This is a guest blog post from our partner KONTXT, part of RealNetworks, which provides spam protection for text/SMS/MMS messages.
Just as consumers use a variety of methods to communicate with their friends, family and business colleagues — phone, email, text, messaging apps, etc. — fraudsters, too, use a variety of methods to find their next victims.
This blog post highlights two of the emerging threats that reach victims through text based messages: micro messaging scams and fraudulent messages sent using RCS technology.
Micro messaging scams
For decades, messaging platforms at all levels have played a cat and mouse game with fraudsters attempting to impersonate someone else. As these messaging platforms and their spam protection systems become more sophisticated in detecting and blocking large scale scams, fraudsters have adapted to the new ecosystem and are using new targeting techniques to focus on specific individuals in smaller volumes.
The attacks can take the form of spear phishing, where individuals are targeted for their roles within an organization to gain access to corporate information, or for highly targeted campaigns against a small number of individuals.
These targeted campaigns against a limited number of individuals are meticulously designed to evade detection — often leveraging third-party messaging apps known for their robust anonymity features — and tend to take on a more conversational appearance and appeal to emotions.
During Q4 of 2023, KONTXT observed a 175% jump in the number of unique phone numbers sending a spam message.
KONTXT shared a spotlight on micro messaging scams in the State of the Call 2024 report. Download your full copy of the report here.
This strategic shift allows fraudsters to circumvent traditional security protocols and deliver deceptive messages with a higher chance of success. Crafted with precision, these messages are personalized to deceive recipients into divulging sensitive information, clicking on malicious links, or gaining the trust of a user or their device — as is the case for iOS devices that will eventually “recognize” a number and shield it from future scrutiny.
The data science team at KONTXT has been exploring the inner workings of these attacks, building new AI models to detect and warn our customers of potential spear phishing or fraudulent activities whether it is detected in the network or on a device. By dissecting everything from what tools are being used to create and send messages, identifying common patterns within the messages and the calls-to-action, we aim to counter the sophisticated tactics employed by fraudsters and ensure we all stay one step ahead of evolving threats.
Fraudsters replacing SMS messages with RCS messages
In recent years, the landscape of digital communication has evolved rapidly, sparking unprecedented growth in A2P (application-to-person) messaging using long-supported channels such as SMS and MMS. SMS allows text-only messages up to 160 characters, while MMS messages can contain other content, such as pictures, videos, emojis or website links.
RCS, considered the successor to traditional SMS at the network level, introduces advanced functionalities such as high-resolution photo sharing, read receipts, group messaging, and interactive elements, such as those on WhatsApp Business. While RCS promises enhanced features and a richer experience for users, it also opens the door to a new avenue of concern: the potential for scammers to exploit this advanced messaging platform.
Examples of scam messages sent via RCS.
The allure for scammers lies in the advanced features RCS offers. For instance, the ability to send high-quality multimedia content and interactive elements could be exploited to deceive unsuspecting individuals. The ability to encrypt that message end to end will allow it to reach a user’s phone without spam filter protection, and the addition of read receipts lets the scammers know exactly who and when to call.
Carriers, message aggregators, and Google have established stringent verification processes for RCS-enabled business accounts and have implemented robust authentication mechanisms that can serve as initial steps toward safeguarding users. However, for scammers looking to target RCS users from existing phone numbers, the additional layers of encryption should help mask their efforts to spoof brands and spearphish their way into organizational infrastructure.
Protecting against harmful RCS messages
Educating consumers on how to identify and report suspicious RCS messages will be pivotal in empowering individuals to protect themselves from potential scams. Most consumers have no clue what RCS means and what features it allows for.
The power of “read receipt” is wonderful for friends and family, but unfortunately, letting the wrong person know you’ve read their fraudulent message could be an expensive endeavor. Likewise, the security of encrypted messages should be a right for everyone, but granting that right to scammers becomes a responsibility on carriers.
The hundreds of millions of messages blocked everyday by platforms, message aggregators and carriers worldwide will become the responsibility of companies like Apple and Google, who will need access to incoming messages to help combat spam that has reached the phone.
Apple has opened pieces of iOS to help better classify SMS messages from unknown sources into folders. With its recent announcement of RCS support in iOS 18, it remains to be seen whether Apple or Google is willing to share this new spam-prevention burden from the RCS channel with third-party providers or whether they attempt to become the message filters themselves.
As RCS becomes more prevalent in the messaging ecosystem, the imperative to fortify its defenses against malicious activities becomes paramount. This requires a concerted effort from all stakeholders to ensure the integrity and security of RCS-based communications, and we at RealNetworks and the KONTXT team are excited to be a part of that effort.