SMS & Messaging Security
Severity: high · SMS spoofing · Smishing · SIM swap
SMS was designed for person-to-person messaging in a closed operator environment. It is now the de facto authentication channel for banking, identity verification, and account recovery across the internet — a role it was never designed for and cannot fulfill securely. The gap between this expectation and SMS's actual security model is exploited daily at massive scale. SIM swap fraud has become a multibillion-dollar criminal industry. OTP interception via SS7 is technically trivial for any entity with signalling network access. Smishing campaigns routinely impersonate banks, parcel couriers, and government agencies with near-perfect fidelity.
Threat vectors
SIM swap fraud
Severity: critical
An attacker convinces an operator's customer service or retail channel to transfer a victim's number to a SIM card under the attacker's control. Authentication is typically social — exploiting weak identity verification, insider access, or data from prior breaches. Once the number is ported, all SMS OTPs, call-forwarded authentication codes, and password reset links are delivered to the attacker. High-value targets (cryptocurrency holders, executives, politicians) are routinely targeted; documented SIM swaps have resulted in losses exceeding $100 million in individual incidents.
SS7-based SMS interception
Severity: critical
Using MAP SendRoutingInfoForSM queries over the SS7 network, an attacker obtains the subscriber's current MSRN and delivery MSC. By impersonating the home SMSC, they can receive the SMS before it reaches the victim. This attack is invisible to the target and requires no device access. It is the technical mechanism behind many targeted OTP thefts against banking customers.
Sender ID spoofing
Severity: high
A2P SMS (Application-to-Person) messages are delivered via aggregators that set the alphanumeric sender ID in the message header. Without sender ID registration and validation at the operator level, any string — including 'HSBC', 'Apple', 'HMRC' — can be spoofed. The resulting messages appear in the same conversation thread as legitimate messages from the impersonated sender on most devices.
Smishing and malware delivery
Severity: high
SMS phishing (smishing) combines sender ID spoofing with social engineering to deliver malicious links. Campaigns impersonating parcel couriers, tax authorities, and financial institutions drive victims to credential-harvesting sites or trigger drive-by malware installation. The high open rate of SMS (~98%) versus email makes smishing disproportionately effective as a delivery vector.
Silent SMS (Type 0) surveillance
Severity: medium
Type 0 SMS messages are processed by the handset without user notification and without being stored. They are used legitimately for network diagnostics but can be abused to trigger location updates, determine subscriber presence, and in some cases probe device characteristics. Sent over SS7, they leave minimal trace on the device and are invisible to the end user.
Impact
- 01 Mass account takeover via OTP bypass — SMS interception and SIM swap attacks have been used to compromise banking, cryptocurrency, email, and social media accounts at scale, with individual incidents causing losses in the millions.
- 02 Identity fraud enabled by number portability abuse — SIM swap attacks that succeed against identity verification systems allow attackers to impersonate victims across any service using SMS as a recovery channel.
- 03 Consumer harm from smishing — SMS-delivered phishing causes measurable financial and psychological harm, with elderly and less technically sophisticated users disproportionately affected.
- 04 Erosion of SMS as a trust channel — widespread spoofing and fraud are undermining consumer confidence in legitimate SMS communications from banks and public authorities.
Mitigations & solutions
Deploy SMS Home Routing
Route all inbound international SMS through the home SMSC before delivery to prevent foreign network elements from querying the subscriber's MSRN. This eliminates the SS7-based SMS interception vector for inbound messages and is the most impactful single control for this threat.
Implement an SMS Firewall
Deploy an A2P and P2P SMS firewall that enforces sender ID registration, blocks known grey routes, detects spoofed origination, and applies pattern-based filtering for smishing content. Integrate with industry threat intelligence feeds (e.g., GSMA Fraud and Security Group, MEF Anti-Fraud databases).
Strengthen SIM swap verification
Require step-up authentication (e.g., video identity verification, in-store presentation with photo ID, existing device confirmation) for SIM replacement requests. Implement time-locks on number transfers following recent account changes. Notify subscribers via email and app push before completing a SIM swap.
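One way to express these three controls as a single decision in the SIM replacement workflow. This is an added example, not code from the original page; the 72-hour lock, the method names and the SwapRequest fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy values: the page names the controls but not their parameters.
TIME_LOCK = timedelta(hours=72)
STEP_UP_METHODS = {"video_id", "in_store_photo_id", "existing_device_confirm"}
REQUIRED_NOTICES = {"email", "app_push"}

@dataclass
class SwapRequest:
    msisdn: str
    requested_at: datetime
    last_account_change: Optional[datetime]  # e.g. address or e-mail change
    verified_by: Set[str] = field(default_factory=set)
    notices_sent: Set[str] = field(default_factory=set)

def evaluate(req: SwapRequest) -> Tuple[str, List[str]]:
    """Return ("approve" | "hold" | "deny", reasons) for a SIM replacement."""
    # Knowledge-based answers alone never count as step-up authentication.
    if not (req.verified_by & STEP_UP_METHODS):
        return "deny", ["no step-up authentication completed"]
    reasons = []
    # Time-lock: hold the transfer if the account changed recently.
    if req.last_account_change is not None:
        unlock = req.last_account_change + TIME_LOCK
        if req.requested_at < unlock:
            reasons.append("time-lock active until " + unlock.isoformat())
    # Out-of-band notice on channels the new SIM cannot receive.
    missing = REQUIRED_NOTICES - req.notices_sent
    if missing:
        reasons.append("notify subscriber via: " + ", ".join(sorted(missing)))
    return ("hold", reasons) if reasons else ("approve", [])
```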
Register and validate A2P Sender IDs
Require all A2P senders to pre-register their alphanumeric sender IDs. Reject or flag messages from unregistered sender IDs. Participate in industry-wide sender ID registries and work with regulators to establish mandatory sender ID registration for high-risk categories (financial, government).
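A sketch of the registry check an SMS firewall could apply to each A2P submission, covering both the registration rule here and the spoofed-origination check in the firewall section above. This is an added example, not code from the original page; the registry contents, aggregator account names and the look-alike table are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass

# Constructed registry: sender ID -> aggregator accounts allowed to use it.
REGISTRY = {
    "HSBC": {"agg-001"},
    "HMRC": {"agg-002", "agg-007"},
}

# Characters often swapped in to imitate a registered name (illustrative set).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e", "|": "l"})

def skeleton(sender_id: str) -> str:
    """Fold case, compatibility forms, separators and look-alike characters."""
    text = unicodedata.normalize("NFKC", sender_id).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch == "|")
    return text.translate(LOOKALIKES)

REGISTERED_SKELETONS = {skeleton(name): name for name in REGISTRY}

@dataclass(frozen=True)
class Verdict:
    action: str  # "allow", "flag" or "reject"
    reason: str

def check_sender(sender_id: str, aggregator: str) -> Verdict:
    # Exact registered ID: only its registered aggregators may originate it.
    if sender_id in REGISTRY:
        if aggregator in REGISTRY[sender_id]:
            return Verdict("allow", "registered sender on authorised route")
        return Verdict("reject", "registered sender ID from unauthorised aggregator")
    # Near-miss of a registered ID (case, spacing, digit substitution).
    imitated = REGISTERED_SKELETONS.get(skeleton(sender_id))
    if imitated is not None:
        return Verdict("reject", "look-alike of registered sender ID " + imitated)
    # Numeric originators are outside the alphanumeric registry.
    if sender_id.lstrip("+").isdigit():
        return Verdict("allow", "numeric originator, outside alphanumeric registry")
    return Verdict("flag", "unregistered alphanumeric sender ID")
```

Matching on the folded skeleton rather than the raw string is what catches a variant such as a digit substituted for a letter; an exact-match registry alone would treat it as merely unregistered.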
Advocate for and implement OTP alternatives
Engage enterprise and banking customers to migrate away from SMS OTP toward app-based TOTP, push authentication, or FIDO2/passkeys. Where SMS OTP must be retained, implement silent network authentication (SNA) — a carrier-level API that validates mobile number possession without sending an interceptable code.