Why companies should adopt our guide to SMS Best Practice

PB: I have wondered for some time why Which? isn’t crusading for a clamp down on the scammers who are causing us all so much hassle and ruining our lives.
Which? is in a unique position to initiate a worldwide attack on scammers and fraudsters.
We are all conditioned into using passwords, codes, etc. to combat the cancer of the internet, when what we should be doing is getting to the heart of the problem, ie tracking down scammers and dealing with them once and for all, instead of being led down the ridiculous route of having to take more and more precautions at every turn.
Currently I know so little about what is being done at the heart of the problem and I hear almost nothing about caught scammers. Are there any? Let’s get all countries to round up these people – get to the crux of the crime instead of inventing temporary ways of dealing with the symptoms of it!
Tell us about what is being done to track down scammers and about punishments that are being dished out, severe enough to prevent them acting again – ever! …and disable their activities for good! Let’s name and shame these people, so that we can trust what we receive online. Rant done!

Lou says:

Feedback for Which;
The Which Email providing the latest information on Scams, includes a couple of “buttons” with hyperlinks within the email. Exactly the practise the latest Which newsletter is warning against ! If I log into the Which website, and use the search function, I am unable to find the latest notice regarding Scams in the website. The historic Scam notices can be found under “Which Services”, but not the latest notice. When I review and analyse the hyperlink file path (without clicking on the hyperlink), the hyperlink file path address bears no resemblance to the normal Which web address.

I would be interested in hearing a response from Which.

Stephanie Borthwick says:

Hi Lou. Thanks for your comment. To clarify, the guide we’ve developed for businesses is specifically for SMS communications, not email. However, you raise a good point about the hyperlinks in the emails and this is something we are aware of. You’ll notice when you hover over the links, they show an “e-activist” link. This is generated automatically as part of Engaging Networks, the software platform Which? uses to distribute our supporter emails. Quite a few organisations use Engaging Networks for similar purposes, and that we use the same software doesn’t imply any sort of affiliation. The links you’re seeing from e-activist direct people to the Which? website and allow us to understand whether people are clicking our emails so we can know whether we’re sending them information that is relevant and useful. In case you’re wondering if an email from Which? is genuine, you can check this in our Which? FAQs or our Which? Convo FAQs (under the email sections) at the following links: https://www.which.co.uk/help/faqs#headline_3; https://conversation.which.co.uk/frequently-asked-questions/#email

As for being unable to find the guide, you may have been looking for it under the latest Scam Alerts here: https://campaigns.which.co.uk/scam-alert-service/. We don’t cover every alert on this page, but it is included under ‘Latest scam news’ on our consumer rights site: https://www.which.co.uk/consumer-rights/scams#latest-news. You can also find the guide directly on our policy site: https://www.which.co.uk/policy/digital/8001/sms-best-practice.

Hope this helps.

Katy Monaghan says:

https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes

I have just suffered the effects of a fake text message from DHL. As I had just Tracked my delivery from Germany the last info read : “item has been picked up from depot” and immediately came off that I received a text message from “DHL” saying my delivery was on its way (or similar words) Please instal our app to track item with the link. I had NEVER done this before, because I had received many fake texts from various couriers. This one looked different, looked genuine and caught me out! This happened Sunday tea time, I knew almost immediately this was really dodgy, but could NOT access the app tried to uninstall it, but I could not. The next day I received a text message from my mobile provider, TalkMobile, with advice that some unusual activity on my account regarding many hundreds of texts being sent at one time, and to give them a call. I did and spoke to a lovely adviser who explained that the Fraud dept would give me a call to go through steps to try and sort out what has happened, within 48 hours, I waited until Wednesday morning for the call, which did not happen. I phoned them and spoke to another adviser who did not have any info on my issues and just said sim is secure carry on…! I was so upset and did not know where to turn. I finally took my phone into a PC Express shop where it still remains..the guy there has said he has never seen malware like this. I know this is ongoing I tried to inform PayPal etc but seeing as all my calls insisted on confirming via my mobile phone number with the infected malware…I have been running around like a headless chicken. No help whatsoever!

malcolm r says:

2 October 2021

This 2 year old guidance for businesses suggests that the structure of SMS messaging is insecure, never was and was not designed as such. It is, however, an easy and wide reaching way of contacting people with mobile phones. Using it to transmit sensitive information is quite inappropriate; just use it for non-sensitive messages.

So the guidance to simply ask the customer to contact the sender is the only way to preserve security. Businesses should be required to send these free of any links and contact numbers.

Larraine says:

3 October 2021

As there’s no fuel shortages why are people panic buying! I’ll walk more if possible anyway to save fuel, its nothing to do with panic buying. The government and forecourts should have stepped in quickly to stop this. The media should never have reported this in the first place.

GrahamRuddock says:

11 November 2021

I have another concern, which is that some companies are sending out communications that look like scams (i.e have several characteristics that the scammers use):-
1. British Gas took over my gas supply from PFP Energy. They initially send me two “welcome emails” that included my name and informed me of the change and why (but not what I would then be paying). Three weeks later, BG sent me another email saying:-
“Reset your password
Hello
We’ve received a request to set up or change your password.
You can set your new password by following this link:
Reset and access your account
If you didn’t ask to reset your password, or you are accessing your account for the first time, don’t worry, your account is still secure.”
This was laid out with their logo etc, but as you see, did not give my name, provided a link and as I did not have an account with them (nor had received any details about my new account with them), made no sense and thus looked suspicious.

2. When renewing my Broadband & Telephone account with John Lewis, they would not give me the £75 gift card in their online advertisement because I was an existing customer (who therefore did not need a router, nor the admin to change supplier). I changed my account into my wife’s name so she was then a new customer and qualified for the deal (yes, it seems you can do this! – even though our address, phone number, email, bank details and so on stayed exactly the same ). They then wanted confirmation of her acceptance of the terms of the deal and sent her an email, not from John Lewis Broadband, but from Lightico (who I had never heard of). That read as follows:-

“[Edited] just sent you a request to connect for document collaboration.
Your sales advisor has just sent you a screen share request, please click the link to connect. If you did not request this, please do not click the link and disregard this message

Press To Connect

Do Not Share This Email
This email contains a secured link to Lightico. Please do not share this email or link with others.

About Lightico
Lightico lets you collaborate with your clients in real-time, exchanging documentation, electronically sign them and even collect payment while you’re on a call with your clients. It’s safe and it’s legally binded. No matter where you or your clients are, at the office, home or on-the-go — Lightico provides a professional and trusted sales productivity tool.

Questions about this document?
If you need to modify any detail in the documents that you will exchange in this interaction please reach out to the sender by emailing or calling them directly.”

Note, the instigator has a plus.net (not JL) email address and there is one of those links again. This went on to require access to my computer and while the content that followed did refer to John Lewis, was almost illegible. I only proceeded with this because I was trying to complete what had been a long a long contract renewal process on the phone at the same time, but afterwards felt a fool.

[Moderator: we’ve edited this comment to remove an email address. Please do not post personal contact details or other personally identifiable information – this is for everyone’s privacy. For more information see the Community guidelines]

Liz Thompson says:

I have received not only emails about my account being “suspended” from banks I do not have an account with, but also allegedly from PayPal. Easily recognised by me, since I use that account regularly enough to know it isn’t true. But I also regularly get emails from computer security companies telling me my protection subscription has run out, the latest from McAfee alleging I have 23 viruses on my computer! The regularity with which I receive “reminders” is enough to demonstrate that they are scams, although the fact that I have never subscribed to them also helps! Not at all sure everyone would realise this. I’ve had DPD ones too, not many, asking for payment, and even a Royal Mail attempt (I don’t know why they wasted time on that one).

John Hodgins says:

constant phone calls claiming to be Amazon or BT

Anthony Edmund Deaves says:

I am a disabled person and I have found once firms like DPD delivery drivers get to know me,
ninety-nine percent of the time things are great the only time it goes wrong is when there is a new person cover the round. that goes for Hermes, Amazon and the other firms deliver to me.

Ken Martin says:

I use the internet but have not a moble phone so get late emails but no text.I want get an email in good time not it was delivered an hour ago!

Ken Martin says:

Banks set rules about emails and phone then make to hard use them with high cost calks long waits or information you have lost.

Aileen Harris says:

My husband and I both received messages from NHS test and trace stating that we had been in contact with someone who had tested positive for Covid. The messages had our middle name as our surname, something I have seen done on scam texts and emails and would never expect to happen with an NHS text. This was the only personal ID on the text. Additionally their website says they will call you, it doesn’t mention emails or texts. As we had not been anywhere together since we returned from holiday a week previously, had not downloaded the test & trace app, knew no one who had Covid and had taken day 2 PCR tests a few days previously it seemed obviously a scam.
After the third text however I phoned the helpline and they confirmed that it was genuine. They also said that the name switch happened regularly.
Given that Covid scams are common they need to be more careful when sending out texts and emails
And also ensure that their website is updated to show that they may contact you by text or email and what it will look like. They could also include some additional personal information such as the last part of your NHS number like banks do with account numbers

Lorcan Farrelly says:

We have recently experienced a couple of new (to us) scam type emails.

1) emails from addresses on an old school friend group, asking for a favour, and to be called back.

2) emails enclosing a voice message to be played (which we didn’t), one sent just to us, and the other with several recipients, including at least two from the old school friend list.

Richard Ernest Rattey says:

I really don’t think that companies, especially banks and finance companies are doing enough about this situation. Too often the onus is on the customer, when they have been taken in by seemingly legitimate sounding texts or e-mails and have lost money as a result. The banks try to make the customer feel stupid and that it is all their fault. I speak from personal experience here. It seems that if you, as a result of a fake text or e-mail, no matter how seemingly genuine, authorise a payment from your account, you are solely responsible for your financial loss. That to me is completely wrong and unacceptable, it is about time that this practice is looked at. it seems that there is nothing to stop a former or current employee of a bank or finance company from using their inside knowledge to con someone. When I once complained to my bank and showed the offending communication to a member of the branch staff, they told me that even they too would have been fooled. That fact still did not convince my bank that I was not an idiot for being fooled in the first place! Subsequently I was compelled in writing to close my account and transfer my money elsewhere. The banks make billions and can and should easily, collectively do far more to sort the problem. They are almost as culpable as the crooks themselves.

malcolm r says:

Richard, I agree with the part of your comment about the convincing nature of some emails and texts that lead to some customers being defrauded. But I do not see it follows that the bank must refund them if they had no way of knowing the transaction was fraudulent and all they did was obey their customer’s instructions to transfer money to another account. We can all make mistakes.

I would like some explanation as to what more the banks, and other bodies, can do to identify potential fraudsters and scams before they are perpetrated. One view as to why banks should refund money is because they have more money than those defrauded. That money is, of course, effectively their own customers and will be retrieved by higher charges on loans and lower savings interest.

However, if the banks can be shown to be negligent I would look at “refunds” differently. I would look to see the receiving bank taking responsibility as it is they who host the fraudsters’ accounts and should, maybe, take more care in who opens accountsand how those accounts are monitored for questionable activity.

John Ward says:

Richard — I agree with Malcolm that there are limitations to what it is reasonable for banks to take responsibility for. We live in a world where communication via e-mails, text messages and social media contact is regarded as trustworthy despite plenty of evidence to the contrary. As a consequence of this misplaced trust scammers are intercepting communications and pretending to be friends or relatives asking for money.

The banks should certainly educate and inform their customers about the best way to stay safe in this new uncertain and fraudulent world, and about the risks of responding to texts and e-mails without verification. I feel they should also do more to identify which customers might need additional help or protection in the management of their money. Banks should make it clear that they cannot be held liable for the loss of money if customers give transfer instructions without a simple checking process. However, I don’t think banks should accept responsibility for their customers’ negligence.

You say “seemingly genuine” but nothing is genuine until you can prove it to be so, person-to-person. If someone has a phone that can send a text they can make a phone call to inform their mother of a new number and ask for money, and then voice recognition, vocabulary and dialogue content would prove their credentials. On receipt of such a message people must stop and think – Why didn’t he or she speak to me?

We all have a responsibility to adapt to the new reality and to learn that a text, e-mail message or social media contact does not, by itself, have guaranteed reliability. There is no inherent reason to trust someone you cannot see or speak to directly at the time.

wavechange says:

If I have a debit or credit card stolen or simply lose it, my understanding is that my loss is limited to £50 providing I report the problem promptly. I have not tested this. The bank would not be responsible if had acted irresponsibly, for example by writing the PIN on the card or if I had allowed someone to use the card and PIN. I have long believed that this is rather generous protection but equally it has made me comfortable about carrying around my cards.

Neither my bank or credit card company has done anything to assess my abilities to avoid fraud yet I have the ability to transfer thousands of pounds. A great deal of fraud could be avoided if the banks – collectively – acted more responsibly. The intended subject of this discussion is the Which? Guide to SMS Best Practice. The reason that we have this Conversation is that banks are not following established best practice. The banks could have put in place what we now know as Confirmation of Payee from the start rather than simply ignoring the name of the payee, thus allowing payments to be misdirected for years. Before computer systems were in place there was the possibility of contacting our bank to request to have a cheque stopped for good reason. Now we have the ability to transfer large sums of money so quickly that it may not be recoverable, a system that facilitates fraud. It seems logical that payments to new payees should be delayed to allow time for suspected fraud to be reported to the bank and investigated before the transaction is completed. Banks should be working together to tackle crime and if customers losses are restricted to £50, as with cards, that would provide an incentive. Banks need to be able to recover money transferred to recipient banks in event of fraud.

Banks can protect themselves by restricting what their customers can do with their money, whether these are young and inexperienced people, old people with declining abilities, and anyone who has not acted responsibly in the past. As Richard has said, the banks should collectively do far more to sort out the problem.

John Ward says:

I suspect that in the final analysis this will all come down to the question of negligence and what tests are applied to justify a reimbursement claim on the banks.

It would not surprise me if the Confirmation of Payee procedure has dramatically reduced the Authorised Push Payment [Payment Diversion] scam but, with many banks, and presumably all or most foreign ones, outside the scheme, significant risks remain.

It is possible that some people do not read the warnings on the transfer instruction pro forma and do not take any notice of a statement that there is not a match between the payee’s name and the account number specified for the payment. If people press the ‘continue’ button the deed is done. I don’t know what can be done about that other than, in the case of new payees, to have a mandatory stay of execution of the transfer, but even that is not guaranteed to lead to a cancellation unless there is direct communication between the bank and their customer.

I do not know what happens if the customer over-rides a mismatch warning and proceeds with the payment transfer anyway. I feel there should be a bold red warning on the screen and a bank message to say they will not process the transfer until the customer has telephoned to confirm it. That would be in the bank’s interest as much the customer’s.

wavechange says:

I don’t expect we will be given full details of how claims are handled, John. This information could help those of us who are interested in the subject but also aid exploitation by fraudsters.

I do not understand why it is possible to proceed with a transaction when CoP shows ‘no match’ with the payees name. Why not require the customer to contact their bank rather than allowing the customer to ignore the warnings?

After Ian commented on problems with CoP, I spoke to friends and they have had problems too.

If, as you say, CoP is not possible with foreign banks then that needs to be addressed. The customer still needs to be protected from being the victim of crime.

A great deal has been said about negligence of customers and perhaps attention should now focus on the failings of the banking system. I have no personal grouse against my bank or others but feel that we are very much let down by the banking system.

malcolm r says:

Responsibility rests with customers as well as banks.

Confirmation of Payee has been discussed ad infinitum inclding why it might not have been introduced earlier and why not all banks are included, although Phase 2 should deal with that. See other Convos.

It would be useful if informed proposals were sumnarised from time to time that would advance protection rather than continually blaming banks, or anyone else.

Restricted account facilities have been suggested a number of times to protect those less capable from making expensive mistakes.

I think no communications in this context -SMS or text – should include links or phone numbers. Just point the customer to the official site.

As far as “standardised” SMS formats are concerned I would have thought fraudsters would simply adopt the same style, wouldn’t tbey?

wavechange says:

I wonder if there is a case for eliminating links from SMS messages. DerekP has pointed out that they are convenient for resetting passwords but many organisations avoid using links for this purpose.

Ian says:

wavechange says: Today 12:06

This is actually what I had to do, simply because I wasn’t prepared to override the COP warnings. But what’s interesting is that the banks actively promote one of the advantages of switching to them is faster payments between banks.

For me, anyway, the answer is simple: the banks are made responsible for all fraudulent APPs unless they can definitively prove their own systems were in perfect working order and the customer was adequately warned.

wavechange says:

I agree, Ian, but I want to see the banking system run in a way that allows all payments to fraudulent accounts to be recoverable by reverse payment – from the receiving bank to the customer’s bank. In my view, rapid payments seem to have facilitated fraud by removing the time needed to report and cancel any transaction if it would be fraudulent.

I have given the example of customers liability being limited to £50 if they lose their providing that they do not contribute to fraud by divulging their PIN or delay reporting the loss. If we buy products online, we are legally entitled to return them for a refund without having to provide a reason. I don’t see complaints that this is unfair on the companies ‘that have done nothing wrong’ to borrow a phrase. I have only done this once and that was when a company contacted me to substantially delay a delivery without even asking whether the new date was acceptable.

malcolm r says:

Online returns are permitted because you have not had the opportunity to
examine the product, so it is effectively on approval. That is not, I suggest, the same as instructing your bank to carry out their obligation to transfer your money.

In principle, as I and some others have repeatedly suggested, I think the payee’s bank should refund not the payer’s. I would like to see informed input as to the possibilities and difficulties of this.

But tbis Convo is about SMS Best Practice. Perhaps a discussion of the banking system should be moved to another Convo?
https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/

Ian says:

malcolm r says: Today 14:21

Online returns are permitted because you have not had the opportunity to examine the product, so it is effectively on approval. That is not, I suggest, the same as instructing your bank to carry out their obligation to transfer your money.

Perhaps strictly speaking, not; but it does place more responsibility on the retailer than the customer. I wrote a topic some time ago in which I highlighted the behaviour of some less scrupulous retailers. In that instance it became very clear that some retailers wield an arrogance in respect of their customers, which would leave those same customers unable to respond were it not for the current legislation, much of which was pioneered by Which?.

wavechange says:

I am not arguing against the legislation that allows us to return unwanted products or the protection offered to holders of debit and credit cards, but these privileges are obviously paid for by all customers. Banks have obligations under the current CRM Code and Which? has found that claims are treated differently by different banks, demonstrating the need for legislation. The solution is for the banks to work together and ensure that payments to accounts run by scammers etc. are returned promptly to the customers’ banks. In my view, the CRM Code provides an incentive to tackle the problem.

Perhaps it is debatable whether we should be arguing for diminished consumer protection and leave that up to the companies. That would be a good topic for discussion elsewhere.

Colin says:

6 December 2021

Maybe there is something I don’t understand, but it seems to me that where money has been electronically transferred to a fraudster’s account, the bank hosting this account is more than culpable. At somer point in time they will have allowed the fraudster to open an account without fully verifying who they are hence allowing the banking system to act as a conduit for illegal money transfer. I can understand that a major difficulty in detecting fraudsters lies in their hiding behind stolen identities and hence in actually identifying who they are. But surely, in this age of technology, it must be possible for an individual’s true identity to be verified beyond any doubt using, for example, previously recorded personal information such as passport details, National Insurance number, NHS number, etc, etc, and surely here the banks have an ideal opportunity to fight crime.

wavechange says:

I agree, Colin. In my view, the fraudster’s bank should be responsible for returning the stolen money even if they were not aware that the account was going to be used for fraud. When this is not done it makes fraud worthwhile. Nowadays, transfer of money between banks is fast and introducing a mandatory delay would provide time for suspected scams to be reported and investigated before the transaction was completed, so that the payment can be blocked. That would only be necessary for payments to new payees and not ones we have used before.

Fraud is lucrative and the banks can work together to help prevent it.

malcolm r says:

I agree Colin that if a bank has opened an account without reasonably checking the applicant’s credentials then, if that account has been used to perpetrate a fraud the bank should be held liable.

However if they have made all reasonable checks, or if, as has been reported, legitimately-opened accounts are sold to criminals ( e.g by foreign students returning abroad) and the bank could have had no knowledge of this, then they should not be held legally liable.

I have asked to see information as to whether any particular banks are more prone to hosting fraudsters accounts than others; that might help focus attention on any lax checking procedures.

I see no logical justification for expecting a bank that has done everything correctly to return money that turns out to have been obtained by a fraudster. There may be an emotive reason, usually that banks have lots of money (mostly belonging to you and me as depositors, of course) and can therefore easily afford to make a sympathy repayment. Or that there are (unspecified) actions they should have taken. I think the latter is valid if their individual and collective systems could be shown to have been defective and could practically be improved; the threat of being held financially responsible should, if that were the case, incentivise action.

Many proposals have been made in Convos about how we could better tackle consumer detriment. It would be worthwhile summarising them so a better picture could be appreciated.

As this particular Convo is about SMS messaging these comments might be better moved elsewhere. However, we frequently see links in SMS messages from all kinds of sources and I, for one, rarely use them but go directly to the source. In many cases that is probably over cautious prompted by publicity, but no bad thing. Certainly I believe any financial provider should not use them in SMS but simply ask the recipient to access their account or the providers website in the normal way.

wavechange says:

I had already copied Colin’s comments to another Conversation, Malcolm: https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1641892

wavechange says:

Malcolm wrote: “However, we frequently see links in SMS messages from all kinds of sources and I, for one, rarely use them but go directly to the source. In many cases that is probably over cautious prompted by publicity, but no bad thing. Certainly I believe any financial provider should not use them in SMS but simply ask the recipient to access their account or the providers website in the normal way.”

We and others have suggested that it would be best for responsible organisations not to include links in text messages, now that they are widely used to support fraud. Undoubtedly they are convenient but is the risk too high? Perhaps Which? could look into this. Do we really need links in text messages at all?

John Ward says:

I happen to think that no official business should be conducted through the medium of text messages.

Once we let businesses know our mobile phone numbers we become prey. We alone can stop it by our own actions.

I am sure many will give reasons why my comment is impractical but it works for me.

wavechange says: