Scammers exploited a poorly protected SMS service to impersonate legitimate businesses and send 108 SMS scam messages in one month, the Australian Communications and Media Authority (ACMA) revealed in directing Sydney-based Burst SMS to observe industry rules.

Although Burst SMS operator Known Pty Ltd had followed regulations requiring SMS service providers to validate the identity of their customers, a loophole in its authentication processes allowed individuals to sign up for its services, then send up to 10 SMS messages per day using free trial credits without having to be verified.

An ACMA audit of the company’s service logs found that on 15 separate days last October, Known allowed scammers to abuse its services to send messages labelled with the names of financial institutions, telecommunications companies, courier companies, ride share, and ticketing companies.

Given that the service was operating in a similar way between 12 July 2022 and 15 November 2022, ACMA noted, “it is reasonably likely that additional contraventions occurred” during that time.

The company’s failure to properly authenticate its users contravenes the ACMA-enforced Industry Code C661:2022, called Reducing Scam Calls and Scam SMS, which industry body Communications Alliance says “provides clear requirements for telcos to work individually and collaboratively to combat scam calls and scam SMS, and protect customers from the associated harms.”

Among its guidelines is a requirement that licensed telecommunications carriage service providers (CSPs) only allow the use of alphanumeric Sender IDs where they have “been presented with evidence of a valid use case” – evidence that Burst did not acquire from the trial users in question.
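The gap the article describes (trial accounts sending under brand-style Sender IDs before any identity check) and the Code's control (alphanumeric Sender IDs only with evidence of a valid use case) can be expressed as a send-time policy plus a log audit. The following is an added example, not code from the article, ACMA or Burst SMS; the log format, account names and the Sender IDs ExampleBank and ParcelCo are constructed placeholders.

```python
import re
from collections import defaultdict, namedtuple

SendEvent = namedtuple("SendEvent", "day account verified sender_id")

# Hypothetical log format constructed for this example (not Burst SMS's real format):
#   <date> account=<id> verified=<yes|no> sender_id=<id> dest=<number>
LOG_RE = re.compile(r"^(\S+) account=(\S+) verified=(yes|no) sender_id=(\S+) ")

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    day, account, verified, sender_id = m.groups()
    return SendEvent(day, account, verified == "yes", sender_id)

def is_alphanumeric_sender_id(sender_id: str) -> bool:
    # Anything that is not a plain phone number (61455550001, +61455550001) is
    # treated as a brand-style alphanumeric Sender ID.
    return re.fullmatch(r"\+?\d+", sender_id) is None

def gateway_allows(event: SendEvent, require_verified_for_alpha: bool) -> bool:
    """Send-time policy. Weak setting (False): any account, trial or not, may send
    under any Sender ID, which is the gap the free trial opened. Corrected setting
    (True): alphanumeric Sender IDs need a verified identity; numeric ones do not."""
    if not require_verified_for_alpha:
        return True
    return event.verified or not is_alphanumeric_sender_id(event.sender_id)

def audit(lines) -> dict:
    """Map each day to the alphanumeric Sender IDs unverified accounts used on it,
    the per-day finding an audit of service logs would surface."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev.verified and is_alphanumeric_sender_id(ev.sender_id):
            findings[ev.day].add(ev.sender_id)
    return dict(findings)

# Constructed sample log; ExampleBank and ParcelCo are placeholder brand-style IDs.
SAMPLE_LOG = """\
2022-10-03 account=trial-0412 verified=no sender_id=ExampleBank dest=+61400000001
2022-10-03 account=trial-0412 verified=no sender_id=ExampleBank dest=+61400000002
2022-10-03 account=cust-77 verified=yes sender_id=ExampleBank dest=+61400000003
2022-10-04 account=trial-0413 verified=no sender_id=61455550001 dest=+61400000004
2022-10-09 account=trial-0419 verified=no sender_id=ParcelCo dest=+61400000005
""".splitlines()
```

Running `audit(SAMPLE_LOG)` returns two days with findings, while the verified customer's ExampleBank sends and the unverified numeric-ID send are not flagged.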

Telecommunications companies following the Code’s guidelines blocked over 549 million scam calls in its first 16 months of operation – and the exploitation of Known’s failure to maintain proper authentication processes, ACMA chair Nerida O’Loughlin said, confirms just how ready scammers are to exploit any weakness in the system.

“Scammers will take advantage of any small crack in the system,” she said in announcing the flagging of Burst SMS’s non-compliance, “and on this occasion they took the opportunity opened up by Burst’s free trial offer.”

“Every text that contains a link should be treated with caution until you are sure it is legitimate. If there is any doubt, then the best course of action is to report and delete the message.”

Bolstering anti-scam defences

Having been officially directed to comply with the anti-scam code, Burst SMS – which educates customers about the anti-scam code and previously went on the record saying the new rules should make Australia “a much harder target for scammers looking to exploit people for their own gain” – joins the growing list of CSPs pinged for non-compliance this year.

In February, SMS sending company Modica became the first company flagged for non-compliance with the code while in May, ACMA called out Infobip Information Technology, Sinch Australia, and Phone Card Selector for allowing SMS messages to be sent using their services without verifying the identity of the senders.

This led to the sending of more than 117,000 scam messages with SMS Sender IDs that made the messages look like they were coming from Medicare, Australia Post, and road toll operators.

“While there is no suggestion the telcos were involved in scam activity themselves, scammers have used their failures to prey on Australians,” O’Loughlin said at the time. “This wouldn’t have happened if the companies had adequate processes in place and complied with the rules.”

Directing CSPs to comply with the Code is the strongest remedy available to ACMA, and failing to comply exposes CSPs to fines of up to $250,000 if the agency ultimately takes its grievance to the Federal Court of Australia.

This year’s anti-scam crackdown – one of ACMA’s key compliance priorities for the year – has been reinforced by an international anti-scam partnership and a series of significant penalties against Australian companies for breaching anti-spam regulations.

Companies including the Commonwealth Bank of Australia, Doordash, Binance Australia, Kogan, mycar Tyre & Auto, and BetDeluxe have all recently received significant penalties for spamming customers.

SMS scams have become common in Australia as elsewhere, with impersonation tactics helping trick victims into clicking on links in messages purporting to be from trusted service providers or other individuals.

Australians have already lost $17.7 million to more than 68,000 reported SMS scams this year alone, according to ACCC Scamwatch, which also found that total losses to scams soared to $3.1 billion last year.