Coronavirus: Banking and mobile sectors collaborate to stop text scams

The UK’s banking and finance sector has linked up with the mobile industry in a new bid to block scam text messages exploiting the Covid-19 coronavirus pandemic from reaching their targets, and make sure legitimate messages get through.

The initiative is a project of the Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance, with support and assistance from the National Cyber Security Centre (NCSC). It builds on the recent success of a pilot conducted by HM Revenue & Customs (HMRC) which saw a 90% cut in reports of HMRC-branded text scams.

It aims to protect 50 genuine brands and government organisations from being impersonated by cyber criminals, and has already compiled a blocklist of 400 unauthorised sender IDs to prevent them from being used to mimic such organisations – 70 of them are related to Covid-19 specifically.

“We are pleased to be supporting this experiment, which is yielding promising results,” said NCSC technical director Ian Levy. “The UK government’s recent mass-text campaign on Covid-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kind of scams.”

Scam texts such as the ones referred to by Levy – which include an example seen by Computer Weekly in which recipients were informed that they had been seen leaving their homes more frequently than the lockdown regulations permit and would therefore by fined by the police – are frequently spoofed to make them seem more convincing.

Criminals can, for example, change the sender ID that appears at the top of a text message to mimic a genuine organisation. In the case of texts exploiting the UK government response to coronavirus, these have been sent using +Gov_UK instead of the genuine UK_Gov.

It is also possible to copy genuine sender IDs, making a fake message pop up in a chain of texts alongside genuine messages from the legitimate sender.

In the new initiative, the MEF has introduced a white list that allows legitimate organisations to register and protect their sender IDs, which limits cyber criminals’ ability to send text messages using the same sender ID. At the time of writing, 172 trusted sender IDs have been registered.

“All stakeholders involved in business messaging have a responsibility to follow industry best practice and proactively work together to be one step ahead of the fraudsters,” said Joanne Lacey, COO at the MEF. “The SMS SenderID Protection Registry is a tactical solution to mitigate smishing and spoofing, backed by MEF’s A2P SMS code of conduct.

“Through the registry, the industry has been able to support the UK government’s campaign and demonstrate the vital role of messaging, not least in times of emergency and crisis.”

Mobile UK policy and communications head Gareth Elliott added: “Mobile companies work hard to protect their customers from fraud and the contribution from the industry to the registry will help reduce the number of scam texts pretending to be from trusted brands. This gives much-needed protection against fraud, including for the most vulnerable customers.”

Katy Worobec, managing director of economic crime at UK Finance, said that in spite of the new initiative, it was still incumbent on end-users to some extent to be on their guard against cyber criminals exploiting the pandemic to commit fraud.

“Always follow the advice of the Take Five to Stop Fraud campaign and avoid clicking on links in any unsolicited text messages in case it’s a scam,” she said. “Remember, you can report suspicious texts by forwarding the original message to 7726, which spells SPAM on your keypad.”