Why companies should adopt our guide to SMS Best Practice

It’s often hard to know which text messages you can trust. We’re asking businesses to adopt our SMS best practice guide to help consumers spot scam texts and have more trust in business messaging.

10/12/21: Update

It’s important that businesses protect their customers from scams. We’re continuing to engage with lots of businesses and sectors on adopting our SMS best practice guide, including supermarkets, energy companies and PayPal amongst others.

Thank you to supporters who have been sharing examples of businesses that are frequently spoofed by scammers or have poor SMS practice. You can continue to share examples of business messages by emailing smsguide@which.co.uk, or share scam text messages with us via our Scam Sharer tool.

14/09/21: Our Best Practice Guide

We all know that text message scams, known as ‘smishing’, are a big problem for consumers. The cyber security company Proofpoint has seen nearly a 700% growth in reports of smishing in the UK in the first six months of 2021 compared with the second half of 2020.

This is driven in large part by more businesses using SMS to reach their customers – and more scammers mimicking their tactics.

At Which?, we often share warnings about the smishing texts circulating and try to help people spot these so you can protect yourself. You’ve probably noticed that lots of scam texts try to get you to follow a URL, call back a phone number or reply to the message.

They can also include language that makes you feel panicked into taking a certain action. While scammers use these techniques, unfortunately some legitimate businesses do as well. As a result, some genuine texts end up looking suspicious.

Here are a couple of examples of legitimate text messages that could be mistaken by consumers for scams:

On the left, this legitimate text from a bank uses language that sounds urgent and requests that the receiver calls back a number included in the text: techniques that can be easily imitated and adapted by scammers.

To the right, a legitimate delivery text has come from a mobile number rather than a company name, and has instead included the company in the text itself. It includes not one but two URLs to follow. Again, these are common tactics of scammers.

Our tips for SMS best practice

We want businesses to use SMS in a way that helps protect consumers from SMS scams, so we’ve developed a best practice guide (PDF) for them. 

📱 Be clear and consistent – this is so customers can become familiar with the types of messages a company sends and know what to expect.

📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.

📱 Don’t include phone numbers to call back – businesses should instead ask consumers to look up the number independently to call back.

📱 Be careful with personal information – businesses should address you by name if possible as scammers usually use generic greetings, but any other personal information (such as email addresses, account numbers, postcodes) should be at least partially redacted so that your data is not at risk if anyone else sees the message.

📱 Be careful with tone and language – it’s important that businesses don’t use language and tone that creates a sense of urgency or panic as this is what scammers do as well.
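
As an added illustration (not part of the Which? guide or the original article), the tips above can be applied as a pre-send check on a business's outbound texts, with the sender-name point taken from the delivery example earlier in the article. The sender ID, link host, pressure wordlist and sample messages below are constructed assumptions for an imaginary business.

```python
import re
from urllib.parse import urlsplit

# Hypothetical sender policy for an imaginary business, "Example Parcels".
POLICY = {
    "sender_id": "ExParcels",                      # the one sender name customers see
    "link_hosts": {"www.exampleparcels.example"},  # the only link host it publishes
}
# Assumed wordlist: the guide names the problem (urgency, panic), not the words.
PRESSURE_TERMS = ("urgent", "immediately", "act now", "final notice", "suspended")

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I)
PHONE_RE = re.compile(r"(?<![\w*])(?:\+|0)\d(?:[ -]?\d){8,12}(?!\w)")
PII_RES = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "account-length number": re.compile(r"(?<![\w*+])\d{8,}(?!\w)"),
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
}
GENERIC_GREETING_RE = re.compile(
    r"^\s*(?:dear|hi|hello)\s+(?:customer|user|sir|madam)\b", re.I)


def link_host(url):
    """Return the host a link really points at; text before an '@' is not the host."""
    url = url.rstrip(".,;:!?)")
    if not re.match(r"https?://", url, re.I):
        url = "https://" + url
    return urlsplit(url).hostname or ""


def lint_sms(sender, text, policy=POLICY):
    """Return (rule, detail) findings; an empty list means the message passes."""
    findings = []
    if sender != policy["sender_id"]:
        findings.append(("sender", f"sent as {sender!r}, not {policy['sender_id']!r}"))
    for m in URL_RE.finditer(text):
        host = link_host(m.group())
        if host not in policy["link_hosts"]:   # exact match, never a substring test
            findings.append(("link", f"host {host!r} is not a published host"))
    without_links = URL_RE.sub(" ", text)      # digits inside links are not phone numbers
    for m in PHONE_RE.finditer(without_links):
        findings.append(("phone", f"call-back number {m.group()!r}"))
    for label, rx in PII_RES.items():
        for m in rx.finditer(without_links):
            findings.append(("personal-data", f"unredacted {label} {m.group()!r}"))
    if GENERIC_GREETING_RE.search(text):
        findings.append(("greeting", "generic greeting instead of the customer's name"))
    lowered = text.lower()
    for term in PRESSURE_TERMS:
        if term in lowered:
            findings.append(("tone", f"pressure wording {term!r}"))
    return findings


# Constructed sample messages (sender, text); phone numbers are from reserved
# drama-use ranges and every domain uses the reserved .example/.net test names.
GOOD = ("ExParcels",
        "Hi Sam, your Example Parcels delivery is due Tuesday between 2pm and 4pm. "
        "Track it in our app or at www.exampleparcels.example/track. "
        "Account ending ****5678.")
BAD_BANK_STYLE = ("ExParcels",
                  "Dear customer, URGENT: we need to speak to you about account "
                  "12345678. Call 01632 960123 immediately.")
BAD_DELIVERY_STYLE = ("+447700900123",
                      "Example Parcels: your parcel is out for delivery. Track at "
                      "www.exampleparcels.example/t/123 or manage it at "
                      "https://trk.example.net/ab12")

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("bank-style", BAD_BANK_STYLE),
                      ("delivery-style", BAD_DELIVERY_STYLE)):
        print(name, lint_sms(*msg))
```

The two failing samples mirror the legitimate-but-suspicious messages described earlier in the article: urgent wording with a call-back number, and a text sent from a mobile number carrying two links.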

The businesses joining our call

The most common scam texts that get reported to us are pretending to be delivery companies or banks, so we’re pleased to say the following businesses from these sectors have already committed to following the points in our guide:

TSB

“We are signing up to the Which? SMS guide because we are firmly committed to tackling fraud together and to sharing industry expertise and advice to help people spot these scams. Fraud is the big consumer issue of the day, which is why we launched the UK’s only Fraud Refund Guarantee – to return our customers’ money should they ever innocently fall victim to bank fraud.

This guide provides a helpful framework for all businesses to rely on when developing customer communications and we hope it will drive continuous improvement across sectors”

Barclays

“SMS messages are a valuable channel to contact customers and provide great customer service. However, scammers will use any means possible to exploit the trust between a business and their customer and SMS messages are often used as a tool to do just this. It’s important that businesses across industries work to take these tools away from scammers by taking actions to distinguish between their SMS messages, from those of scammers, as much as possible.

We see this guide as a checklist of manageable steps businesses can take to help protect customers from being tricked by scammers, while maintaining what is a preferred method of contact for many. If all businesses followed the recommendations proposed in the guide, it would be much easier for customers to spot scam SMS messages and keep themselves safe, making SMS messages much safer as a whole”

DPD

“DPD is committed to tackling scams and working with other like-minded organisations to protect customers. As a result, we are very happy to support this Which? SMS initiative, which provides straightforward guidance for consumers and businesses.

Our long-term focus is on providing parcel recipients with a safe alternative to text and email notifications via the DPD app, which already means over 10 million users receive push notifications about their parcel, rather than texts. But we continue to raise awareness of best practice and safe links, where we still need to use traditional notifications.

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/”

Hermes

“We always advise consumers to be vigilant online and we’re committed to protecting the privacy and security of consumers and website visitors. Staying safe online can be tricky, which is why these handy guides are so important”

Our guide is also supported by a number of organisations, including Which? Conversation guests Friends Against Scams and Consumers International.

More work to be done

We want to see all UK banks and delivery companies adopting this guide, so there’s work for us to do yet.

Unfortunately, we know that scammers will keep sending fake texts out to the public. But as more businesses start following our guide, it will make it much easier for consumers to know what they can expect from legitimate messages and make the scams easier to spot.

Have you received good or bad examples of text messages from banks and delivery companies, or any other businesses?

What other sectors do you think we should target next? Let us know in the comments to help us apply pressure and get businesses to change their SMS practices.

Comments
Paul Burrowbridge says:
1 October 2021

PB: I have wondered for some time why Which? isn’t crusading for a clamp down on the scammers who are causing us all so much hassle and ruining our lives.
Which? is in a unique position to initiate a worldwide attack on scammers and fraudsters.
We are all conditioned into using passwords, codes, etc. to combat the cancer of the internet, when what we should be doing is getting to the heart of the problem, ie tracking down scammers and dealing with them once and for all, instead of being led down the ridiculous route of having to take more and more precautions at every turn.
Currently I know so little about what is being done at the heart of the problem and I hear almost nothing about caught scammers. Are there any? Let’s get all countries to round up these people – get to the crux of the crime instead of inventing temporary ways of dealing with the symptoms of it!
Tell us about what is being done to track down scammers and about punishments that are being dished out, severe enough to prevent them acting again – ever! …and disable their activities for good! Let’s name and shame these people, so that we can trust what we receive online. Rant done!

Feedback for Which;
The Which Email providing the latest information on Scams, includes a couple of “buttons” with hyperlinks within the email. Exactly the practice the latest Which newsletter is warning against! If I log into the Which website, and use the search function, I am unable to find the latest notice regarding Scams in the website. The historic Scam notices can be found under “Which Services”, but not the latest notice. When I review and analyse the hyperlink file path (without clicking on the hyperlink), the hyperlink file path address bears no resemblance to the normal Which web address.

I would be interested in hearing a response from Which.

I have just suffered the effects of a fake text message from DHL. As I had just Tracked my delivery from Germany the last info read : “item has been picked up from depot” and immediately came off that I received a text message from “DHL” saying my delivery was on its way (or similar words) Please instal our app to track item with the link. I had NEVER done this before, because I had received many fake texts from various couriers. This one looked different, looked genuine and caught me out! This happened Sunday tea time, I knew almost immediately this was really dodgy, but could NOT access the app tried to uninstall it, but I could not. The next day I received a text message from my mobile provider, TalkMobile, with advice that some unusual activity on my account regarding many hundreds of texts being sent at one time, and to give them a call. I did and spoke to a lovely adviser who explained that the Fraud dept would give me a call to go through steps to try and sort out what has happened, within 48 hours, I waited until Wednesday morning for the call, which did not happen. I phoned them and spoke to another adviser who did not have any info on my issues and just said sim is secure carry on…! I was so upset and did not know where to turn. I finally took my phone into a PC Express shop where it still remains..the guy there has said he has never seen malware like this. I know this is ongoing I tried to inform PayPal etc but seeing as all my calls insisted on confirming via my mobile phone number with the infected malware…I have been running around like a headless chicken. No help whatsoever!

https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes

This 2 year old guidance for businesses suggests that the structure of SMS messaging is insecure, never was and was not designed as such. It is, however, an easy and wide reaching way of contacting people with mobile phones. Using it to transmit sensitive information is quite inappropriate; just use it for non-sensitive messages.

So the guidance to simply ask the customer to contact the sender is the only way to preserve security. Businesses should be required to send these free of any links and contact numbers.

As there’s no fuel shortages why are people panic buying! I’ll walk more if possible anyway to save fuel, it’s nothing to do with panic buying. The government and forecourts should have stepped in quickly to stop this. The media should never have reported this in the first place.

I have another concern, which is that some companies are sending out communications that look like scams (i.e have several characteristics that the scammers use):-
1. British Gas took over my gas supply from PFP Energy. They initially send me two “welcome emails” that included my name and informed me of the change and why (but not what I would then be paying). Three weeks later, BG sent me another email saying:-
“Reset your password
Hello
We’ve received a request to set up or change your password.
You can set your new password by following this link:
Reset and access your account
If you didn’t ask to reset your password, or you are accessing your account for the first time, don’t worry, your account is still secure.”
This was laid out with their logo etc, but as you see, did not give my name, provided a link and as I did not have an account with them (nor had received any details about my new account with them), made no sense and thus looked suspicious.

2. When renewing my Broadband & Telephone account with John Lewis, they would not give me the £75 gift card in their online advertisement because I was an existing customer (who therefore did not need a router, nor the admin to change supplier). I changed my account into my wife’s name so she was then a new customer and qualified for the deal (yes, it seems you can do this! – even though our address, phone number, email, bank details and so on stayed exactly the same ). They then wanted confirmation of her acceptance of the terms of the deal and sent her an email, not from John Lewis Broadband, but from Lightico (who I had never heard of). That read as follows:-

“[Edited] just sent you a request to connect for document collaboration.
Your sales advisor has just sent you a screen share request, please click the link to connect. If you did not request this, please do not click the link and disregard this message

Press To Connect

Do Not Share This Email
This email contains a secured link to Lightico. Please do not share this email or link with others.

About Lightico
Lightico lets you collaborate with your clients in real-time, exchanging documentation, electronically sign them and even collect payment while you’re on a call with your clients. It’s safe and it’s legally binded. No matter where you or your clients are, at the office, home or on-the-go — Lightico provides a professional and trusted sales productivity tool.

Questions about this document?
If you need to modify any detail in the documents that you will exchange in this interaction please reach out to the sender by emailing or calling them directly.”

Note, the instigator has a plus.net (not JL) email address and there is one of those links again. This went on to require access to my computer and while the content that followed did refer to John Lewis, was almost illegible. I only proceeded with this because I was trying to complete what had been a long contract renewal process on the phone at the same time, but afterwards felt a fool.

[Moderator: we’ve edited this comment to remove an email address. Please do not post personal contact details or other personally identifiable information – this is for everyone’s privacy. For more information see the Community guidelines]

I have received not only emails about my account being “suspended” from banks I do not have an account with, but also allegedly from PayPal. Easily recognised by me, since I use that account regularly enough to know it isn’t true. But I also regularly get emails from computer security companies telling me my protection subscription has run out, the latest from McAfee alleging I have 23 viruses on my computer! The regularity with which I receive “reminders” is enough to demonstrate that they are scams, although the fact that I have never subscribed to them also helps! Not at all sure everyone would realise this. I’ve had DPD ones too, not many, asking for payment, and even a Royal Mail attempt (I don’t know why they wasted time on that one).

constant phone calls claiming to be Amazon or BT

I am a disabled person and I have found once firms like DPD delivery drivers get to know me, ninety-nine percent of the time things are great. The only time it goes wrong is when there is a new person covering the round. That goes for Hermes, Amazon and the other firms that deliver to me.

Ken Martin says:
4 December 2021

I use the internet but have not a mobile phone so get late emails but no text. I want to get an email in good time, not it was delivered an hour ago!

Ken Martin says:
4 December 2021

Banks set rules about emails and phone then make it too hard to use them with high cost calls, long waits or information you have lost.

Aileen Harris says:
4 December 2021

My husband and I both received messages from NHS test and trace stating that we had been in contact with someone who had tested positive for Covid. The messages had our middle name as our surname, something I have seen done on scam texts and emails and would never expect to happen with an NHS text. This was the only personal ID on the text. Additionally their website says they will call you, it doesn’t mention emails or texts. As we had not been anywhere together since we returned from holiday a week previously, had not downloaded the test & trace app, knew no one who had Covid and had taken day 2 PCR tests a few days previously it seemed obviously a scam.
After the third text however I phoned the helpline and they confirmed that it was genuine. They also said that the name switch happened regularly.
Given that Covid scams are common they need to be more careful when sending out texts and emails, and also ensure that their website is updated to show that they may contact you by text or email and what it will look like. They could also include some additional personal information such as the last part of your NHS number like banks do with account numbers.

Lorcan Farrelly says:
4 December 2021

We have recently experienced a couple of new (to us) scam type emails.

1) emails from addresses on an old school friend group, asking for a favour, and to be called back.

2) emails enclosing a voice message to be played (which we didn’t), one sent just to us, and the other with several recipients, including at least two from the old school friend list.

I really don’t think that companies, especially banks and finance companies are doing enough about this situation. Too often the onus is on the customer, when they have been taken in by seemingly legitimate sounding texts or e-mails and have lost money as a result. The banks try to make the customer feel stupid and that it is all their fault. I speak from personal experience here. It seems that if you, as a result of a fake text or e-mail, no matter how seemingly genuine, authorise a payment from your account, you are solely responsible for your financial loss. That to me is completely wrong and unacceptable, it is about time that this practice is looked at. It seems that there is nothing to stop a former or current employee of a bank or finance company from using their inside knowledge to con someone. When I once complained to my bank and showed the offending communication to a member of the branch staff, they told me that even they too would have been fooled. That fact still did not convince my bank that I was not an idiot for being fooled in the first place! Subsequently I was compelled in writing to close my account and transfer my money elsewhere. The banks make billions and can and should easily, collectively do far more to sort the problem. They are almost as culpable as the crooks themselves.

Richard, I agree with the part of your comment about the convincing nature of some emails and texts that lead to some customers being defrauded. But I do not see it follows that the bank must refund them if they had no way of knowing the transaction was fraudulent and all they did was obey their customer’s instructions to transfer money to another account. We can all make mistakes.

I would like some explanation as to what more the banks, and other bodies, can do to identify potential fraudsters and scams before they are perpetrated. One view as to why banks should refund money is because they have more money than those defrauded. That money is, of course, effectively their own customers and will be retrieved by higher charges on loans and lower savings interest.

However, if the banks can be shown to be negligent I would look at “refunds” differently. I would look to see the receiving bank taking responsibility as it is they who host the fraudsters’ accounts and should, maybe, take more care in who opens accounts and how those accounts are monitored for questionable activity.

Richard — I agree with Malcolm that there are limitations to what it is reasonable for banks to take responsibility for. We live in a world where communication via e-mails, text messages and social media contact is regarded as trustworthy despite plenty of evidence to the contrary. As a consequence of this misplaced trust scammers are intercepting communications and pretending to be friends or relatives asking for money.

The banks should certainly educate and inform their customers about the best way to stay safe in this new uncertain and fraudulent world, and about the risks of responding to texts and e-mails without verification. I feel they should also do more to identify which customers might need additional help or protection in the management of their money. Banks should make it clear that they cannot be held liable for the loss of money if customers give transfer instructions without a simple checking process. However, I don’t think banks should accept responsibility for their customers’ negligence.

You say “seemingly genuine” but nothing is genuine until you can prove it to be so, person-to-person. If someone has a phone that can send a text they can make a phone call to inform their mother of a new number and ask for money, and then voice recognition, vocabulary and dialogue content would prove their credentials. On receipt of such a message people must stop and think – Why didn’t he or she speak to me?

We all have a responsibility to adapt to the new reality and to learn that a text, e-mail message or social media contact does not, by itself, have guaranteed reliability. There is no inherent reason to trust someone you cannot see or speak to directly at the time.

If I have a debit or credit card stolen or simply lose it, my understanding is that my loss is limited to £50 providing I report the problem promptly. I have not tested this. The bank would not be responsible if I had acted irresponsibly, for example by writing the PIN on the card or if I had allowed someone to use the card and PIN. I have long believed that this is rather generous protection but equally it has made me comfortable about carrying around my cards.

Neither my bank nor credit card company has done anything to assess my abilities to avoid fraud yet I have the ability to transfer thousands of pounds. A great deal of fraud could be avoided if the banks – collectively – acted more responsibly. The intended subject of this discussion is the Which? Guide to SMS Best Practice. The reason that we have this Conversation is that banks are not following established best practice. The banks could have put in place what we now know as Confirmation of Payee from the start rather than simply ignoring the name of the payee, thus allowing payments to be misdirected for years. Before computer systems were in place there was the possibility of contacting our bank to request to have a cheque stopped for good reason. Now we have the ability to transfer large sums of money so quickly that it may not be recoverable, a system that facilitates fraud. It seems logical that payments to new payees should be delayed to allow time for suspected fraud to be reported to the bank and investigated before the transaction is completed. Banks should be working together to tackle crime and if customers’ losses are restricted to £50, as with cards, that would provide an incentive. Banks need to be able to recover money transferred to recipient banks in event of fraud.

Banks can protect themselves by restricting what their customers can do with their money, whether these are young and inexperienced people, old people with declining abilities, and anyone who has not acted responsibly in the past. As Richard has said, the banks should collectively do far more to sort out the problem.

I suspect that in the final analysis this will all come down to the question of negligence and what tests are applied to justify a reimbursement claim on the banks.

It would not surprise me if the Confirmation of Payee procedure has dramatically reduced the Authorised Push Payment [Payment Diversion] scam but, with many banks, and presumably all or most foreign ones, outside the scheme, significant risks remain.

It is possible that some people do not read the warnings on the transfer instruction pro forma and do not take any notice of a statement that there is not a match between the payee’s name and the account number specified for the payment. If people press the ‘continue’ button the deed is done. I don’t know what can be done about that other than, in the case of new payees, to have a mandatory stay of execution of the transfer, but even that is not guaranteed to lead to a cancellation unless there is direct communication between the bank and their customer.

I do not know what happens if the customer over-rides a mismatch warning and proceeds with the payment transfer anyway. I feel there should be a bold red warning on the screen and a bank message to say they will not process the transfer until the customer has telephoned to confirm it. That would be in the bank’s interest as much as the customer’s.

I don’t expect we will be given full details of how claims are handled, John. This information could help those of us who are interested in the subject but also aid exploitation by fraudsters.

I do not understand why it is possible to proceed with a transaction when CoP shows ‘no match’ with the payee’s name. Why not require the customer to contact their bank rather than allowing the customer to ignore the warnings?

After Ian commented on problems with CoP, I spoke to friends and they have had problems too.

If, as you say, CoP is not possible with foreign banks then that needs to be addressed. The customer still needs to be protected from being the victim of crime.

A great deal has been said about negligence of customers and perhaps attention should now focus on the failings of the banking system. I have no personal grouse against my bank or others but feel that we are very much let down by the banking system.

Responsibility rests with customers as well as banks.

Confirmation of Payee has been discussed ad infinitum including why it might not have been introduced earlier and why not all banks are included, although Phase 2 should deal with that. See other Convos.

It would be useful if informed proposals were summarised from time to time that would advance protection rather than continually blaming banks, or anyone else.

Restricted account facilities have been suggested a number of times to protect those less capable from making expensive mistakes.

I think no communications in this context -SMS or text – should include links or phone numbers. Just point the customer to the official site.

As far as “standardised” SMS formats are concerned I would have thought fraudsters would simply adopt the same style, wouldn’t they?

I wonder if there is a case for eliminating links from SMS messages. DerekP has pointed out that they are convenient for resetting passwords but many organisations avoid using links for this purpose.

wavechange says: Today 12:06

I do not understand why it is possible to proceed with a transaction when CoP shows ‘no match’ with the payee’s name. Why not require the customer to contact their bank rather than allowing the customer to ignore the warnings?

This is actually what I had to do, simply because I wasn’t prepared to override the COP warnings. But what’s interesting is that the banks actively promote one of the advantages of switching to them is faster payments between banks.

For me, anyway, the answer is simple: the banks are made responsible for all fraudulent APPs unless they can definitively prove their own systems were in perfect working order and the customer was adequately warned.

I agree, Ian, but I want to see the banking system run in a way that allows all payments to fraudulent accounts to be recoverable by reverse payment – from the receiving bank to the customer’s bank. In my view, rapid payments seem to have facilitated fraud by removing the time needed to report and cancel any transaction if it would be fraudulent.

I have given the example of customers’ liability being limited to £50 if they lose their providing that they do not contribute to fraud by divulging their PIN or delay reporting the loss. If we buy products online, we are legally entitled to return them for a refund without having to provide a reason. I don’t see complaints that this is unfair on the companies ‘that have done nothing wrong’ to borrow a phrase. I have only done this once and that was when a company contacted me to substantially delay a delivery without even asking whether the new date was acceptable.

Online returns are permitted because you have not had the opportunity to examine the product, so it is effectively on approval. That is not, I suggest, the same as instructing your bank to carry out their obligation to transfer your money.

In principle, as I and some others have repeatedly suggested, I think the payee’s bank should refund not the payer’s. I would like to see informed input as to the possibilities and difficulties of this.

But this Convo is about SMS Best Practice. Perhaps a discussion of the banking system should be moved to another Convo?
https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/

malcolm r says: Today 14:21

Online returns are permitted because you have not had the opportunity to examine the product, so it is effectively on approval. That is not, I suggest, the same as instructing your bank to carry out their obligation to transfer your money.

Perhaps strictly speaking, not; but it does place more responsibility on the retailer than the customer. I wrote a topic some time ago in which I highlighted the behaviour of some less scrupulous retailers. In that instance it became very clear that some retailers wield an arrogance in respect of their customers, which would leave those same customers unable to respond were it not for the current legislation, much of which was pioneered by Which?.

I am not arguing against the legislation that allows us to return unwanted products or the protection offered to holders of debit and credit cards, but these privileges are obviously paid for by all customers. Banks have obligations under the current CRM Code and Which? has found that claims are treated differently by different banks, demonstrating the need for legislation. The solution is for the banks to work together and ensure that payments to accounts run by scammers etc. are returned promptly to the customers’ banks. In my view, the CRM Code provides an incentive to tackle the problem.

Perhaps it is debatable whether we should be arguing for diminished consumer protection and leave that up to the companies. That would be a good topic for discussion elsewhere.

Colin says:
6 December 2021

Maybe there is something I don’t understand, but it seems to me that where money has been electronically transferred to a fraudster’s account, the bank hosting this account is more than culpable. At some point in time they will have allowed the fraudster to open an account without fully verifying who they are hence allowing the banking system to act as a conduit for illegal money transfer. I can understand that a major difficulty in detecting fraudsters lies in their hiding behind stolen identities and hence in actually identifying who they are. But surely, in this age of technology, it must be possible for an individual’s true identity to be verified beyond any doubt using, for example, previously recorded personal information such as passport details, National Insurance number, NHS number, etc, etc, and surely here the banks have an ideal opportunity to fight crime.

I agree, Colin. In my view, the fraudster’s bank should be responsible for returning the stolen money even if they were not aware that the account was going to be used for fraud. When this is not done it makes fraud worthwhile. Nowadays, transfer of money between banks is fast and introducing a mandatory delay would provide time for suspected scams to be reported and investigated before the transaction was completed, so that the payment can be blocked. That would only be necessary for payments to new payees and not ones we have used before.

Fraud is lucrative and the banks can work together to help prevent it.

I agree, Colin, that if a bank has opened an account without reasonably checking the applicant’s credentials then, if that account has been used to perpetrate a fraud, the bank should be held liable.

However, if they have made all reasonable checks, or if, as has been reported, legitimately-opened accounts are sold to criminals (e.g. by foreign students returning abroad) and the bank could have had no knowledge of this, then they should not be held legally liable.

I have asked to see information as to whether any particular banks are more prone to hosting fraudsters’ accounts than others; that might help focus attention on any lax checking procedures.

I see no logical justification for expecting a bank that has done everything correctly to return money that turns out to have been obtained by a fraudster. There may be an emotive reason, usually that banks have lots of money (mostly belonging to you and me as depositors, of course) and can therefore easily afford to make a sympathy repayment. Or that there are (unspecified) actions they should have taken. I think the latter is valid if their individual and collective systems could be shown to have been defective and could practically be improved; the threat of being held financially responsible should, if that were the case, incentivise action.

Many proposals have been made in Convos about how we could better tackle consumer detriment. It would be worthwhile summarising them so a better picture could be appreciated.

As this particular Convo is about SMS messaging these comments might be better moved elsewhere. However, we frequently see links in SMS messages from all kinds of sources and I, for one, rarely use them but go directly to the source. In many cases that is probably over cautious prompted by publicity, but no bad thing. Certainly I believe any financial provider should not use them in SMS but simply ask the recipient to access their account or the provider’s website in the normal way.

I had already copied Colin’s comments to another Conversation, Malcolm: https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1641892

Malcolm wrote: “However, we frequently see links in SMS messages from all kinds of sources and I, for one, rarely use them but go directly to the source. In many cases that is probably over cautious prompted by publicity, but no bad thing. Certainly I believe any financial provider should not use them in SMS but simply ask the recipient to access their account or the provider’s website in the normal way.”

We and others have suggested that it would be best for responsible organisations not to include links in text messages, now that they are widely used to support fraud. Undoubtedly they are convenient but is the risk too high? Perhaps Which? could look into this. Do we really need links in text messages at all?

I happen to think that no official business should be conducted through the medium of text messages.

Once we let businesses know our mobile phone numbers we become prey. We alone can stop it by our own actions.

I am sure many will give reasons why my comment is impractical but it works for me.

It seems that we need something more secure than SMS. I am concerned when businesses and other organisations want us to use social media and chat facilities. 🙁

With businesses and even the NHS making extensive use of mobile numbers I am not sure about the practicality of withholding them and I wonder how those without phones cope without using them. It would be an interesting discussion.

Last week I was making a business phone call on my mobile that was unexpectedly cut off after 15 minutes. Shortly afterwards, I received an SMS text from an unknown 5-digit number, claiming to be from Vodafone and advising that my Spend Manager limit (out of plan spending cap) had been reached. However, part of the URL link inviting me to log in looked wrong – vodafone.uk – and I assumed this was some kind of scam.

Later on, I typed in the URL link provided on another computer and was taken to some Bitly domain hosting page. Obviously a scam.

However, I continued to receive SMS messages about my spending cap limit, so logged into my Vodafone account and could see no out of plan spending. I then contacted customer services to alert them to a possible scam and double check my account via webchat. I was assured that there were no changes on my account, my £10 Spend Manager limit was intact and everything was normal.

Come Monday morning, I called the same business number, my call was immediately blocked, and an announcement said my Spend Manager limit had been exceeded. Back on the phone to Vodafone customer services who, after 40 minutes on hold, reviewed my account and confirmed that I had exceeded my limit during Friday’s 15 minute call to an 0845 number, for which they charge a whopping £0.65 per minute! However, they tried to put things right by refunding my call charges and also compensated me for incorrect information provided on Friday evening’s chat.

Proof, as if proof were needed, that companies should not send out weblinks in SMS texts. Not only does over-familiarity with this practice present an opportunity for scams, but large companies like Vodafone can’t be trusted to get it right and end up misleading their own customers.