Assuming a false identity for malicious acts, such as collecting someone else's personal information, is not new by any means. As technology changes, new techniques continuously emerge that make such attacks both viable and more potent. One of them is SMS spoofing, which abuses one of the most popular communication channels.
Texting has a certain casualness and clarity, which makes it a convenient channel to communicate over. However, those same qualities also create vulnerabilities, which are exploited by way of spoofed SMS.
SMS spoofing is a technique in which people replace or alter the originating mobile number (Sender ID) of a text message with alphanumeric text of their choice. Put simply, the Sender ID of an SMS message is reset to change who the sender appears to be.
Spoofing an SMS message changes vital information such as the sender name, the phone number, or both at once. If you want to learn more about the technical side of how spoofing is carried out, here are a couple of good resources for further reading.
In terms of legality, there is a huge grey area around whether or not this practice is legal. While SMS spoofing sounds malicious in concept, there are many legitimate reasons why text messages can be spoofed. Consequently, the legality of spoofing varies globally.
For example, a company changing its Sender ID from a random phone number to its company name would be a legitimate use of SMS spoofing. This is done so that customers know the identity of the sender. Similarly, spoofing can be used for corporate branding messages and for hiding the originating phone number (which may otherwise be an internal or private number) by replacing it with another, relevant number that people can respond to. This is especially the case for companies conducting SMS marketing, where they need to use their company name instead of a phone number.
Nevertheless, spoofing can also be used to attack unsuspecting people by sending SMS messages to targets under the assumed identity of others (companies or phone numbers). Spoofing is the ideal tool to conduct fraudulent activities as it masks the identity of the original sender, and instead replaces it with an identity the person is trying to imitate. As a result, a lot of scammers try to phish for personal and confidential information (e.g. bank account or credit card details) using SMS spoofing.
While you may think these two uses of spoofing make for a clear-cut situation, what actually creates the grey area is the use of spoofing services for anonymity. Some people may simply want to prank their friends, while others may want to blow the whistle without risking having their identity exposed. The reasons for spoofing are not black and white, and they do not have to be malicious.
In any case, all of this makes it hard for authorities to detect and deal with spoofing. However, one thing is clear—SMS spoofing used under false pretenses is illegal in most countries and can get you in a lot of trouble with authorities.
There is no clear legislation about SMS spoofing in the majority of countries. Some countries have proposed banning spoofing altogether, while others have neglected the issue. Australia is the one notable example of a country that has completely prohibited the practice of spoofing.
In countries where spoofing is not regulated by national authorities, carriers have taken the matter into their own hands by banning the anonymous uses of spoofing.
No one can be 100% safe from spoofing. Whether scammers are using your number for spoofing or are attacking you, you should always report it to your carrier and to law enforcement, who can then track where the SMS messages came from. This way you can prevent SMS spoofing in the future. You can also download SMS blockers to make sure that you do not receive SMS from the scammer a second time.
SMS spoofing can be done online. There are many apps on the web that offer this service. Some are free, while others are paid services. Spoofing web applications are by design easier to use than command-line programs on operating systems like Linux. This makes them more accessible to the masses, resulting in a lot of traffic every day.
We advise against this practice and against crossing any lines that might get you into legal trouble. Additionally, be careful if you receive a message with a spoofed Sender ID.