Why US Banks and Their Customers Are Exposed to SMS Fraud

Overview

SMS phishing — often called smishing — has overtaken email as the primary delivery method for phishing attacks in the United States. Despite countless warnings and increased public awareness, major mobile operators still rely on outdated security measures like spam filters and basic firewalls. These fail to authenticate or verify URLs in real time, leaving banks and customers vulnerable to large-scale fraud.

Recent scams targeting FasTrak toll payments in California have highlighted the severity of the problem. The FBI’s Internet Crime Complaint Center received over 2,000 reports linked to these toll scams in just six weeks. This kind of exploit leads to credential theft, unauthorized transactions, and potential account takeovers that specifically undermine consumer trust in financial institutions.

Why This Matters to US Banks

• Phishing Is the Front Door: Over 90% of cyberattacks, including business email compromises, ransomware, and data breaches, begin with phishing. As SMS outpaces email, it’s now the single biggest vulnerability.
• Huge Regulatory and Financial Risk: A breach involving compromised banking details can result in FDIC investigations, lawsuits, and significant fines. The damage to customer relationships and brand reputation can be immeasurable.
• Customers Trust Their Bank First: When a customer loses money to an SMS scam, they hold the bank responsible, even if the message came from a criminal impersonating the bank. This erodes loyalty and may prompt clients to switch providers.

Key Findings from MetaCert’s Testing

• 100% Delivery Rate for Malicious Links: In tests across major US operators, every phishing SMS reached its intended recipient.
• Zero Blocking: No URLs—despite being verified malicious—were flagged or intercepted.
• Failure of Reactive Measures: Re-sending identical phishing messages yielded the same result, proving that SMS filters don’t adapt quickly.

Why Mobile Apps Alone Can’t Keep Customers Safe

• Not All Customers Use Apps: Many still rely on SMS for verification codes, transaction alerts, and other banking communications.
• Attackers Exploit Familiarity: A criminal posing as a bank can easily craft messages that mirror typical SMS banking alerts.
• Inbound Messages Remain Vulnerable: Even if an app is secure, a text message with a dangerous link can still lead to compromised accounts when unwitting customers follow instructions.

How Zero Trust SMS Protects Banks

1. Every Link Is Dangerous Until Verified: This system doesn’t depend on recognizing “known threats” but rather denies or flags every URL until it’s confirmed safe.
2. Real-Time Authentication: Links in SMS are checked against continuously updated intelligence before they ever reach the user’s phone.
3. Blocks Unknown Threats: Attackers constantly create new domains, so real-time checks are the only way to detect malicious links that haven’t yet appeared in blacklists.

Call to Action for US Banks

• Lobby US Carriers: Urge Verizon, AT&T, T-Mobile, Boost Mobile and others to adopt a Zero Trust model for SMS.
• Advocate Regulatory Standards: Encourage the FCC and other relevant bodies to set rules enforcing stronger SMS security.
• Educate Customers: Sadly this has proven to be ineffective so there isn’t much you can do or say that will keep people safe.

Please feel free to share our insightful report with your telecom contacts, which can be found here: https://www.dhirubhai.net/pulse/failure-us-mobile-carriers-protect-consumers-from-sms-paul-walsh-pe4tc/

By addressing SMS as the single choke point — where criminals get their foothold — banks can dramatically cut down fraud and identity theft. Zero Trust SMS represents the first meaningful upgrade to SMS security in over 20 years and can save financial institutions from reputational damage, losses, and costly litigation.