/ Scams

Why companies should adopt our guide to SMS Best Practice

48
Profile photo of Stephanie Borthwick Stephanie Borthwick Senior Policy Adviser
Comments 48

It’s often hard to know which text messages you can trust. We’re asking businesses to adopt our SMS best practice guide to help consumers spot scam texts and have more trust in business messaging.

We all know that text message scams, known as ‘smishing‘, are a big problem for consumers. The cyber security company Proofpoint has seen nearly a 700% growth in reports of smishing in the UK in the first six months of 2021 compared with the second half of 2020.

This is driven in large by more businesses using SMS to reach their customers – and more scammers mimicking their tactics. 

At Which?, we often share warnings about the smishing texts circulating and try to help people spot these so you can protect yourself. You’ve probably noticed that lots of scam texts try to get you to follow a URL, call back a phone number or reply to the message.

They can also include language that makes you feel panicked into taking a certain action. While scammers use these techniques, unfortunately some legitimate businesses do as well. As a result, some genuine texts end up looking suspicious.

Here are a couple of examples of legitimate text messages that could be mistaken by consumers for scams:

On the left, this legitimate text from a bank uses language that sounds urgent and requests that the receiver calls back a number included in the text: techniques that can be easily imitated and adapted by scammers.

To the right, a legitimate delivery text has come from a mobile number rather than a company name, and has instead included the company in the text itself. It includes not one but two URLs to follow. Again, these are common tactics of scammers.

Our tips for SMS best practice

We want businesses to use SMS in a way that helps protect consumers from SMS scams, so we’ve developed a best practice guide (PDF) for them. 

📱 Be clear and consistent – this is so customers can become familiar with the types of messages a company sends and know what to expect.

📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.

📱 Don’t include phone numbers to call back – businesses should instead ask consumers to look up the number independently to call back.

📱 Be careful with personal information – businesses should address you by name if possible as scammers usually use generic greetings, but any other personal information (such as email addresses, account numbers, postcodes) should be at least partially redacted so that your data is not at risk if anyone else sees the message.

📱 Be careful with tone and language – it’s important that businesses don’t use language and tone that creates a sense of urgency or panic as this is what scammers do as well.

Take a look at our full SMS Best Practice guide here

The businesses joining our call

The most common scam texts that get reported to us are pretending to be delivery companies or banks, so we’re pleased to say the following businesses from these sectors have already committed to following the points in our guide:

TSB

“We are signing up to the Which? SMS guide because we are firmly committed to tackling fraud together and to sharing industry expertise and advice to help people spot these scams. Fraud is the big consumer issue of the day, which is why we launched the UK’s only Fraud Refund Guarantee – to return our customers’ money should they ever innocently fall victim to bank fraud.

This guide provides a helpful framework for all businesses to rely on when developing customer communications and we hope it will drive continuous improvement across sectors”

Barclays

“SMS messages are a valuable channel to contact customers and provide great customer service. However, scammers will use any means possible to exploit the trust between a business and their customer and SMS messages are often used as a tool to do just this. It’s important that businesses across industries work to take these tools away from scammers by taking actions to distinguish between their SMS messages, from those of scammers, as much as possible.

We see this guide as a checklist of manageable steps businesses can take to help protect customers from being tricked by scammers, while maintaining what is a preferred method of contact for many. If all businesses followed the recommendations proposed in the guide, it would be much easier for customers to spot scam SMS messages and keep themselves safe, making SMS messages much safer as a whole”

DPD

“DPD is committed to tackling scams and working with other like-minded organisations to protect customers. As a result, we are very happy to support this Which? SMS initiative, which provides straightforward guidance for consumers and businesses.

Our long-term focus is on providing parcel recipients with a safe alternative to text and email notifications via the DPD app, which already means over 10 million users receive push notifications about their parcel, rather than texts. But we continue to raise awareness of best practice and safe links, where we still need to use traditional notifications.

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/”

Hermes

“We always advise consumers to be vigilant online and we’re committed to protecting the privacy and security of consumers and website visitors. Staying safe online can be tricky, which is why these handy guides are so important”

Our guide is also supported by a number of organisations, including Which? Conversation guests Friends Against Scams and Consumers International.

More work to be done

We want to see all UK banks and delivery companies adopting this guide, so there’s work for us to do yet.

Unfortunately, we know that scammers will keep sending fake texts out to the public. But as more businesses start following our guide, it will make it much easier for consumers to know what they can expect from legitimate messages and make the scams easier to spot.

Have you received good or bad examples of text messages from banks and delivery companies, or any other businesses?

What other sectors do you think we should target next? Let us know in the comments to help us apply pressure and get businesses to change their SMS practices.

Comments
48
Paul Burrowbridge says:
1 October 2021

PB: I have wondered for some time why Which? isn’t crusading for a clamp down on the scammers who are causing us all so much hassle and ruining our lives.
Which? is in a unique position to initiate a worldwide attack on scammers and fraudsters.
We are all conditioned into using passwords, codes, etc. to combat the cancer of the internet, when what we should be doing is getting to the heart of the problem, ie tracking down scammers and dealing with them once and for all, instead of being led down the ridiculous route of having to take more and more precautions at every turn.
Currently I know so little about what is being done at the heart of the problem and I hear almost nothing about caught scammers. Are there any? Let’s get all countries to round up these people – get to the crux of the crime instead of inventing temporary ways of dealing with the symptoms of it!
Tell us about what is being done to track down scammers and about punishments that are being dished out, severe enough to prevent them acting again – ever! …and disable their activities for good! Let’s name and shame these people, so that we can trust what we receive online. Rant done!

0
Vote up  |  Vote down
Share
ReportReply
Lou says:
1 October 2021

Feedback for Which;
The Which Email providing the latest information on Scams, includes a couple of “buttons” with hyperlinks within the email. Exactly the practise the latest Which newsletter is warning against ! If I log into the Which website, and use the search function, I am unable to find the latest notice regarding Scams in the website. The historic Scam notices can be found under “Which Services”, but not the latest notice. When I review and analyse the hyperlink file path (without clicking on the hyperlink), the hyperlink file path address bears no resemblance to the normal Which web address.

I would be interested in hearing a response from Which.

0
Vote up  |  Vote down
Share
ReportReply
Stephanie Borthwick says:
1 October 2021

Hi Lou. Thanks for your comment. To clarify, the guide we’ve developed for businesses is specifically for SMS communications, not email. However, you raise a good point about the hyperlinks in the emails and this is something we are aware of. You’ll notice when you hover over the links, they show an “e-activist” link. This is generated automatically as part of Engaging Networks, the software platform Which? uses to distribute our supporter emails. Quite a few organisations use Engaging Networks for similar purposes, and that we use the same software doesn’t imply any sort of affiliation. The links you’re seeing from e-activist direct people to the Which? website and allow us to understand whether people are clicking our emails so we can know whether we’re sending them information that is relevant and useful. In case you’re wondering if an email from Which? is genuine, you can check this in our Which? FAQs or our Which? Convo FAQs (under the email sections) at the following links: https://www.which.co.uk/help/faqs#headline_3; https://conversation.which.co.uk/frequently-asked-questions/#email

As for being unable to find the guide, you may have been looking for it under the latest Scam Alerts here: https://campaigns.which.co.uk/scam-alert-service/. We don’t cover every alert on this page, but it is included under ‘Latest scam news’ on our consumer rights site: https://www.which.co.uk/consumer-rights/scams#latest-news. You can also find the guide directly on our policy site: https://www.which.co.uk/policy/digital/8001/sms-best-practice.

Hope this helps.

0
Vote up  |  Vote down
Share
ReportReply
Katy Monaghan says:
1 October 2021

I have just suffered the effects of a fake text message from DHL. As I had just Tracked my delivery from Germany the last info read : “item has been picked up from depot” and immediately came off that I received a text message from “DHL” saying my delivery was on its way (or similar words) Please instal our app to track item with the link. I had NEVER done this before, because I had received many fake texts from various couriers. This one looked different, looked genuine and caught me out! This happened Sunday tea time, I knew almost immediately this was really dodgy, but could NOT access the app tried to uninstall it, but I could not. The next day I received a text message from my mobile provider, TalkMobile, with advice that some unusual activity on my account regarding many hundreds of texts being sent at one time, and to give them a call. I did and spoke to a lovely adviser who explained that the Fraud dept would give me a call to go through steps to try and sort out what has happened, within 48 hours, I waited until Wednesday morning for the call, which did not happen. I phoned them and spoke to another adviser who did not have any info on my issues and just said sim is secure carry on…! I was so upset and did not know where to turn. I finally took my phone into a PC Express shop where it still remains..the guy there has said he has never seen malware like this. I know this is ongoing I tried to inform PayPal etc but seeing as all my calls insisted on confirming via my mobile phone number with the infected malware…I have been running around like a headless chicken. No help whatsoever!

0
Vote up  |  Vote down
Share
ReportReply
malcolm r says:
2 October 2021

https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes

This 2 year old guidance for businesses suggests that the structure of SMS messaging is insecure, never was and was not designed as such. It is, however, an easy and wide reaching way of contacting people with mobile phones. Using it to transmit sensitive information is quite inappropriate; just use it for non-sensitive messages.

So the guidance to simply ask the customer to contact the sender is the only way to preserve security. Businesses should be required to send these free of any links and contact numbers.

0
Vote up  |  Vote down
Share
ReportReply
Larraine says:
3 October 2021

As there’s no fuel shortages why are people panic buying! I’ll walk more if possible anyway to save fuel, its nothing to do with panic buying. The government and forecourts should have stepped in quickly to stop this. The media should never have reported this in the first place.

0
Vote up  |  Vote down
Share
ReportReply
GrahamRuddock says:
11 November 2021

I have another concern, which is that some companies are sending out communications that look like scams (i.e have several characteristics that the scammers use):-
1. British Gas took over my gas supply from PFP Energy. They initially send me two “welcome emails” that included my name and informed me of the change and why (but not what I would then be paying). Three weeks later, BG sent me another email saying:-
“Reset your password
Hello
We’ve received a request to set up or change your password.
You can set your new password by following this link:
Reset and access your account
If you didn’t ask to reset your password, or you are accessing your account for the first time, don’t worry, your account is still secure.”
This was laid out with their logo etc, but as you see, did not give my name, provided a link and as I did not have an account with them (nor had received any details about my new account with them), made no sense and thus looked suspicious.

2. When renewing my Broadband & Telephone account with John Lewis, they would not give me the £75 gift card in their online advertisement because I was an existing customer (who therefore did not need a router, nor the admin to change supplier). I changed my account into my wife’s name so she was then a new customer and qualified for the deal (yes, it seems you can do this! – even though our address, phone number, email, bank details and so on stayed exactly the same ). They then wanted confirmation of her acceptance of the terms of the deal and sent her an email, not from John Lewis Broadband, but from Lightico (who I had never heard of). That read as follows:-

“[Edited] just sent you a request to connect for document collaboration.
Your sales advisor has just sent you a screen share request, please click the link to connect. If you did not request this, please do not click the link and disregard this message

Press To Connect

Do Not Share This Email
This email contains a secured link to Lightico. Please do not share this email or link with others.

About Lightico
Lightico lets you collaborate with your clients in real-time, exchanging documentation, electronically sign them and even collect payment while you’re on a call with your clients. It’s safe and it’s legally binded. No matter where you or your clients are, at the office, home or on-the-go — Lightico provides a professional and trusted sales productivity tool.

Questions about this document?
If you need to modify any detail in the documents that you will exchange in this interaction please reach out to the sender by emailing or calling them directly.”

Note, the instigator has a plus.net (not JL) email address and there is one of those links again. This went on to require access to my computer and while the content that followed did refer to John Lewis, was almost illegible. I only proceeded with this because I was trying to complete what had been a long a long contract renewal process on the phone at the same time, but afterwards felt a fool.

[Moderator: we’ve edited this comment to remove an email address. Please do not post personal contact details or other personally identifiable information – this is for everyone’s privacy. For more information see the Community guidelines]

0
Vote up  |  Vote down
Share
ReportReply
 

Related discussions