Businesses and political campaigns are increasingly relying on SMS messaging for critical communication with customers and constituents. Businesses use SMS for sales, service, marketing, simple notification, and two-way conversation. Political campaigns use SMS to drive awareness, donations, and get out the vote.
As SMS has increasingly become a channel of choice for these use cases, hackers and bad actors have taken notice. SMS is a viable attack vector. The U.S. Federal Trade Commission calls SMS attacks a “Triple Threat.” There is even a moniker for these attacks – Smishing – a clever combination of the phrases “SMS” and “Phishing” (coined in a McAfee blog post, 2006).
In the 2018 Texas Senatorial campaign, bad actors infiltrated the Beto O’Rourke campaign and used SMS to spread damaging misinformation.
In early 2019, mobile phone users in Australia received spoofed SMS messages from Apple trying to get users to click on a fraudulent link.
In 2019, A Knoxville, Tennessee cancer survivor was “smished” into sending $500 by scammers touting a government benefit.
Consumers text the keyword ID and receive a custom, single-use authentication token than can be entered into an embedded form on the organization's website.
On entry of the authentication code, definitive proof of the validity of the text message is provided: the originating number for the text message, the customer's phone number, and the timestamp of the last message sent.
Text A*SMS to 206-397-1625.
You will immediately receive a welcome message augmented with instructions for the ID keyword.
Reply ID to that message and enter the authentication code to prove our identity.
Prompt.io suggests these best practices for SMS-based communication: