UK’s Cyber Security Center publishes new guidance to fight smishing

UK’s National Cyber Security Center (NCSC) has published new guidance for organizations to follow when communicating with customers via SMS or phone calls.

The goal of the new guidelines is to make it harder for scammers to trick the public and lead users to phishing sites.

This action comes in response to an alarming rise in scams that spoof popular brands, with fake parcel deliveries being the dominant theme.

The NCSC urges businesses to do their part in protecting consumers and fighting the rising threat of scams, and the main way to achieve this is by making legitimate and fraudulent communications easier to discern.

SMS guidance

When organizations use SMS to communicate with an audience, the NCSC recommends that they use the following guidelines to assure recipients that a text is legitimate:

Use a five-digit number instead of a regular phone number. Use a SenderID that appears in place of the sending number, indicating that the sender is trustworthy. Use the same SenderID consistently across all communications and register it with the MEF. Try not to include web links in SMS, but if it’s absolutely necessary, do not use URL shortening services that obscure the domain. Use as few SMS distribution providers as possible, and audit all messages to validate the content.

Phone call guidance

Spoofing the phone numbers of legitimate entities is now fairly easy for criminals, so the calling number itself doesn’t constitute a guarantee of safety in communications.

To help tackle this problem, businesses are advised to follow these guidelines when calling customers:

Urge customers to call you instead and provide information on how to do it on the official site. Ensure that the service providers aren’t routing calls to overseas infrastructure. Ensure that the service providers have enabled anti-porting measures. Ensure that the service providers are following the ‘General Conditions of Entitlement’. Maintain consistency by using the same numbers to call people. Numbers used only for call reception should be added to the ‘Do Not Originate’ list. Provide a way and guidance for customers to report scams.

Consumer’s perspective

Even though the above measures will help in tackling scams, smishing (SMS phishing), and fraudulent phone calls, the consumers need to do their part too by keeping the following in mind:

Legitimate messages are typically consistent and straightforward. The phone number and email address used are minimal. Valid SenderIDs don’t usually feature special characters. The validity of the sending address and number should be easy to verify on the entity’s official website. Honest communications never ask for personal details. Shortened URLs are a red flag.

In general, if something feels wrong when speaking to someone, ask for their name and hang up. Then, independently call the organization using the number you’ll find on their website and request to speak with the agent who contacted you.

Do not, under any circumstance, give away sensitive personal information on calls that you didn’t initiate.