The text message said “Use this Passcode to complete your online purchase with [a retailer]. Didn’t request this transaction? Call …” and then the number. Ha ha, you can’t catch me out like that.
I reported it to the DIA spam hotline and shared a screen shot on everyone’s favourite social media channel as a warning to others. But then something odd happened.
It turns out it was a real text message from a real company and the phone number was legitimate.
So, I called and we sorted out the problem but it got me thinking about the way companies communicate with customers and the way we’ve all been trained to do exactly what we shouldn’t do: click on links in emails, call numbers provide via text message and all the rest of it.
The marketing team’s toolset for the past few years is now a major part of the scam problem, and that’s going to need to be addressed.
Emails and text messages are great if you’re in a high-trust world where you can take every piece of communication at face value, but clearly in 2023 that’s not the case. Fraud and scams are at an all-time high, according to Cert NZ and unfortunately, the customers most badly affected by these attempts seem to be the less digitally-savvy folk who will respond to a text saying they should click on a link or call a strange phone number.
Text messages and email are a preferred medium and customers are comfortable with. How many email alerts did you get over the Christmas shopping season from companies offering discounts and sale items, all with links to websites and online shopping portals? If you’re like me you received dozens (providing me with a great opportunity to unsubscribe to many such endeavours), but you only need to get one look-alike email from a scammer to be caught in your worst financial nightmare.
Thankfully apps provide a good alternative and some businesses are looking more and more to them for safety and security reasons. Banks have moved quickly to providing service via apps, but so too have others, such as electricity companies and even telcos. You can be assured any communication you receive via that app is trusted and safe because only the providers have access to the system that sends it. Typically, you can pay your bill or manage your account, but equally we should start to see them used as a secure comms channel from the provider for things like fraudulent use alerts and direct marketing activity.
Let’s say your bank wants to ask if you’ve recently been in Uzbekistan buying expensive sneakers (as mine did once). Instead of a text from a random number, this kind of communication should come through the app. There’s no way for the fraudsters to duplicate it so I’m comfortable that this is an actual question from my actual bank.
Currently many companies use text messages for two-factor authentication (2FA), which is a great way to prove you are who you say you are. Not only do you know the username and password to the service but you also have that person’s phone and can enter a secret code the bank or service provider sends to you.
While someone might have access to your username and password without you being aware, it’s highly unlikely they’ll also have access to your mobile device, making them an ideal way to provide authentication.
But text messages were never designed with this kind of security element in mind. Sure, they’re encrypted but many of us have our phones set so urgent messages pop up on the home screen, which means anyone can see them. That’s great for convenience but not so good for security.
Enter the Authenticator – an app from a third-party provider (mine is from Google but there are others) that provides a rolling screen of authentication codes linked to various accounts. These codes are synchronised with each provider I’ve signed up to, so instead of waiting for a text message I just log on to the app and get them from there. No messages to intercept, no home screen issues, no loss of convenience but much higher levels of secrecy.
Marketing departments are going to have to make the leap from the exciting world of email and text message spam to a more secure environment to protect their customers. It’s not impossible but it will need a lot of retraining for marketing teams and customers alike. But when you compare that with our current system that allows fake emails, text message scams and increasing fraud, it’s something that we need to do sooner rather than later.
Paul is the Chief Executive of the Telecommunications Forum.