Mobile devices have shaped the way we communicate in unprecedented fashion. The small form factor and ease of portability of mobile devices keep us constantly connected wherever we may be. This benefit is not being lost on consumers. According to the International Telecommunication Union, there are now over six billion global mobile subscribers for an average global penetration rate of 87%. Counter to logic, phone calls aren’t the primary communication taking place on mobile devices — instead it is SMS text messaging. In total, mobile subscribers send in excess of 200,000 SMS text messages every second, according to the ITU.
SMS text messaging offers important benefits over phone or email. The ease and convenience of texting enables its use in nearly every environment without disrupting those around you. SMS texting also leads to near-instantaneous response from recipients. Indeed, SMS marketers claim that SMS message open rates are higher than 90%, with messages opened within 15 minutes of receipt. Contrast that with the open rate in email of only 20-25% within 24 hours of receipt.
In today’s mobile-centric world, companies are also increasingly using SMS to interact with their customers. Banks are entrusting Mobile Network Operators (MNOs) with the delivery of payment authorization confirmations and other financial updates; doctors, dentists and hairdressers use SMS to send appointment confirmations and reminders; and restaurants are adopting it so diners can track wait times. With any interaction, trust is a factor and it appears that most consumers do consider SMS to be a safe and trusted channel of communication.
Unfortunately, always-on communications, inherent trust in the channel, high open rates, and six billion subscribers are not lost on those with ill intent. Just as SMS provides a successful avenue for legitimate businesses to correspond with their customers, those hoping for illicit profits are also trying to cash in.
Spam is defined as indiscriminate unsolicited messages sent in bulk without opt-in or authorization of the recipient. Spam is ubiquitous and appears in many forms, including email, blog comments, forums, and even poisoned search results. Increasingly, however, spammers are turning to SMS as a means to reach recipients and elicit illicit revenue. As a result, the number of unique SMS spam campaigns quadrupled in the first half of 2012 and the overall rate of receipt grew by 300% from 2011 to 2012.
The majority of SMS spam falls into the category of scam or fraud, defined as a campaign to entice the recipient into taking some action that unwittingly results in information disclosure or financial loss. Cloudmark analysis reveals that as much as 92% of SMS spam falls into the scam/fraud category. Social engineering factors heavily in scam and fraud campaigns and, as a result, the exact pitch, or hook, used by the scammer varies by geographical region.
As an example, scams offering free Walmart or Best Buy gift cards abound in the U.S. where the Walmart and Best Buy chains are prevalent and well known. Conversely, SMS recipients in the U.K. are more likely to receive scams that use PPI compensation or accident claims as the primary hook. Following are examples of the types of concentrated SMS spam abuse experienced in the U.S. and the U.K. in May 2012.
Scammers seldom work alone. Just as legitimate companies engage in third-party partnerships to facilitate their business needs, scammers likewise leverage complex layers of affiliate relations. As a result, the typical SMS text scam is seldom single-purposed; rather, each click-through or response from the recipient leads to another possible angle to the scam.
For example, a free gift card spam may begin with “just” a survey. However, not only is personal information collected (and sold in aggregate), but the often obscured terms of service for the survey spell out insidious actions such as the inability to cancel the account or an unwitting agreement to send SMS texts to premium rate numbers.
Additionally, the ‘free’ offer often requires the participant pay a variety of fees in order to continue progressing towards the final ‘giveaway’ – to the point that even if actual merchandise is ever ‘won’, the participant has at that point spent more in upfront fees and unanticipated SMS charges than the actual merchandise is worth.
In Australia, the courts recently convicted a fraudster who conned subscribers into making AUS $4m worth of premium rate calls using a fake dating service scam. 1.8 million SMS messages were sent, giving a return of AUS $2.40 per message.
In many western countries, mobile subscribers view unsolicited messages via SMS as an intrusion of their privacy. Their mobile device often contains their most personal information – contacts, photos and, perhaps most importantly, private text messages. Receiving unsolicited and potentially malicious messages often incenses subscribers, compelling them to call their MNO to complain.
Consumers are increasingly opting into mobile services that use SMS as a messaging channel. However, if SMS spam levels in western countries rise to the level experienced in Asia (where as much as 50% of all SMS messages are spam), then subscribers will have difficulty in determining which messages are genuine and may stop responding to any of the SMS messages they receive.
At best, SMS spam is an occasional irritation to the subscriber. At worst, it can cause a significant financial impact, with bank accounts compromised and premium rate services charged to a subscriber’s bill.
By safeguarding the network against SMS spam, mobile operators can increase subscriber confidence, reduce bandwidth consumption, and protect legitimate marketing and business use of mobile devices.
To achieve this goal and counter the rise of SMS spam, the GSMA and Cloudmark collaborated to create the GSMA Spam Reporting Service (SRS), a global initiative that enables subscribers to forward SMS spam to their mobile network provider. The MNO automatically forwards the reported message to the GSMA service where it is analyzed using Cloudmark’s advanced message fingerprinting technology. The data is then corroborated and an analysis of attacks within the reporting MNO’s network is produced. The MNO can then use this information in their policy management and filtering systems to address the spam in their network.
Collaboration is also key. To counter the global SMS spam problem, MNOs should collaborate as an industry and share details of attacks, enabling all operators to take the appropriate action. SRS provides detailed reporting capabilities that facilitate knowledge sharing both internally and, if desired, externally with partners.
Cloudmark is the most trusted leader in security, protecting traffic, data and infrastructure for service providers, enterprises and consumers worldwide. Cloudmark’s patented solutions deliver immediate, adaptive and predictive protection from ever-evolving network threats with proven, carrier-grade scalability and operability, assuring business continuity while lowering infrastructure costs. Cloudmark leverages big data analytics from locally collected data and from our Global Threat Network—the world’s most comprehensive repository of global threat intelligence. Cloudmark protects more than 120 tier-one customers and 70,000 enterprise customers through partners, including Cisco, McAfee, and Microsoft. Key customers include AT&T, Verizon, Swisscom, Comcast, Cox and NTT and more than 1 billion subscribers worldwide.