Australia’s New SMS Sender ID Legislation: What It Means for Fraud Prevention

In March of this year, the Telecommunications Amendment (SMS Sender ID) Act 2024 will come into effect in Australia. Following this, the Australian Communication and Media Authority (ACMA) will potentially need to establish a register aimed at blocking SMS impersonation scams where alphanumeric sender identifications (IDs) are used.

A sender’s ID is an alphanumeric identifier used by banks, government departments, and other large organizations rather than just a phone number appearing as the sender. Fraudsters use them for added authenticity when sending scam SMS messages because an ID of Telstra, for instance, will appear in-line with all legitimate messages previously received by Telstra. This gives the SMS an air of authenticity that will assist in the potential fraud.

ACMA must decide whether or not a register of IDs is required and if it is, whether registration of IDs would be voluntary or mandatory. Where an ID was registered by an entity, telecommunication providers responsible for sending SMS messages would block any ID messages that did not originate from a legitimate sender.

The Australian Government Office of Impact Analysis in determining the costs and benefits of this initiative refers only to investment scams. However, impersonation scams are also rife in bank fraud, principally for fraudsters to obtain One-time Passcodes (OTPs) required to authorize online transactions.

In the case of bank impersonation scams to obtain OTPs, it is difficult to see how much impact this initiative will have. The block, if initiated, will only refer to alphanumeric IDs, not numeric phone numbers, and then only to SMS messages, not phone calls. So, there is nothing to stop fraudsters from spoofing the phone number of a bank, for instance, on an SMS or phone call, which a victim could check against a website.

Whilst spoofed ID SMS messages can form part of an impersonation scam, they are not mandatory. The most important attributes of bank impersonation scams are urgency and a sense of panic as the victim’s money is in imminent danger of being stolen. So whilst ID blocking may assist in the reduction of investment scams, there is little likelihood of it being especially effective in reducing bank impersonation fraud.

Binding an OTP to its intended recipient, such that it is unusable by any other person, whether or not they come into possession of the OTP, is the only effective way of defeating bank impersonation scams designed to obtain OTPs. Using voice biometrics such as ValidSoft’s See-Say® solution and having the user speak the OTP into the browser rather than type it immediately makes the OTP unusable to anyone but the intended recipient. Binding an OTP to the user stops this form of bank impersonation fraud, blocking SMS IDs won’t.