Can you guess which one of these is fake?
Of course not, they’re identical.
How about these?
If you paid close enough attention to the second message, you may have noticed the difference in URL hostname.
By the way,
fedex.delivery is available for purchase:
But… if one is real and one was spoofed, why are both messages in the same conversation? Don’t they have different senders?
Truth is, for all your phone knows, they were sent by the same sender.
How is this possible?
SMS has a field called sender ID, which is set by the sender, requires no identity verification, and can be any arbitrary short string.
This allows anyone to send messages to any number, identifying themselves as whoever they want to impersonate.
And since there’s no sender phone number in the message, your phone can’t tell real and fake messages apart.
And so it groups them into the same conversation. Ugh.
And how do we fix it?
Sender ID should be a function of the sender phone number.
Assuming the integrity of the sender’s carrier, this would protect recipients from malicious senders. Some countries do this.
Phones should warn users of non-verified sender IDs.
If browsers show “not secure” warnings on non-HTTPS sites, messaging apps should do the same for non-verified messages.
Companies should stop sending URLs over SMS.
If your company sends links over SMS, expect your users to trust any further links they receive, including spoofed ones.
Vote the first one into policy, add number two to your backlog if you work on iOS or Android, and stop doing number three if you are.