/ Scams

Why companies should adopt our guide to SMS Best Practice

It’s often hard to know which text messages you can trust. We’re asking businesses to adopt our SMS best practice guide to help consumers spot scam texts and have more trust in business messaging.

We all know that text message scams, known as ‘smishing‘, are a big problem for consumers. The cyber security company Proofpoint has seen nearly a 700% growth in reports of smishing in the UK in the first six months of 2021 compared with the second half of 2020.

This is driven in large by more businesses using SMS to reach their customers – and more scammers mimicking their tactics. 

At Which?, we often share warnings about the smishing texts circulating and try to help people spot these so you can protect yourself. You’ve probably noticed that lots of scam texts try to get you to follow a URL, call back a phone number or reply to the message.

They can also include language that makes you feel panicked into taking a certain action. While scammers use these techniques, unfortunately some legitimate businesses do as well. As a result, some genuine texts end up looking suspicious.

Here are a couple of examples of legitimate text messages that could be mistaken by consumers for scams:

On the left, this legitimate text from a bank uses language that sounds urgent and requests that the receiver calls back a number included in the text: techniques that can be easily imitated and adapted by scammers.

To the right, a legitimate delivery text has come from a mobile number rather than a company name, and has instead included the company in the text itself. It includes not one but two URLs to follow. Again, these are common tactics of scammers.

Our tips for SMS best practice

We want businesses to use SMS in a way that helps protect consumers from SMS scams, so we’ve developed a best practice guide (PDF) for them. 

📱 Be clear and consistent – this is so customers can become familiar with the types of messages a company sends and know what to expect.

📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.

📱 Don’t include phone numbers to call back – businesses should instead ask consumers to look up the number independently to call back.

📱 Be careful with personal information – businesses should address you by name if possible as scammers usually use generic greetings, but any other personal information (such as email addresses, account numbers, postcodes) should be at least partially redacted so that your data is not at risk if anyone else sees the message.

📱 Be careful with tone and language – it’s important that businesses don’t use language and tone that creates a sense of urgency or panic as this is what scammers do as well.

The businesses joining our call

The most common scam texts that get reported to us are pretending to be delivery companies or banks, so we’re pleased to say the following businesses from these sectors have already committed to following the points in our guide:

TSB

“We are signing up to the Which? SMS guide because we are firmly committed to tackling fraud together and to sharing industry expertise and advice to help people spot these scams. Fraud is the big consumer issue of the day, which is why we launched the UK’s only Fraud Refund Guarantee – to return our customers’ money should they ever innocently fall victim to bank fraud.

This guide provides a helpful framework for all businesses to rely on when developing customer communications and we hope it will drive continuous improvement across sectors”

Barclays

“SMS messages are a valuable channel to contact customers and provide great customer service. However, scammers will use any means possible to exploit the trust between a business and their customer and SMS messages are often used as a tool to do just this. It’s important that businesses across industries work to take these tools away from scammers by taking actions to distinguish between their SMS messages, from those of scammers, as much as possible.

We see this guide as a checklist of manageable steps businesses can take to help protect customers from being tricked by scammers, while maintaining what is a preferred method of contact for many. If all businesses followed the recommendations proposed in the guide, it would be much easier for customers to spot scam SMS messages and keep themselves safe, making SMS messages much safer as a whole”

DPD

“DPD is committed to tackling scams and working with other like-minded organisations to protect customers. As a result, we are very happy to support this Which? SMS initiative, which provides straightforward guidance for consumers and businesses.

Our long-term focus is on providing parcel recipients with a safe alternative to text and email notifications via the DPD app, which already means over 10 million users receive push notifications about their parcel, rather than texts. But we continue to raise awareness of best practice and safe links, where we still need to use traditional notifications.

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/”

Hermes

“We always advise consumers to be vigilant online and we’re committed to protecting the privacy and security of consumers and website visitors. Staying safe online can be tricky, which is why these handy guides are so important”

Our guide is also supported by a number of organisations, including Which? Conversation guests Friends Against Scams and Consumers International.

More work to be done

We want to see all UK banks and delivery companies adopting this guide, so there’s work for us to do yet.

Unfortunately, we know that scammers will keep sending fake texts out to the public. But as more businesses start following our guide, it will make it much easier for consumers to know what they can expect from legitimate messages and make the scams easier to spot.

Have you received good or bad examples of text messages from banks and delivery companies, or any other businesses?

What other sectors do you think we should target next? Let us know in the comments to help us apply pressure and get businesses to change their SMS practices.

Comments
Paul Burrowbridge says:
1 October 2021

PB: I have wondered for some time why Which? isn’t crusading for a clamp down on the scammers who are causing us all so much hassle and ruining our lives.
Which? is in a unique position to initiate a worldwide attack on scammers and fraudsters.
We are all conditioned into using passwords, codes, etc. to combat the cancer of the internet, when what we should be doing is getting to the heart of the problem, ie tracking down scammers and dealing with them once and for all, instead of being led down the ridiculous route of having to take more and more precautions at every turn.
Currently I know so little about what is being done at the heart of the problem and I hear almost nothing about caught scammers. Are there any? Let’s get all countries to round up these people – get to the crux of the crime instead of inventing temporary ways of dealing with the symptoms of it!
Tell us about what is being done to track down scammers and about punishments that are being dished out, severe enough to prevent them acting again – ever! …and disable their activities for good! Let’s name and shame these people, so that we can trust what we receive online. Rant done!

Feedback for Which;
The Which Email providing the latest information on Scams, includes a couple of “buttons” with hyperlinks within the email. Exactly the practise the latest Which newsletter is warning against ! If I log into the Which website, and use the search function, I am unable to find the latest notice regarding Scams in the website. The historic Scam notices can be found under “Which Services”, but not the latest notice. When I review and analyse the hyperlink file path (without clicking on the hyperlink), the hyperlink file path address bears no resemblance to the normal Which web address.

I would be interested in hearing a response from Which.

I have just suffered the effects of a fake text message from DHL. As I had just Tracked my delivery from Germany the last info read : “item has been picked up from depot” and immediately came off that I received a text message from “DHL” saying my delivery was on its way (or similar words) Please instal our app to track item with the link. I had NEVER done this before, because I had received many fake texts from various couriers. This one looked different, looked genuine and caught me out! This happened Sunday tea time, I knew almost immediately this was really dodgy, but could NOT access the app tried to uninstall it, but I could not. The next day I received a text message from my mobile provider, TalkMobile, with advice that some unusual activity on my account regarding many hundreds of texts being sent at one time, and to give them a call. I did and spoke to a lovely adviser who explained that the Fraud dept would give me a call to go through steps to try and sort out what has happened, within 48 hours, I waited until Wednesday morning for the call, which did not happen. I phoned them and spoke to another adviser who did not have any info on my issues and just said sim is secure carry on…! I was so upset and did not know where to turn. I finally took my phone into a PC Express shop where it still remains..the guy there has said he has never seen malware like this. I know this is ongoing I tried to inform PayPal etc but seeing as all my calls insisted on confirming via my mobile phone number with the infected malware…I have been running around like a headless chicken. No help whatsoever!

https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes

This 2 year old guidance for businesses suggests that the structure of SMS messaging is insecure, never was and was not designed as such. It is, however, an easy and wide reaching way of contacting people with mobile phones. Using it to transmit sensitive information is quite inappropriate; just use it for non-sensitive messages.

So the guidance to simply ask the customer to contact the sender is the only way to preserve security. Businesses should be required to send these free of any links and contact numbers.

As there’s no fuel shortages why are people panic buying! I’ll walk more if possible anyway to save fuel, its nothing to do with panic buying. The government and forecourts should have stepped in quickly to stop this. The media should never have reported this in the first place.