, it can be said that SMS spoofing is used in smishing, hence why both terms are often used synonymously.
However, although both SMS spoofing and smishing involve text messages and are often done with malicious intent, as we’ve mentioned in this article, there are legitimate uses for SMS spoofing, whereas smishing is entirely illegal. As such, they are not the same thing.
SMS spoofing is when the sender alters the sender ID on a text message. This is done by changing the name or number. SMS spoofing as a practice is legal, but only when it’s not being used for malicious purposes.
Examples of legal uses are if you want to protect your identity, send bulk messages, or broadcast official messages. However, SMS spoofing is most commonly used for illegal purposes, hence why it has a negative connotation. Examples are SMS phishing scams, personal attacks, money transfer requests, and drawing out confidential information.
There’s not much you can do to avoid receiving spoofed text messages. Hopefully, after reading this article, you now know the various forms in which scammers use them, how to spot them, and what you can do to prevent falling victim to them.