In this digital era, individuals and businesses are extremely vulnerable to cybercrime, where sensitive and personal information is obtained by scammers and used for fraudulent activities. Cyber attacks often have devastating effects on victims, leading to financial ruin as well as reputation loss in the case of businesses.
98% of cybercrime contains some elements of social engineering (psychological manipulation that tricks people into giving away sensitive information or making security mistakes). One way this occurs is through SMS spoofing.
In this article, you'll learn what SMS spoofing is, how it impacts businesses and how to protect your business from this form of cyber fraud if you're using SMS to contact customers.
What is SMS spoofing?
Fraudsters use SMS spoofing to steal sensitive information, such as bank details. They do this by sending a fake text, hoping the recipient will respond and reveal such information or unwittingly allow the fraudster to download malware onto their mobile phone.
How does SMS spoofing work?
A fraudster hacks into SMS technology and changes sender information, such as the contact name and/or phone number, so as to impersonate a reputable business.
You've probably witnessed this practice yourself, having received a spoof text message from a business or person you think you know, but something about the message doesn't feel right. It might be the tone, the language used, or the fact that you're being unexpectedly asked to submit some personal details.
SMS phishing, smishing and vishing: what's the difference?
SMS spoofing is sometimes referred to as SMS phishing. Both terms relate to the fraudulent practice of purporting to be from a legitimate source to get individuals to reveal personal information. Phishing can occur through emails (the most common method), phone calls, and text messages. Wi-Fi spoofing – a malicious free Wi-Fi hotspot set up by hackers so they can access users' systems – is also a form of phishing.
Smishing is very similar but relates only to fake SMS messages. And then there's vishing, which is almost identical except fraudsters use Voice over Internet Protocol (VoIP) instead of SMS.
How can SMS spoofing impact businesses?
SMS spoofing is a major problem for all businesses and their customers. By gaining access to company networks and impersonating the business through spoofed messages, cybercriminals can potentially extract personal details from customers to:
Carry out identity theft, e.g. take out a loan in someone's name.
Take over the customer's account so they can access even more data.
Set up fake money transfers where the victim is scammed into transferring money from their bank account.
Sell the data to other criminals.
These activities cause great emotional and financial distress for victims. And this is bad news for the businesses being impersonated. Not only does SMS spoofing damage company reputations, but it's also very costly in terms of monetary losses. Then there are increased calls to customer service from worried customers who've received spoofed messages – this can lead to increased operational costs.
Sadly, this issue isn't likely to go away anytime soon. According to Proofpoint, SMS spoofing attacks increased by almost 700% in the first half of 2021. And because 45% of recipients respond to text messages, cybercriminals know that the chances of interaction are high.
Types of SMS spoofing
Let's look at some specific examples of SMS message spoofing and what scammers do to get people to interact and reveal personal data.
1. Fake money transfers
A typical example is where fraudsters send a text claiming the recipient has won a prize. They ask for bank details so they can deposit the winnings.
2. Fake sender ID
This is the most common type of spoof SMS, where a hacker replaces the real sender ID with a fake one, allowing them to appear as a person's bank or credit card provider.
3. Harassment
Stalkers, pranksters and cyberbullies use this form of SMS spoofing to send threatening or unwanted texts to try to intimidate victims. The goal can be to extort money from the recipient, although this isn't always the case.
4. Espionage
This is the practice of 'spying' to steal information. Hackers send an SMS message which includes a link to a malicious website. When clicked on, the link redirects to another site that installs malware to gather personal information. Hackers can use this to access company resources or steal money.
How to protect your business from SMS spoofing
Anyone using a mobile phone for business (this includes employees) should be cautious when responding to unfamiliar text messages. Don't click hyperlinks from unknown sources, and always verify the sender's identity before providing any sensitive information.
Remember, banks and other financial institutions never ask for personal details or request that you change your password via SMS. Some spoof SMS messages can look incredibly authentic, so if ever in doubt, call the company in question and ask if they have sent the text.
Red flags to detect SMS spoofing text messages
Watch out for verification codes sent by text, especially if you didn't request them. This is a sure sign that a hacker is trying to log into one of your applications. Other warning signs include:
Suspicious wording – such as 'Reset Password Required', 'Delivery Attempt', 'Account Suspended', 'Update Payment Information' or 'Immediate Action Required'.
A number you don't recognise – sometimes the sender ID looks like a regular mobile number. If it's unfamiliar, do a quick search on it, even if the message content includes the name of a reputable business.
Spelling and grammar mistakes – scammers often spell words incorrectly on purpose to get past spam filters which look for certain words. Another reason they do this is that they know recipients who don't notice spelling errors are more likely to respond and be duped by them. (For fraudsters using bulk messaging services to contact many potential victims at once, this can save them time.)
Strange hyperlinks – URLs that look too short, overly long or contain unusual character strings should be treated as potentially suspicious. Enter the URL into link scanning software (available online) to check it for safety before clicking it in the SMS.
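The warning signs above can also be checked mechanically when triaging a message that a customer or employee reports. The following Python is an added example, not part of the original article: it checks one message for the listed wording, an unrequested verification code, an unfamiliar sender and odd links. The function names, the length thresholds and the sample messages are assumptions made for illustration; the spelling check is left out because it needs a dictionary.

```python
import re
from urllib.parse import urlsplit

# Phrases the article lists under "suspicious wording".
PHRASES = ("reset password required", "delivery attempt", "account suspended",
           "update payment information", "immediate action required")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
CODE_RE = re.compile(r"\b(?:code|otp|pin)\b\D{0,20}\b\d{4,8}\b", re.IGNORECASE)

def url_flags(url):
    """Reasons a link looks odd. The length thresholds are assumptions."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    if len(url) <= 24 and len(parts.path) > 1:
        flags.append("short link hides destination")
    if len(url) > 100:
        flags.append("overly long link")
    if "@" in parts.netloc or url.count("%") >= 3 or "xn--" in host:
        flags.append("unusual characters in link")
    if re.fullmatch(r"[0-9.]+", host):
        flags.append("numeric host instead of a name")
    return flags

def red_flags(sender, body, known_senders, requested_code=False):
    """Return the article's warning signs found in one inbound SMS."""
    found = []
    # A familiar sender ID proves nothing (it can be faked); an unfamiliar one
    # is still worth a lookup.
    if sender not in known_senders:
        found.append("unrecognised sender")
    text = " ".join(body.lower().split())
    found += [f"suspicious wording: {p}" for p in PHRASES if p in text]
    if CODE_RE.search(body) and not requested_code:
        found.append("unrequested verification code")
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?)")
        found += [f"{flag}: {url}" for flag in url_flags(url)]
    return found

# Constructed sample messages (not real traffic).
KNOWN = {"MyBank"}
SAMPLES = [
    ("+447700900123", "Account Suspended: verify at https://t.example/a8Xk2"),
    ("MyBank", "Your code is 482913"),
    ("MyBank", "Your parcel arrives tomorrow."),
]
if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", red_flags(sender, body, KNOWN) or "no flags")
```

A message with no flags is not proven genuine; the output is a prompt for the manual checks described above, such as calling the company.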
Keep your business safe from SMS spoofing
SMS spoofing, where fraudsters attempt to trick you into revealing personal information to steal money, harass someone or undertake company sabotage, is illegal. It can cause significant emotional and financial distress for victims and ruin business reputations.
Keep your eyes peeled for the warning signs above to detect and prevent SMS spoofing from impacting your business. If you notice an SMS spoofing attack, report it to your wireless provider. In the US and the UK, you can do this by forwarding the message to 7726. Alternatively, contact your country's fraud prevention agency.