
Why companies should adopt our guide to SMS Best Practice

It’s often hard to know which text messages you can trust. We’re asking businesses to adopt our SMS best practice guide to help consumers spot scam texts and have more trust in business messaging.

We all know that text message scams, known as ‘smishing’, are a big problem for consumers. The cyber security company Proofpoint has seen nearly a 700% growth in reports of smishing in the UK in the first six months of 2021 compared with the second half of 2020.

This is driven in large part by more businesses using SMS to reach their customers – and more scammers mimicking their tactics.

At Which?, we often share warnings about the smishing texts circulating and try to help people spot these so you can protect yourself. You’ve probably noticed that lots of scam texts try to get you to follow a URL, call back a phone number or reply to the message.

They can also include language that makes you feel panicked into taking a certain action. While scammers use these techniques, unfortunately some legitimate businesses do as well. As a result, some genuine texts end up looking suspicious.

Here are a couple of examples of legitimate text messages that could be mistaken by consumers for scams:

On the left, this legitimate text from a bank uses language that sounds urgent and requests that the receiver calls back a number included in the text: techniques that can be easily imitated and adapted by scammers.

To the right, a legitimate delivery text has come from a mobile number rather than a company name, and has instead included the company in the text itself. It includes not one but two URLs to follow. Again, these are common tactics of scammers.

Our tips for SMS best practice

We want businesses to use SMS in a way that helps protect consumers from SMS scams, so we’ve developed a best practice guide (PDF) for them.

📱 Be clear and consistent – this is so customers can become familiar with the types of messages a company sends and know what to expect.

📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.

📱 Don’t include phone numbers to call back – businesses should instead ask consumers to look up the number independently to call back.

📱 Be careful with personal information – businesses should address you by name if possible as scammers usually use generic greetings, but any other personal information (such as email addresses, account numbers, postcodes) should be at least partially redacted so that your data is not at risk if anyone else sees the message.

📱 Be careful with tone and language – it’s important that businesses don’t use language and tone that creates a sense of urgency or panic as this is what scammers do as well.
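As an added illustration that is not part of the Which? guide: a small lint that checks an outgoing SMS template against the five points above before it is sent. The trusted-domain list, the regular expressions and the word lists are assumptions made for this example.

```python
import re

# Constructed allow-list of domains the sender owns (an assumption for this example;
# the guide only says that any link used must be "easily verifiable").
TRUSTED_DOMAINS = {"example-bank.co.uk"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)
PHONE_RE = re.compile(r"(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s-]?\d{3,4}[\s-]?\d{3,4}")
DIGIT_RUN_RE = re.compile(r"\b\d{8,}\b")  # unredacted account/card-style numbers
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "hi there", "dear user")
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended",
                   "act now", "last chance", "final warning")


def lint_sms(text: str) -> list[str]:
    """Return one finding per guide point the template breaches (empty list = clean)."""
    findings = []
    # Personal information: full emails, account-style numbers and postcodes should be redacted.
    if EMAIL_RE.search(text):
        findings.append("PERSONAL_DATA: full email address")
    if DIGIT_RUN_RE.search(text):
        findings.append("PERSONAL_DATA: unredacted 8+ digit number")
    if POSTCODE_RE.search(text):
        findings.append("PERSONAL_DATA: full postcode")
    # Hyperlinks: mask emails first so their domain part is not mistaken for a URL.
    for m in URL_RE.finditer(EMAIL_RE.sub(" ", text)):
        host = re.sub(r"^https?://", "", m.group(0), flags=re.I).split("/")[0].lower()
        if host in TRUSTED_DOMAINS:
            findings.append(f"LINK: use only if absolutely necessary ({host})")
        else:
            findings.append(f"LINK: not easily verifiable ({host})")
    # Call-back numbers: the guide says to ask the customer to look the number up themselves.
    if PHONE_RE.search(text):
        findings.append("PHONE: call-back number included")
    # Tone and greeting: no urgency language, and address the customer by name.
    low = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in low:
            findings.append(f"TONE: urgency wording '{phrase}'")
    if low.startswith(GENERIC_GREETINGS):
        findings.append("GREETING: generic greeting, address the customer by name")
    return findings
```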

The businesses joining our call

The most common scam texts that get reported to us are pretending to be delivery companies or banks, so we’re pleased to say the following businesses from these sectors have already committed to following the points in our guide:

TSB

“We are signing up to the Which? SMS guide because we are firmly committed to tackling fraud together and to sharing industry expertise and advice to help people spot these scams. Fraud is the big consumer issue of the day, which is why we launched the UK’s only Fraud Refund Guarantee – to return our customers’ money should they ever innocently fall victim to bank fraud.

This guide provides a helpful framework for all businesses to rely on when developing customer communications and we hope it will drive continuous improvement across sectors.”

Barclays

“SMS messages are a valuable channel to contact customers and provide great customer service. However, scammers will use any means possible to exploit the trust between a business and their customer and SMS messages are often used as a tool to do just this. It’s important that businesses across industries work to take these tools away from scammers by taking actions to distinguish between their SMS messages, from those of scammers, as much as possible.

We see this guide as a checklist of manageable steps businesses can take to help protect customers from being tricked by scammers, while maintaining what is a preferred method of contact for many. If all businesses followed the recommendations proposed in the guide, it would be much easier for customers to spot scam SMS messages and keep themselves safe, making SMS messages much safer as a whole.”

DPD

“DPD is committed to tackling scams and working with other like-minded organisations to protect customers. As a result, we are very happy to support this Which? SMS initiative, which provides straightforward guidance for consumers and businesses.

Our long-term focus is on providing parcel recipients with a safe alternative to text and email notifications via the DPD app, which already means over 10 million users receive push notifications about their parcel, rather than texts. But we continue to raise awareness of best practice and safe links, where we still need to use traditional notifications.

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/”

Hermes

“We always advise consumers to be vigilant online and we’re committed to protecting the privacy and security of consumers and website visitors. Staying safe online can be tricky, which is why these handy guides are so important.”

Our guide is also supported by a number of organisations, including Which? Conversation guests Friends Against Scams and Consumers International.

More work to be done

We want to see all UK banks and delivery companies adopting this guide, so there’s work for us to do yet.

Unfortunately, we know that scammers will keep sending fake texts out to the public. But as more businesses start following our guide, it will make it much easier for consumers to know what they can expect from legitimate messages and make the scams easier to spot.

Have you received good or bad examples of text messages from banks and delivery companies, or any other businesses?

What other sectors do you think we should target next? Let us know in the comments to help us apply pressure and get businesses to change their SMS practices.

Comments

One of the major problems with scams is making people understand them; for example, never respond to a request to move funds from a “compromised” bank account to a “safe” one. But many don’t see, don’t listen or ignore the information.

So while encouraging businesses to exclude the possible “traps” as listed in “Our tips for SMS best practice”, how do recipients of such messages – legitimate or fraudulent – know what to avoid? I suspect the frauds will still continue successfully. Much greater publicity aimed at consumers is, I believe, necessary to make them aware; TV and social media are the necessary vehicles to have any real chance of success.

For many years I have maintained strict security over my mobile phone number with only two or three people knowing it. I have therefore received hardly any text messages and have never sent any. Lately it has been necessary to provide a mobile number for various purposes because organisations will not use landline numbers. My building society will not allow me to open a particular savings account unless I provide my mobile number; I regard this as discriminatory. British Gas will not even allow a customer to enter their website unless they give a mobile phone number. It has become virtually compulsory not just to have one, but to be permanently hitched to, a mobile phone; scammers know that, so business has opened the door to something which is now costing it a fortune to defeat.

Perhaps Which? could start by using links that give the appearance of being legitimate:

Today, @WhichUK launched an SMS guide on how consumers can be supported when spotting messages that they can trust or are fraudulent❗️

Find out more👇: https://t.co/RSNdOxxeBb pic.twitter.com/HV0iBZbGie

would look better as:

https://twitter.com/WhichUK/status/1437701535778156544
https://twitter.com/Consumers_Int/status/1437721117834231813

I hadn’t heard of Consumers International before but see it has over 250 member organisations in 120 countries. That gives a lot of scope for international cooperation on many issues.

The DPD app is excellent, Hermes is rubbish.

I have 3 deliveries on my Hermes app that have all been completed. 2 say they are on their way.

The third says no current journey data is available but check back later to see if it has been updated. So far I have had 3 emails giving me delivery times over 2 days and a fourth email the day after delivery informing me of a delay with the delivery and they will send me a message on 20th September. The parcel was actually delivered on the first delivery day within the first time-frame. 🙄

I don’t do financial transactions on my phone, but how secure are apps on a phone like my Samsung Galaxy S7 that is no longer supported?

@alfa wrote: “I don’t do financial transactions on my phone, but how secure are apps on a phone like my Samsung Galaxy S7 that is no longer supported?”

Isn’t it past time for Which? to address this particular bugbear? Presumably alfa’s concerns have been raised by the Which? campaign to get phone manufacturers to support their devices for longer. Fair enough, maybe.

But not when focusing on just one aspect of security causes members to make suboptimal risk decisions in general.

This security focus on not having the latest Android release totally ignores the bigger picture. What is the alternative being used? Windows? Internet Explorer? Chrome? How secure is that? Compared with any smart phone produced in the last ten years, not very!

At the most basic level, a Windows computer allows you administrative privileges. That means you (or a hacker) can do more or less what you like to the operating system and all the other software running on the system. You cannot do this to a mobile phone operating system unless you know how and are foolish enough to “root” the device.

How do we know that a computer has been maintained and has the latest operating system and patches installed? I’m writing this on a Sony Vaio. They stopped making (very good) laptops some years ago, but I don’t see Which? warning about that.

Installing the latest version of the operating system and browsers is very much in the user’s control. I’m not sure how many people have the right settings or would be prepared to undertake the complexities of an operating system upgrade or the risk of “bricking” the computer in the process. It is quite possible that some computers are still running the operating system as first shipped, without the benefit of any maintenance upgrades or more secure drivers.

How do we know that a computer device – even if still supported by the manufacturer – wasn’t compromised years ago and has all sorts of viruses and key loggers installed and monitoring every move? Windows PCs are still the Number One target for hackers, because they have been around so much longer, run commercial systems (bigger pickings) and are far easier to infect or hijack.

Is the computer device used for secure transactions being used by other members of the household who are installing their own software? Mobile phones are not shared devices, so you immediately have one major advantage in keeping your financial applications safe from harm.

Another advantage of a mobile device is that you have both the App to check your account and the means to contact the security department with you at all times. Did you accidentally let the waiter or hotel take away your chip-and-pin card? Did they use it fraudulently? Why wait until you get home or even back from a holiday abroad to find out? Or would you risk using a public computer to check this?

And what are you using for the greatest security innovation most people now have access to, assuming you haven’t already been put off completely? Two Level Authentication – something you know and something you have. Not that “insecure” mobile phone, surely?

I could go on (… and on, and on …) about the numerous security advantages of using a mobile phone for making financial transactions, provided you look after its physical security and only download your Apps from legitimate sources.

But why take my word for it?

Is mobile banking safe?

The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone.

Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account. This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.

It’s also more difficult to plant a keylogger in an Android or iOS device (software used to track every key you press and potentially steal usernames and passwords).

Smartphones can be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’). Of course mobile banking isn’t risk-free – fakes can turn up in app stores and malware does exist that specifically targets mobile phones.

Who said that? Which? August 2021

Stephanie wrote:
“📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.”
Hi Stephanie @stephanie-borthwick – If legitimate companies were instructed not to use links to protect consumers then we could assume that any text messages with links are likely to be scams. I’m struggling to think of examples where convenience is more important than tackling crime.

Thanks for the best practice guide.

“If legitimate companies were instructed not to use links to protect consumers then we could assume that any text messages with links are likely to be scams.” As I tried to explain above, this only works if people know that legitimate messages will not include links. Judging by the number of people who fall for scams it seems many take no notice of, or are not aware of, warning information. So without a mass publicity campaign, probably repeated regularly, I doubt it would achieve the success needed.

One of the more unprofessional abusers of SMS messaging is SSE. They send out unsolicited texts from a mobile number about their engineers installing smart meters in our area *, with an unverifiable URL to click or a mobile number to text to book a convenient appointment.

* No doubt they also have a load of spare asphalt and could re-lay our drive, or fix the loose roof tiles at the same time.