New smishing defence guidance from the NCSC
OryxAlign, Jan 28, 2022, 3 min read

In light of the rise in phone and text message scams (known as smishing), the UK’s National Cyber Security Centre (NCSC) has released new guidance for organisations on how to communicate with customers.

The guidance paves the way for businesses to create credible, security-conscious communications. The NCSC’s Technical Director, Dr Ian Levy, has urged all businesses to follow the guidance and do all they can to protect their customers from cybercrime and fraud.

Issues with telecoms

Many businesses rely on text messaging and phone calls for mass communication, particularly those in touch with the general public. The underlying technology and systems cannot assure the recipient of who the sender is or where a call or text originated, which is why cybercriminals can impersonate legitimate businesses and replicate their communications.

How to create trustworthy content

You want your business communications to appear legitimate, so all content should meet high-quality standards, such as proper formatting and no spelling mistakes.

Here are a few tips your business can keep in mind when creating content:

  • Refrain from asking for personal details
  • Avoid using links where possible
  • If links are needed, they should be human-readable and easy to recall
  • Maintain consistency across all channels
  • Avoid language that fuels panic or urgency

Speaking with a single voice

Telephone numbers, email addresses and SenderIDs should be kept simple, and the messaging should be consistent. The benefits of maintaining consistency are:

  • Easier differentiation between legitimate and fraudulent communications
  • Official sources can list the contact details definitively
  • Your messages explaining the communications process will be more readily accepted

Guidance for safe communication via texting

Text messages need careful consideration if they are to appear credible.

SenderIDs – the text names shown in place of a phone number; they should build trust, and they are case-sensitive

Shortcodes – five-digit numbers provided by the individual mobile network

Mobile numbers – using these can make a message look like a person-to-person text

As stated by the NCSC you should:

  • Use as few providers as possible, so that you can manage your communications supply chain; you need to understand the whole process
  • Refrain from using web links unless necessary. Consider using trusted links instead of URL-shortening services
  • Avoid special characters when using a SenderID, and add the ID to the MEF registry
  • Audit your messages to ensure they are received exactly as they are sent. Any changes could imply your provider is using grey routes, which puts your messages at risk of fraud, delay or regulatory breach.

Guidance for safe communication via phone calls

It’s relatively easy for cyber criminals to spoof a phone number: a criminal in another country can appear to be calling from a local number. Keep a small set of official numbers and publicise them well. You should also choose a provider that doesn’t route UK-to-UK calls overseas. Criminals are known to originate UK calls from outside the UK, so calls that are routed overseas may be blocked even when they are legitimate.

Remember to do your due diligence before you begin implementing services. Have you considered the following questions?

  • What type of number(s) are you looking to use? (shortcode, mobile, geographic, non-geographic, freephone etc.)
  • Are all the calls outbound-only, or do you want to accept some inbound calls?
  • Are you expecting to send or receive SMS? SenderIDs and some number types cannot receive messages
  • Who is/are the provider(s) of the Interactive Voice Response systems and/or call centres?
  • Which phone provider assigned the telephone number?


To help combat scams via phone calls, all businesses are advised to use the following guidelines:

  • Prompt your customers to contact you instead. You can do this by providing contact details of your channels on your website
  • Double-check your service providers aren’t routing your calls overseas
  • If numbers are only used for call reception, they should be added to the ‘Do not originate’ list
  • Be consistent with phone numbers when calling customers
  • Check that your provider is identifying, or ‘signalling’, your numbers correctly when making calls on your behalf. They should be doing so in accordance with the general conditions
  • Check if your service provider has enabled anti-porting measures

For more information on smishing, phishing and how to protect your business, contact our cyber security experts today.
