
Why companies should adopt our guide to SMS Best Practice

It’s often hard to know which text messages you can trust. We’re asking businesses to adopt our SMS best practice guide to help consumers spot scam texts and have more trust in business messaging.

10/12/21: Update

It’s important that businesses protect their customers from scams. We’re continuing to engage with lots of businesses and sectors on adopting our SMS best practice guide, including supermarkets, energy companies and PayPal amongst others.

Thank you to supporters who have been sharing examples of businesses that are frequently spoofed by scammers or have poor SMS practice. You can continue to share examples of business messages by emailing smsguide@which.co.uk, or share scam text messages with us via our Scam Sharer tool.

14/09/21: Our Best Practice Guide

We all know that text message scams, known as ‘smishing’, are a big problem for consumers. The cyber security company Proofpoint has seen nearly a 700% growth in reports of smishing in the UK in the first six months of 2021 compared with the second half of 2020.

This is driven in large part by more businesses using SMS to reach their customers – and more scammers mimicking their tactics.

At Which?, we often share warnings about the smishing texts circulating and try to help people spot these so you can protect yourself. You’ve probably noticed that lots of scam texts try to get you to follow a URL, call back a phone number or reply to the message.

They can also include language that makes you feel panicked into taking a certain action. While scammers use these techniques, unfortunately some legitimate businesses do as well. As a result, some genuine texts end up looking suspicious.

Here are a couple of examples of legitimate text messages that could be mistaken by consumers for scams:

On the left, this legitimate text from a bank uses language that sounds urgent and requests that the receiver calls back a number included in the text: techniques that can be easily imitated and adapted by scammers.

To the right, a legitimate delivery text has come from a mobile number rather than a company name, and has instead included the company in the text itself. It includes not one but two URLs to follow. Again, these are common tactics of scammers.

Our tips for SMS best practice

We want businesses to use SMS in a way that helps protect consumers from SMS scams, so we’ve developed a best practice guide (PDF) for them. 

📱 Be clear and consistent – this is so customers can become familiar with the types of messages a company sends and know what to expect.

📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.

📱 Don’t include phone numbers to call back – businesses should instead ask consumers to look up the number independently to call back.

📱 Be careful with personal information – businesses should address you by name if possible as scammers usually use generic greetings, but any other personal information (such as email addresses, account numbers, postcodes) should be at least partially redacted so that your data is not at risk if anyone else sees the message.

📱 Be careful with tone and language – it’s important that businesses don’t use language and tone that creates a sense of urgency or panic as this is what scammers do as well.
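As an added example (not Which? code and not part of the guide itself), here is a small Python linter a business could run over its outgoing SMS templates to check them against the five tips above before anything is sent. The regular expressions, urgency phrase list, sample messages and the domain allowlist are all assumptions constructed for illustration.

```python
"""Lint an outgoing SMS template against the five Which? SMS best-practice tips.

Added example, not Which? code. The patterns below are assumptions tuned for
UK-style phone numbers and postcodes; the sample messages are constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"                                            # scheme or www.
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:co\.uk|com|net|org|uk)\b\S*",  # bare domain
    re.I,
)
UK_PHONE_RE = re.compile(r"(?:\+44\s?\d|\b0\d)(?:[\s-]?\d){8,9}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")
LONG_NUMBER_RE = re.compile(r"\b\d{8,}\b")  # unredacted account/card-style number
URGENCY_PHRASES = ("urgent", "immediately", "act now", "within 24 hours",
                   "suspended", "avoid suspension", "final warning", "last chance")


def _host(url):
    """Hostname of a URL or bare domain, with a leading 'www.' removed."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def lint_sms(sender, text, allowed_domains=()):
    """Return a list of (tip, detail) findings; an empty list means the template passes."""
    findings = []

    # Tip 1: be clear and consistent. A bare number as sender is what scammers use.
    if not re.search(r"[A-Za-z]", sender):
        findings.append(("sender", f"sent from a number ({sender}) instead of a sender name"))

    # Tip 2: no hyperlinks unless necessary; if present, the domain must be verifiable.
    for url in URL_RE.findall(text):
        host = _host(url)
        if any(host == d or host.endswith("." + d) for d in allowed_domains):
            findings.append(("hyperlink", f"link to {host}: verifiable, but drop it unless needed"))
        else:
            findings.append(("hyperlink", f"link to {host}: not on the verifiable-domain list"))
    body = URL_RE.sub(" ", text)  # strip URLs so their digits are not re-flagged below

    # Tip 3: no call-back numbers; customers should look the number up themselves.
    for number in UK_PHONE_RE.findall(body):
        findings.append(("callback-number", f"asks the customer to call {number}"))
    body = UK_PHONE_RE.sub(" ", body)

    # Tip 4: personal information should be at least partially redacted.
    for label, rx in (("email address", EMAIL_RE), ("postcode", POSTCODE_RE),
                      ("account/reference number", LONG_NUMBER_RE)):
        for item in rx.findall(body):
            findings.append(("personal-data", f"unredacted {label}: {item}"))

    # Tip 5: tone. Urgency and threats of suspension are the scammer's playbook.
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append(("tone", "urgency language: " + ", ".join(hits)))
    return findings


# Constructed sample templates modelled on the two examples in the post.
SAMPLES = {
    "bank": ("BANK", "URGENT: suspicious activity on account 12345678. "
                     "Call us immediately on 0800 123 4567 to avoid suspension."),
    "delivery": ("07700900123", "DPD: your parcel is out for delivery. Track it at "
                                "http://tracking.example/track/ab12 or rearrange at www.dpd.co.uk/mydpd"),
    "compliant": ("DPD", "DPD: your parcel will arrive today between 10:00 and 12:00. "
                         "To change the slot, open the DPD app or visit our website. Ref ends ...4821."),
}

if __name__ == "__main__":
    for name, (sender, text) in SAMPLES.items():
        print(f"--- {name} ---")
        for tip, detail in lint_sms(sender, text, allowed_domains=("dpd.co.uk",)) or [("ok", "no issues")]:
            print(f"  [{tip}] {detail}")
```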

The businesses joining our call

The most common scam texts that get reported to us are pretending to be delivery companies or banks, so we’re pleased to say the following businesses from these sectors have already committed to following the points in our guide:

TSB

“We are signing up to the Which? SMS guide because we are firmly committed to tackling fraud together and to sharing industry expertise and advice to help people spot these scams. Fraud is the big consumer issue of the day, which is why we launched the UK’s only Fraud Refund Guarantee – to return our customers’ money should they ever innocently fall victim to bank fraud.

This guide provides a helpful framework for all businesses to rely on when developing customer communications and we hope it will drive continuous improvement across sectors.”

Barclays

“SMS messages are a valuable channel to contact customers and provide great customer service. However, scammers will use any means possible to exploit the trust between a business and their customer and SMS messages are often used as a tool to do just this. It’s important that businesses across industries work to take these tools away from scammers by taking actions to distinguish between their SMS messages, from those of scammers, as much as possible.

We see this guide as a checklist of manageable steps businesses can take to help protect customers from being tricked by scammers, while maintaining what is a preferred method of contact for many. If all businesses followed the recommendations proposed in the guide, it would be much easier for customers to spot scam SMS messages and keep themselves safe, making SMS messages much safer as a whole.”

DPD

“DPD is committed to tackling scams and working with other like-minded organisations to protect customers. As a result, we are very happy to support this Which? SMS initiative, which provides straightforward guidance for consumers and businesses.

Our long-term focus is on providing parcel recipients with a safe alternative to text and email notifications via the DPD app, which already means over 10 million users receive push notifications about their parcel, rather than texts. But we continue to raise awareness of best practice and safe links, where we still need to use traditional notifications.

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/.”

Hermes

“We always advise consumers to be vigilant online and we’re committed to protecting the privacy and security of consumers and website visitors. Staying safe online can be tricky, which is why these handy guides are so important.”

Our guide is also supported by a number of organisations, including Which? Conversation guests Friends Against Scams and Consumers International.

More work to be done

We want to see all UK banks and delivery companies adopting this guide, so there’s work for us to do yet.

Unfortunately, we know that scammers will keep sending fake texts out to the public. But as more businesses start following our guide, it will make it much easier for consumers to know what they can expect from legitimate messages and make the scams easier to spot.

Have you received good or bad examples of text messages from banks and delivery companies, or any other businesses?

What other sectors do you think we should target next? Let us know in the comments to help us apply pressure and get businesses to change their SMS practices.

Comments

One of the major problems with scams is making people understand them; for example, never respond to a request to move funds from a “compromised” bank account to a “safe” one. But many don’t see, don’t listen or ignore the information.

So while encouraging businesses to exclude the possible “traps” as listed in “Our tips for SMS best practice”, how do recipients of such messages – legitimate or fraudulent – know what to avoid? I suspect the frauds will still continue successfully. Much greater publicity aimed at consumers is, I believe, necessary to make them aware; TV and social media are the necessary vehicles to have any real chance of success.

For many years I have maintained strict security over my mobile phone number with only two or three people knowing it. I have therefore received hardly any text messages and have never sent any. Lately it has been necessary to provide a mobile number for various purposes because organisations will not use landline numbers. My building society will not allow me to open a particular savings account unless I provide my mobile number; I regard this as discriminatory. British Gas will not even allow a customer to enter their website unless they give a mobile phone number. It has become virtually compulsory not just to have one, but to be permanently hitched to, a mobile phone; scammers know that, so business has opened the door to something which is now costing it a fortune to defeat.

Norman R. says:
30 September 2021

I do not have a mobile phone and, so far, this has caused me no problems. My bank wanted to send passwords via a mobile, but readily agreed to send them via email when I objected. So it’s not true to say they are now compulsory.

Doug Knox says:
30 September 2021

So true! Banks who would never have used email to contact a valued customer, now routinely use anti “social media” and so encourage avoidable risk taking.
Use cheques, paper is safer, reduce your data being broadcast and available to hackers.

Can you just give a made-up number to save giving your own. It is infuriating that they demand such

Where does British Gas insist on a mobile phone number? Registering for an online account says:

“Mobile number (optional)
This will only be used to match you against our records and send you a verification code.”

If you are prevented from using a service because you cannot or do not wish to give out your number, then I suggest you contact the supplier, say you have a disability that makes using a mobile phone difficult and ask what they suggest instead.

Verification codes can equally well be sent to a landline number as a recorded message, and some companies do this.

When I was trying to sort out a boiler service, Em. I do not use BG for energy so do not have a general account. I had such a good deal on boiler and central heating maintenance that I stayed with BG for that purpose. They have now notified me that with my original contract soon expiring it will cost three times as much for the same service.

A possible way of addressing this if you have an old phone is to get a PAYG SIM, many of which can be obtained for free, and put it in the old phone. You may have to use it once every 6 months or so to keep it ‘alive’ but you can do that by calling or texting your main number.

You mean somebody else’s number?

Perhaps Which? could start by using links that give the appearance of being legitimate:

Today, @WhichUK launched an SMS guide on how consumers can be supported when spotting messages that they can trust or are fraudulent❗️

Find out more👇: https://t.co/RSNdOxxeBb pic.twitter.com/HV0iBZbGie
would look better as:
https://twitter.com/WhichUK/status/1437701535778156544
https://twitter.com/Consumers_Int/status/1437721117834231813

I hadn’t heard of Consumers International before but see it has over 250 member organisations in 120 countries. That gives a lot of scope for international cooperation on many issues.

The DPD app is excellent, Hermes is rubbish.

I have 3 deliveries on my Hermes app that have all been completed. 2 say they are on their way.

The third says no current journey data is available but check back later to see if it has been updated. So far I have had 3 emails giving me delivery times over 2 days and a fourth email the day after delivery informing me of a delay with the delivery and they will send me a message on 20th September. The parcel was actually delivered on the first delivery day within the first time-frame. 🙄

I don’t do financial transactions on my phone, but how secure are apps on a phone like my Samsung Galaxy S7 that is no longer supported?

@alfa wrote: “I don’t do financial transactions on my phone, but how secure are apps on a phone like my Samsung Galaxy S7 that is no longer supported?”

Isn’t it past time for Which? to address this particular bugbear? Presumably alfa’s concerns have been raised by the Which? campaign to get phone manufacturers to support their devices for longer. Fair enough, maybe.

But not when focusing on just one aspect of security causes members to make suboptimal risk decisions in general.

This security focus on not having the latest Android release totally ignores the bigger picture. What is the alternative being used? Windows? Internet Explorer? Chrome? How secure is that? Compared with any smart phone produced in the last ten years, not very!

At the most basic level, a Windows computer allows you administrative privileges. That means you (or a hacker) can do more or less what you like to the operating system and all the other software running on the system. You cannot do this to a mobile phone operating system unless you know how and are foolish enough to “root” the device.

How do we know that a computer has been maintained and has the latest operating system and patches installed? I’m writing this on a Sony Vaio. They stopped making (very good) laptops some years ago, but I don’t see Which? warning about that.

Installing the latest version of the operating system and browsers is very much in the user’s control. I’m not sure how many people have the right settings or would be prepared to undertake the complexities of an operating system upgrade or the risk of “bricking” the computer in the process. It is quite possible that some computers are still running the operating system as first shipped, without the benefit of any maintenance upgrades or more secure drivers.

How do we know that a computer device – even if still supported by the manufacturer – wasn’t compromised years ago and has all sorts of viruses and key loggers installed and monitoring every move? Windows PCs are still the Number One target for hackers, because they have been around so much longer, run commercial systems (bigger pickings) and are far easier to infect or hijack.

Is the computer device used for secure transactions being used by other members of the household who are installing their own software? Mobile phones are not shared devices, so you immediately have one major advantage in keeping your financial applications safe from harm.

Another advantage of a mobile device is that you have both the App to check your account and the means to contact the security department with you at all times. Did you accidentally let the waiter or hotel take away your chip-and-pin card? Did they use it fraudulently? Why wait until you get home or even back from a holiday abroad to find out? Or would you risk using a public computer to check this?

And what are you using for the greatest security innovation most people now have access to, assuming you haven’t already been put off completely? Two Level Authentication – something you know and something you have. Not that “insecure” mobile phone, surely?

I could go on (… and on, and on …) about the numerous security advantages of using a mobile phone for making financial transactions, provided you look after its physical security and only download your Apps from legitimate sources.

But why take my word for it?

Is mobile banking safe?

The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone.

Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account. This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.

It’s also more difficult to plant a keylogger in an Android or iOS device (software used to track every key you press and potentially steal usernames and passwords).

Smartphones can be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’). Of course mobile banking isn’t risk-free – fakes can turn up in app stores and malware does exist that specifically targets mobile phones.

Who said that? Which? August 2021

Stephanie wrote:
“📱 Don’t use hyperlinks unless absolutely necessary – scammers rely on getting people to click on links so it’s best if companies don’t use them at all. However, in some situations, including links can be more convenient for consumers, so in these cases businesses must use easily verifiable URLs so consumers can check they are legitimate.”
Hi Stephanie @stephanie-borthwick – If legitimate companies were instructed not to use links to protect consumers then we could assume that any text messages with links are likely to be scams. I’m struggling to think of examples where convenience is more important than tackling crime.

Thanks for the best practice guide.

“If legitimate companies were instructed not to use links to protect consumers then we could assume that any text messages with links are likely to be scams.” As I tried to explain above, this only works if people know that legitimate messages will not include links. Judging by the number of people who fall for scams it seems many take no notice of, or are not aware of, warning information. So without a mass publicity campaign, probably repeated regularly, I doubt it would achieve the success needed.

I would not mind if there were no links in commercial e-mails although I feel it is not so much the time saving that is critical with links — usually only a few seconds difference — but the avoidance of errors.

The biggest risk in dealing with scam e-mails is not from those purporting to come from companies you don’t deal with, they can be dismissed immediately, but those pretending to come from companies or organisations that you do. Unless they give some unique reference relevant to our address or account I am suspicious; I double-check the contents, and compare it with previous ‘safe’ examples. Another problem, however, is that companies tend to change their presentation format from time to time [no doubt in order to defeat scammers] so you have to be alert to what is genuine and what is not. I don’t expect there is a fool-proof protection against these difficulties other than constant vigilance and patience to examine everything thoroughly for authenticity. Many people will just not take the time to do that and put themselves at risk.

One of the advantages of having systems and devices that can do things incredibly quickly is that it gives us more time to look more carefully at what is showing. Unfortunately, judging by the number of people who admit they did something in a hurry and ended up on a bad website, many are not using that extra time to safeguard themselves. Perhaps that is a lesson that needs to be drummed in. I sometimes wonder if more mistakes are made because people are trying to do everything on a small screen; I wouldn’t know because I only use the internet on a full-size monitor where there is much more in view and less scrolling is required.

Hi Stephanie – Thanks for your reply.

I take your point about customers being frustrated by not having a simple link for tracking a delivery. A compromise could be to provide a code (a single word would do) that could be entered on the tracking page of the courier’s website. The customers of banks have had to adapt to using two factor authentication to improve security. Perhaps if companies explained that removal of links has been done to protect them from scams their customers would understand the reason.

Another reason given for including links in texts is for resetting passwords. I believe that a better approach is to provide a code (again a word would be best) that can be typed into the website. I find it encouraging that some organisations use this approach.

It would be good to hear about other companies that support the Which? best practice guide.

This “protection” seems to hinge around people taking notice of published precautions and acting accordingly. Experience shows many do not.

Stephanie Borthwick says:
Today 09:21

Hi Wavechange. Thanks for your comment. You’re quite right that it would be much easier for consumers to spot a scam if businesses never used hyperlinks at all. However, we also know that a lot of consumers would be frustrated if they could no longer click on a tracking link for an expected delivery and instead they had to go to the relevant website, find the tracking page and type in the tracking number.

I suspect they could simply copy and paste the tracking link, Stephanie. I agree with Wavechange: I suspect the risk of malignant links is now too great for them to be used.

John wrote: “I sometimes wonder if more mistakes are made because people are trying to do everything on a small screen….”

It would be interesting to explore this hypothesis, John. When planning to use an unfamiliar company I spend time exploring their website, for example to study terms & conditions and whether these comply with legal requirements, company number, address, etc. That might not be easy on a phone. On the other hand it has been suggested that using phone apps could be safer than online banking on a computer, and is certainly more convenient.

One of the more unprofessional abusers of SMS messaging is SSE. They send out unsolicited texts from a mobile number about their engineers installing smart meters in our area *, with an unverifiable URL to click or a mobile number to text to book a convenient appointment.

* No doubt they also have a load of spare asphalt and could re-lay our drive, or fix the loose roof tiles at the same time.

I had an email yesterday from Which? containing 19 clickable links. Presumably any one, or all, could have been “malignant” if the email were a scam. Nothing in the email related to my identity. A very convenient way to access their information, but is this not an illustration of the dangerous territory we are in? Is Which? somehow exempt?

Em, a bowls club I belonged to was doorstepped by a gentleman from a close overseas territory offering to patch up their car park with asphalt he happened to be in possession of. He quoted a price “for the yard”, which the naive “treasurer” who answered the door assumed was a total price (for the yard). Only when he was subsequently asked for the cash was his misunderstanding revealed. I suppose if SSE had come along and offered to re-lay cable “for the meter” he’d have got into similar problems.

I wish businesses would stop using SMS as a means of 2-factor authentication. SMS is not secure, as it is vulnerable for example to SIM swap fraud. For me, each of my SIM cards is a means of obtaining mobile data service, not a means of receiving SMS. So when I’m using a different SIM card (such as when abroad), I can’t receive SMS on the number that businesses expect me to receive it on.

Jeremy says:
30 September 2021

I got a text the other day asking me to click and give a no contact approval for a delivery. I didn’t respond but deleted it instead.

If you don’t expect it, don’t trust it. When dealing with mail order/online shopping ALWAYS keep a tally on expected delivery dates of goods ordered, be clear about the carrier service delivering the goods for you and if you get a message within the expected delivery time from a carrier other than that stated by the company you are conducting business with, check with them as a precaution. If they have no record of the alternate carrier fulfilling your delivery, you can be pretty well assured it is fraudulent in the majority of cases.

Nicole King says:
30 September 2021

I have an investment vehicle whose website will send an SMS message with a code to allow access. They will send this message to a landline – a gateway rings your phone and dictates the message to you. I have disabled this because spammers were waking me up in the small hours. The investment company has no other mechanism available, unlike Halifax, who will ring you directly with an automated message. This is the problem with computer systems designed by people who cannot imagine life without a mobile phone. I grew up without and spent most of my adult life without one. I never missed it.

What annoys me, more than anything else, is the waste of time, space, and the modern equivalent of paper. I do not use Macaffee mcafee or whatever it’s called. I tried it once, but it slowed things down so much it was like going back to shaving a slave’s head, writing a message on it & awaiting covering hair growth before dispatching him. Now, I get five or sometimes a dozen E-mails a day telling me my subscription is running out. Surely the “Server” [a misnomer if ever there was] could stop this easily. My XYZMail does this; my ABCMail doesn’t.
Servers awake ! You have nothing to lose but your customers !

Malcolm Burgess says:
30 September 2021

Drive more economically

Glenda says:
30 September 2021

I am an electric wheelchair user, with a huge accessible van to take the wheelchair lift and my electric wheelchair, I am the main driver, I transfer from the wheelchair to the drivers seat.

Public transport is impossible, each time I’ve tried, when my van has been in the garage or I’ve been unable to drive, it has resulted in me cancelling appointments, buses don’t all have wheelchair ramps, despite saying they do, half the time at least they do not work, not all kerbs are suitable for the ramps, if there is already a wheelchair user or child’s buggy on the bus, there is no space for another. My van is diesel, I don’t chose my vehicles, I lease through motability, their assessor visits me at home, know my health issues, knows my wheelchair, knows my needs, there is usually only 1 option, to fit my needs.

Andrew J King says:
30 September 2021

As in all things, refraining from answering text or emails from unknown parties, and be careful in the bio details you give on social media. As an oldie, I don’t use those services.

Steve Z says:
30 September 2021

I have often thought that, if it were possible for the customer to include their own order reference or password when they placed an order with a company, it might make things more secure. If the said company then had to use the password / order reference in all communications with the customer it would allow you to determine if something was legitimate or not, thus the company would need to included the reference etc. in emails, SMS, phone calls or any communication with the customer. This could be extended to verbal passwords with banks / building societies / utility companies etc. and may add another level of security for the end user.

Romain says:
30 September 2021

As I read earlier regarding those multiple scams, I respond on the phone in French (very rudely!!) and, as I survived mouth cancer, when those people try to show new stuff to get your teeth back, special outfit for your face +++++ I do answer in German, French and sometimes, when I’ve got time (as retired!!), in Vietnamese. It makes my day!!! as they do not answer my rudeness in French, as an ex-French Army 1970!!!!!!!!!
Thank you for your warning and have an easy week you and your team
Regards
Romain

Sheila Rushbrook says:
30 September 2021

I could not easily find reference to using 159 – your comments?

Can the new 159 anti-fraud hotline stop impersonation scams?

Read more: https://www.which.co.uk/news/2021/09/can-the-new-159-anti-fraud-hotline-stop-impersonation-scams/ – Which?

Valerie says:
30 September 2021

We have always paid our electricity bill by cash, promptly, at the Post Office. We have just changed suppliers and have opted to do direct debit transactions and have obviously given them details. The old supplier threatened to take money owed by our last bill, which was an erroneous amount, by direct debit. We have never had a DD with them. On checking with the bank, the old company had set up a DD with our bank when we had given no details of our bank account etc. to the old company. Is this illegal? Our new provider says they did not share our details. How were the old company able to access them?

Hi Valerie – It’s worth having a look at the Direct Debit Guarantee, which requires banks to refund money in event of an error: https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx

I hope that your bank will carry out a prompt investigation and arrange a refund.

Paying by monthly direct debit is likely to be the cheapest way of buying energy.

I was checking the advice to firms collecting payments by direct debit recently, and was surprised to read that there is no time limit for backdated claims to be made by the payer under the DD guarantee. So if for example, you discover a company has been taking payments from your account for the last ten years after you cancelled a service – like a warranty maybe – you are entitled to recover all the payments taken in error.

“I hope that your bank will carry out a prompt investigation and arrange a refund.”

I meant to add that the Direct Debit Guarantee is provided by the bank. Provided they are satisfied that an error has occurred, then you are entitled to have the money refunded to your account on the same day.

It is then up to the bank to obtain a refund from the merchant.

However, a DD Guarantee refund does not void any contract you have with the merchant and they may seek to recover money owed by other means.

A very good friend of mine from Holland banks with the Rabobank and whenever the Bank sends their customers a message by Email they will NEVER include a link for the customer to click on.
If it mentions that you should contact the bank for whatever reason, you know their phone number or email address and should contact them as such.