Is texting a secure way to communicate? There have been rising concerns about the security of SMS as a communication channel, but nowadays, nothing is entirely secure. Every system has its vulnerabilities, even the most technologically advanced ones.
Take LastPass, for example – you'd think password management software would be impenetrable, but even this isn't safe from cyber attacks. Then there’s Facebook Messenger and WhatsApp, which are highly susceptible to security risks.
The best you can do when using any digital channel or software is to take precautionary measures to mitigate all known risks. As long as you do that, there's no reason not to use SMS for verification or as a communication channel for reaching existing and prospective customers.
The security risks of text messaging
So what exactly are the key security threats and concerns around using SMS for business communications? Here are the ones you should know about...
No end-to-end encryption
End-to-end encryption is where plain text is converted into scrambled data on the sender's device before it is transmitted. It's then converted back into readable text at the recipient's end. So with encrypted messages, only the sender and receiver can read the actual message content.
Because SMS doesn't have this type of encryption, mobile phone networks and other third parties can see the content of your text messages if they receive or intercept them (accidentally or intentionally).
Why can’t we just encrypt SMS messages?
Unfortunately, SMS technology doesn't support advanced encryption security features. It works via a legacy transmission protocol, meaning it doesn't have the end-to-end encryption capabilities of certain instant messaging channels, such as WhatsApp.
Even if the infrastructure of text messaging were upgraded in the future to something more modern and advanced, it likely wouldn't be compatible with the many different mobile device types and platforms used by the general population. That could cause a major disconnect between your business and the significant proportion of your customers or leads who sign up for your SMS marketing.
SMS message interception
SMS doesn't have totally secure delivery mechanisms and protocols – and the fact that messages aren't encrypted doesn't help. Text messages can be hacked, and if sensitive information falls into the wrong hands, the consequences can be highly detrimental.
For example, imagine you request a 2FA PIN code by text when logging into your bank account. If a hacker intercepts this SMS and has also collected other sensitive data belonging to you, such as your password and answers to security questions, they could gain access – and potentially clean out your account.
SMS phishing (or smishing) is a type of social engineering attack where victims are tricked into giving away sensitive information to an attacker. Attackers usually steal this information by getting you to click on a malicious link in the text message, which can either download malware onto your phone or lead to a fake website. In both cases, cybercriminals hope you'll type in confidential information that they can then access and use fraudulently.
SMS spoofing is very similar to smishing. This is where cybercriminals impersonate a legitimate individual or organisation (like your bank) to deceive you and extract sensitive information. They alter the sender's phone number and/or contact name to make it look like the text message is coming from someone you know and trust.
An example is getting a text message from your bank, but something about it seems odd. Maybe the company name is the same, but one letter has been changed, e.g. instead of PayPal, it's Paypal with a lowercase 'p'. Spoofed texts look very convincing, and if you happen to click a link in the message content or reply to the sender, this gives scammers a green light to steal from you.
SMS traffic pumping
SMS pumping is also known as an artificially inflated traffic attack. It's where fraudsters abuse a phone number input field online to request a one-time passcode (OTP) or a download link by text message. If controls aren't in place limiting the number of times users can request an SMS from your business, this can inflate traffic and exploit your system or app.
This type of scam generates income for the hacker, and as such, is very costly for businesses. If you suddenly notice an uptick in PIN code requests from random countries, your application is probably being affected by SMS pumping.
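One way to implement the controls described above, as an added example that is not part of the original article: a per-number limit on OTP requests, plus a counter that flags a sudden rise in requests to one country prefix. The limits, the prefix table (including the placeholder "+999") and the class name `OtpGate` are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed limits for illustration; tune them to your own traffic.
MAX_PER_NUMBER = 3      # OTP texts allowed per phone number per window
WINDOW_SECONDS = 600    # sliding window length
PREFIX_ALERT = 5        # attempts per country prefix per window that raise an alert
# Constructed, partial prefix table; "+999" is a placeholder, not a real country.
COUNTRY_PREFIXES = {"+44": "GB", "+1": "US", "+999": "XX"}

def country_of(number):
    """Return the country for the longest matching dialling prefix."""
    for length in (4, 3, 2):
        code = COUNTRY_PREFIXES.get(number[:length])
        if code:
            return code
    return "??"

class OtpGate:
    """Per-number OTP throttle that also flags spikes per country prefix."""

    def __init__(self):
        self.by_number = defaultdict(deque)
        self.by_country = defaultdict(deque)
        self.alerts = set()

    @staticmethod
    def _trim(times, now):
        # Drop timestamps that have fallen out of the sliding window.
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()

    def allow(self, number, now):
        """Return True if an OTP text may be sent to `number` at time `now`."""
        country = country_of(number)
        seen_country = self.by_country[country]
        self._trim(seen_country, now)
        seen_country.append(now)          # count every attempt, sent or refused
        if len(seen_country) >= PREFIX_ALERT:
            self.alerts.add(country)      # uptick from one country: investigate
        seen_number = self.by_number[number]
        self._trim(seen_number, now)
        if len(seen_number) >= MAX_PER_NUMBER:
            return False                  # this number has used its quota
        seen_number.append(now)
        return True
```

A per-number limit does nothing when each request uses a different number, which is why attempts are also counted per prefix; here the prefix counter only raises an alert and does not block.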
Why is SMS still used, despite the risks?
These security risks are a concern; however, no other communication channel has the same level of global penetration as SMS.
You might be tempted to switch to WhatsApp for sharing two-factor authentication codes with customers. But to do this, your customers need to download WhatsApp onto their mobile phones. Can you force them to download an app just to use your service? Absolutely not – people will only use the apps they like and find convenient.
SMS is a native app built into every text-enabled mobile phone; even the most basic feature phones can send and receive text messages. SMS doesn't require any extra app to be downloaded and installed, and there's no hardware to worry about.
Six top tips to enhance security for SMS messaging
There are plenty of things you can (and should) do to minimise the security risks around SMS messaging. Some of these involve educating customers about secure text messaging and the steps they can take at their end to use SMS safely.
1. Stay updated and be aware of potential texting scams
It's vital to stay in the loop about cybercrime to spot new threats when they arise. Keep an eye on the news because scams are always in the headlines with warnings and tips on avoiding them. Word travels fast!
2. Consider RCS and iMessage
Rich Communication Services (RCS) was created by Google as an upgrade to SMS, and to rival Apple's iMessage. Both allow users more flexible messaging features such as media attachments, group chat functionality and real-time typing indicators. Notably, both RCS and iMessage are end-to-end encrypted, meaning that if messages are intercepted, no one can decode the contents, not even Google or Apple.
RCS and iMessage can be resource-intensive, and you'll also need an internet connection at both the sender's and the recipient's end. You could potentially send SMS over WiFi instead of a cellular network, but this relies on the recipient having WiFi or mobile data, which isn't always possible (for example, in patchy internet areas).
3. Keep mobile devices secured
One easy way to stop unauthorised people from reading text messages is to ensure your mobile phone or tablet is never left unattended. Always lock devices with a PIN or biometric ID, and should the worst happen and your device get stolen, remote wipe it, lodge a formal complaint with the police and get your SIM blocked promptly.
These are useful fraud prevention measures you can educate your customers about through blog posts and marketing campaigns.
4. Avoid sending sensitive information over SMS
If you're sharing sensitive information with customers, don't use SMS – use another channel. For example, if customers want the option to pay by text, don't ask them to send their payment details by text message. Instead, send them a link to a secure online payment portal where they can safely enter their details. (You could still send the link by SMS – in which case you should brief customers in advance on avoiding suspicious messages and ways they can tell texts from your business are genuine.)
5. Use alternate messaging apps depending on specific use cases
You don't want to force customers to download third-party messaging apps, but there's no harm in using other channels if your customers prefer. So instead of relying purely on SMS verification, adopt an omnichannel approach and use another authentication method. This way, you can let customers choose which channel to use for receiving their PIN code.
Viber is a good option for verification as it uses the HTTPS protocol to encrypt messages in transit, plus it allows rich content messages to help you create meaningful conversations.
6. Send flash SMS messages
Flash SMS messages can help you preserve customer confidentiality. They appear on the lock or home screen of the recipient's mobile phone and then disappear instead of being stored locally (in the customer's device memory). No content from a flash SMS message can be accessed after it's been closed, so if the recipient's phone is stolen, the text can't be read.
The only risk with flash SMS is that an unauthorised person near the recipient's phone could view it as it pops up. However, it's unlikely that you'd send a flash SMS with sensitive information at the exact time the recipient's phone is stolen.
Practice safer texting
If you've ever wondered, "Can someone access my text messages?" you now know that yes, it is possible. There are several ways scammers and hackers can threaten SMS security; however, no channel or system is 100% safe – not even those created by tech giants.
When you consider the advantages of SMS – the extensive global reach, the exceptionally high (98%) open rates and the convenience it offers customers (being a native app) – these may outweigh the risks. And by taking preventive measures and ensuring customers do the same, you can stop many threats from taking root.