Unfortunately, SMS fraud is a growing concern for businesses that rely on SMS messaging to communicate with their customers.

This fraudulent activity can take various forms, including unauthorized access to messaging services, phishing attacks (smishing), spoofing, and sending spam messages.

As a leading A2P SMS provider, TNZ focusses efforts on educating our users on the common SMS Fraud types and how to prevent your business from falling victim to fraud.

 

Common SMS Fraud Schemes

A list of reported TXT Scams can be found on the Department of Internal Affairs website.

SMS Fraud takes on a few common forms:

Smishing

Phishing, or "smishing" when specifically referring to SMS, is one of the most common methods of SMS fraud.

In this scheme, attackers send messages that appear to be from legitimate sources, such as banks, government agencies, or familiar service providers, with the aim of tricking recipients into revealing sensitive personal information, such as passwords, credit card numbers, or social security numbers.

In most cases, the SMS message will contain a malicious link that leads to a fake website designed to capture personal information.

A list of common smishing 

All links sent through TNZ's network must be whitelisted. See TNZ SMS and Preventing Phishing URLs.

SIM Swapping

Garnering attention in MFA circles, SIM swapping is a very targeted form of SMS fraud.

In this attack, a fraudster will request a SIM Swap, effectively porting the victim's mobile number to a new SIM in the attacker's possession. This gives the fraudster access to SMS messages intended for the victim, including those containing one-time passwords or multi-factor verification codes used for two-factor authentication.

While this attack is rare in New Zealand due to more secure porting procedures, it can be common internationally where number ports can be triggered by mobile network staff members.

Toll Fraud

Toll Fraud goes by various names such as "Artificially Inflated Traffic", "SMS Cracking", "SMS Pumping" and "API Spamming". Essentially, a fraudster will gain unauthorised access to an SMS service and send large quantities of SMS messages.

There are two factors to this attack:

  1. The fraudster will often send malicious SMS messages to legitimate mobile numbers, hoping to trick the mobile user into opening a phishing link or download a malicious app.
  2. Alternatively, the fraudster will send fake SMS messages to expensive toll-numbers, earning them money.

In both cases, businesses can detect this attack by identifying:

  1. A sudden spike in SMS usage
  2. SMS messages sent to unusual countries and geographies
  3. SMS messages sent to sequential mobile numbers at the same time

TNZ proactively monitors volume spikes to unusual destinations and employs a credit limit system to prevent bill shock, however, your best options to mitigate this attack are:

  1. Limit the country codes your application can send SMS messages to. For example, if you are only sending to New Zealand and Australian mobiles, allow these prefixes only:
    +642
    00642
    642
    02
    2
    +614
    00614
    614
    04
    4
  2. If you have a publicly accessible website that sends an SMS message (for example, a user sign-up form on your website that automatically sends a verification text message to their mobile number), add a CAPTCHA to the form.

 

Education & More Info

As technology evolves, so do the tactics used by fraudsters. Businesses must stay informed about emerging threats, such as sophisticated phishing schemes using AI to mimic legitimate messages, and the development of cross-platform scams.

For long-term protection against SMS fraud, businesses should adopt a culture of security awareness. Encouraging the reporting of suspicious activities and regularly reviewing security measures can contribute to a robust defense against SMS fraud.

The CERT NZ website provides valuable information on cyber-crime prevention and reporting.