New smishing defence guidance from the NCSC
In light of the rise in phone and text message scams (known as Smishing), the UK’s National Cyber Security Center (NCSC) has released new guidance for businesses to follow when communicating with their customers.
The guidance paves the way for businesses to create trustworthy communications that are credible and security conscious. The NCSC’s Technical Director, Dr Ian Levy, has urged all businesses to follow the guidance and do all they can to protect their customers from cyber crime and fraud.
Issues with telecoms
Many businesses are reliant on text messaging and phone calls for mass communication, particularly for those that are in touch with the general public. The technology and systems used can’t guarantee to the recipient who the sender was and where the call or text originates from, hence why cyber criminals are able to disguise as legitimatise businesses and replicate their communications.
How to create trustworthy content
You want your business communications to come across as legitimate, so all content should meet high quality standards such as proper formatting and no spelling mistakes.
Here’s a few tips your business can keep in mind when creating content:
- Refrain from asking for personal details
- Avoid using links where possible
- If links are needed, they should be human readable and easy to recall
- Maintain consistency across all channels
- Avoid language that fuels panic or urgency
Speaking with a single voice
Telephone numbers, email addresses and SenderIDs should be kept simple, and the messaging should be consistent. The benefits of maintaining consistency are:
- Easier differentiation between legitimate and fraudulent
- Official sources can list the contact details definitively
- Your messages explaining the communications process will be more accepted
Guidance for safe communication via texting
Texting needs careful consideration to present as credible.
SenderIDs – The text addresses that show instead of the phone number should build trust and they’re case sensitive
Shortcodes – These are five digit numbers which are provided by the individuals mobile network
Mobile numbers – Using this can look like a person-to-person message
As stated by the NCSC you should:
- Use as few provider as possible to manage your communications supply chain, you need to understand the whole process
- Refrain from using weblinks unless necessary. Think about using trusted links instead of URL shortening services
- Avoid special characters when using SenderID, and add the ID to the MEF registry
- Audit your messages to ensure messages are received as they are sent. If any changes are made, it could imply your provider is using grey routes, which puts your messages at risk of fraud, delay or regulatory breach
Guidance for safe communication via phone calls
It’s fairly easy for cyber criminals to spoof a phone number -. cyber criminals in a different country can look like a local call number. You should have few official numbers, should be minimal and well publicised. You should also choose a provider that doesn’t route your UK-to-UK calls overseas. Criminals are known to originate UK calls from outside the UK, which causes overseas routed calls to be blocked even if legitimate.
Remember to do your due diligence before you begin putting services in place. Have you taken into consideration the following questions?
- What type of number(s) are you looking to use? (shortcode, mobile, geographic, non-geographic, freephone etc)
- Are all the calls outbound-only or do you want to accept some inbound calls?
- Are you expecting to send or receive SMS? SenderIDs and some numbers cannot receive messages
- Who is/are the provider(s) of the Interactive Voice Response systems and/or call centres?
- Which phone provider assigned the telephone number?
To help combat scams via phone calls, all businesses are advised to use the following guidelines:
- Prompt your customers to make contact with you instead. You can do this by providing contact details of your channels on your website
- Double check your service providers aren’t routing your calls to overseas
- If numbers are only used for call reception, they should be added to the ‘Do not originate’ list
- Be consistent with phone numbers when calling customers
- Track that your provider is identifying, or ‘signalling’ the numbers when making calls on your behalf. They should be using the general conditions
- Check if your service provider has enabled anti-porting measures
For more information on smishing, phishing and how to protect your business, contact our cyber security experts today.