UK steps up efforts to tackle smishing

No, that’s not a typo. Smishing refers to phishing over SMS, which is apparently on the increase as SMS fraudsters seek to exploit COVID-19 text alerts.

A bunch of UK organizations, including the Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance, are trialling a new system designed to protect people from this opportunistic foulness. The trial, which is supported by the NCSC, uses the SMS SenderID Protection Registry, which allows organisations to register and protect the message headers used when sending text messages to their customers.

“The SMS SenderID Protection Registry is a tactical solution to mitigate smishing and spoofing, backed by MEF’s A2P SMS Code of Conduct,” said MEF’s COO, Joanne Lacey. “Through the Registry, the industry has been able to support the UK Government’s campaign and demonstrate the vital role of messaging not least in times of emergency and crisis.”

“Mobile companies work hard to protect their customers from fraud and the contribution from the industry to the Registry will help reduce the number of scam texts pretending to be from trusted brands,” said Mobile UK’s Head of Policy & Communications, Gareth Elliott. “This gives much-needed protection against fraud, including for the most vulnerable customers.”

“This trial builds on the success of an HMRC pilot, conducted with telecoms providers, which resulted in a 90% reduction in reports of the most convincing HMRC-branded SMS scams,” said Mike Fell, Head of Cyber Operations HM Revenue and Customs. “We are happy to collaborate with MEF and partners to take forward our work to safeguard the UK public from such SMS-related scams.”

“We are pleased to be supporting this experiment which is yielding promising results,” said Dr Ian Levy, Technical Director at the NCSC. “The UK Government’s recent mass-text campaign on Covid-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kinds of scams.”

50 bank and Government brands, including 14 banks and Government agencies including HMRC and DVLA, are currently participating in the trial with 172 SenderIDs registered so far. Over 400 unauthorised variants are being blocked on an ever-growing blacklist, including 70 senderIDs relating to the Government’s Coronavirus campaign. The UK’s four MNO’s are also supporting the scheme.

How the ad fraudsters hid 2019 biggest mobile phone attacks periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Geoffrey Cleaves, Head of Secure-D at Upstream, looks at the apps responsible for the most Android-based fraud last year.

Globally, there are some 2.5 billion Android phones. They represent an opportunity for criminals and a clear and present danger to operators, advertisers, and consumers.

Android phones are vulnerable to invisible attacks from fraudsters that are totally screened from view. These attacks are happening in the background of a host of popular apps that hundreds of millions of people have already downloaded.

In the background, these rogue apps are constantly making fake clicks on adverts, or secretly signing their users up to subscription services. The advertisers are paying the App providers for these fake clicks, consumers are being falsely registered for premium services and their data bundle used by activity they have no control over or are even aware it is taking place.

For 30 operators, our platform monitors transactions for anomalies or suspicious transactions.  In 2019, we processed more than 1.71 billion mobile app transactions on those networks and blocked 1.6 billion – more than 90 per cent – that were identified as fake or fraudulent.  We also found 43 million Android handsets affected with malware.

Based on our data, here are the apps that 2019’s biggest attacks hid behind:


Some 128 million suspicious or fraudulent transactions were generated in 15 different countries by this app in 2019. First exposed in May, a hidden component of the app delivers fake ads and attempts to generate clicks and even purchases. This app is now only available from some third-party Android stores and not from Google’s own store. Nevertheless, this video downloading app is still available, still active, and has racked up some 500 million downloads worldwide making it the fraudster’s best friend.


Running Vidmate a close second was the file-sharing app 4Shared.  Despite the apparent credibility of being available via the Google Play store, receiving high ratings and positive reviews from IT websites and even the Microsoft store, this app generated 114 million suspicious transactions in 17 countries.  As well as sharing files as requested by its users, 4Shared was also found to be sharing its users’ personal details in the background. After reporting the activity, Google removed the App from its Play store, but a new version reappeared the very next day and 4Shared remains a live threat.


Compared to the top two, only a relatively small number of devices were infected by Snaptube – just 4.4 million. Nevertheless, in just six months it was responsible for more than 70 million fraudulent transactions from those devices. The transactions were taking place behind the screen of this video downloading app popular in Egypt, Brazil, Sri Lanka, South Africa and Malaysia.  Left undetected, ad-fraudsters would have reaped $91 million from this activity first exposed in October last year. Now only available in third party app stores, Snaptube is still active and every day is making new attempts to defraud advertisers and misuse user data.

Weather Forecast

In 2019, some 27 million transactions were blocked on ‘Weather Forecast: World Weather Accurate Radar’. This forecasting app is still available on Google’s Play Store and is even pre-installed on some Alcatel Android phones. It commits advertising click fraud in the background while delivering its weather forecasts and maps in the foreground. This activity was first reported in January last year but the App is still being downloaded from Google Play and has now been installed on some ten million handsets.


Being on the Google Play platform gives these rogue Apps a cloak of credibility. Customizable keyboard app Ai.Type hid behind the cloak to initiate some 14 million fraudulent transactions that unless blocked would have resulted in a $18 million haul for the fraudsters.  For apps with hidden ad malware getting on, and remaining on, the Google Play Store is a major ambition.  Ai.Type was responsible for one of the biggest spikes of fraudulent activity in 2019 and was removed by Google from its Play Store in June. Nevertheless, it is still available from some third-party stores.

There’s a lot more…

The open nature of the Android ecosystem has been a strength to help the OS become a dominant force in the handset market.  But its open nature is also responsible for its security weakness.  The Apps above are behind some of the biggest attacks of 2019, but the number of malicious apps found to be hiding fraudulent activity from view is getting longer every day.  We publish the Secure-D Index that tracks all the apps we find to be behaving badly. If any of them are living on your phone – delete them now.


Geoffrey Cleaves is Head of Secure-D at Upstream. Secure-D provides real time fraud detection to mobile operators and digital marketers. Having used computers to analyse data since the age of 13, Geoffrey has held tech management roles in Chile, Argentina, Spain and the United States. Prior to joining Secure-D, Geoff was Managing Director at Opticks, a fraud detection venture he helped launch in 2017. Geoff was also Compliance Director at Billy Mobile analysing some 1Bn impressions daily.


Mobileum grows assurance profile with WeDo acquisition

Mobileum has announced it will acquire risk and business management solutions provider WeDo Technologies, bringing together two of the bigger names in this niche segment.

Following the purchase of Evolved Intelligence in October 2018, Mobileum is seemingly on the move to dominant the market. The acquisition of WeDo adds additional weight to its analytics armoury, aiding telcos to detect and prevent fraud on their networks, as well as increasing the physical presence of the firm around the world.

“We are excited to partner with WeDo and support them in the next phase of their growth,” said Bobby Srinivasan, CEO of Mobileum. “As we continue to grow Mobileum, organically and inorganically, the addition of WeDo’s strong product engineering, customer footprint, consulting and services teams to our existing talented workforce around the world will allow us to expand the depth and breadth of our offerings.”

“The combined business offers our customers a richer and more diverse portfolio of solutions in the domains of Revenue Assurance, Fraud Management, Network Security, Roaming and Interconnect. As the mobile industry continues to evolve, this transaction will allow us to continue to invest in the future architecture, assuring the success of our customers along a journey of continuous transformation.”

The newly combined business will have 1,100 employees in 30 offices, serving 700 customers in 180 different countries. The existing WeDo platform and architecture will be maintained, though it will also be integrated with the Mobileum Active Intelligence platform.

Pinning down how big the revenue assurance and risk management software market actually is, however, is not the easiest of tasks.

The Communications Fraud Control Association suggests fraud costs the telecoms industry more than $38 billion a year, with roaming fraud accounting for $10.8 billion of that figure. Estimates from Credence Research suggests the global revenue assurance software market was worth $2.5 billion in 2017, with growth projected at 11% CAGR through to 2026. This sounds promising, however Heavy Reading Analyst James Crawshaw has some doubts.

If we are to assume WeDo is the leading player in the revenue assurance software market, it will have a notable market share. Looking at WeDo’s financials, the team increased orders to more than €60 million for 2018. The numbers aren’t quite adding up here.

Either this is an incredibly fragmented market with thousands of suppliers making up the $2.5 billion, WeDo is not a leading name in the revenue assurance software market or the market is worth considerably less than $2.5 billion.

It is not necessarily the end of the world if the addressable market is smaller than analysts are currently estimating, as long as there is growth potential. There is of course opportunity to grow, though as Crawshaw points out, WeDo’s orders have not really increased significantly over the last few years, suggesting this is somewhat of a stagnant market.

Court rules companies can be sued for collecting biometric data without consent

A reminder of how quickly the technology world evolves; it’s not only regulations which need to catch-up, but business practices too, as a Supreme Court opens the door for privacy lawsuits.

In an interesting case, the Supreme Court of Illinois has set precedent for its Biometric Information Privacy Act (BIPA). Companies who have not appropriately obtained consent from individuals before storing biometric data can now be sued under the BIPA without said individual being damaged, fraud for example, by the scenario. The ruling makes BIPA a dangerous piece of paper, as effective use of the Freedom of Information Act could put a few in precarious positions.

This case, Rosenbach versus Six Flags, has pinned a 14-year-old against the amusement park for collection and storage of thumbprint data without informed consent. The BIPA prohibits companies from gathering, using, or sharing biometric information without informed opt-in consent, though the issue which the Supreme Court has been considering is whether there are grounds for a lawsuit without damage being inflicted to the user.

“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act,” stated Chief Justice Lloyd Karmeier in his decision.

But why is this a dangerous decision for businesses locating or operating in Illinois? Because business practises are not keeping up with the tsunami of data which emerging, and many companies do not have fully visibility into the data which they hold.

One of the problems we saw in the build up to General Data Protection Regulation (GDPR) in Europe was an understanding of what data companies actually had their hands on. With the 21st century’s version of a land-grab seeing companies scrap for as much information as possible through the last decade, few companies actually managed to effectively store and categorize.

Before any company can consider calling themselves complaint (under GDPR, BIPA or any new data-orientated regulations) a full data audit would have to be completed; this discovery process was a critical step in the process. In conversations over coffee, a few consultants told us this was a significant issue for UK companies. During the audit, some were finding they were holding onto sensitive data, which they had no idea existed, and were in violation of data privacy and protection regulations.

BIPA is a no-where near as wide-ranging as some data protection and privacy regulations, though we suspect there will certainly be numerous companies who are now non-compliant under this new ruling and precedent. This is the issue with technology; it’s moving so much faster than the red-tape bureaucrats. Technology is implemented before regulations governing the usage, or business practises to ensure compliance, can be deployed. It creates a dangerous position where companies could be non-compliant without even realising.

In Illinois, as there no-longer needs to be proof of damages to individuals anymore, effectively placed Freedom of Information Acts could see similar cases brought in-front of the courts. In the rush to remain relevant through embracing technology, few have considered the boring aspect of regulation. Who would, considering how long it takes the courts to catch-up? But this is a case where being cutting-edge technology is a two-edged sword.

Huawei CFO charged with hiding connection to Skycom, which worked with Iran

The bail hearing for Huawei CFO Meng Wanzhou has revealed she is charged with concealing ties between her company and another that violated US trade sanctions.

Meng was arrested last week in Canada and had her bail hearing at the end of the week. In it, according to multiple reports, she committed fraud when she told US banks in 2013 that Huawei had no connection to Hong Kong firm Skycom, which was apparently doing business with Iranian telecoms companies. The suggestion is that Skycom was used to disguise Huawei’s own violations of US trade sanctions, which is what caused ZTE so much grief earlier this year.

“Ms. Meng personally represented to those banks that Skycom and Huawei were separate when in fact they were not separate,” said Crown Counsel John Gibb-Carsley. “Skycom was Huawei.” Evidence for this is reportedly contained in a PowerPoint presentation from that time and it looks like this manoeuvre may be what was referred to in ZTE’s F7 memo.

In a bid to get bail Meng’s lawyers that she’s not a flight risk because she wouldn’t want to embarrass her father, the founder of Huawei, as well as the company itself and the whole country. She also apparently has a couple of houses in Vancouver, which she could stay in. Counter-arguments have focused on how much cash she has, meaning she could afford to leg it.

The original scoop on Skycom seems to have come from Reuters, which reported back in January 2013: ‘Huawei CFO linked to firm that offered HP gear to Iran’. The reason this case has escalated to an arrest isn’t the business Huawei may or may not have done with Iranian companies, but the allegations of deliberately misleading US banks – hence committing fraud.

How can the telecoms industry block the account takeover threat? periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Roberto Valerio, CEO of anti-fraud specialist, Risk Ident, explores the challenge of identity theft in the telecommunications sector, and explains how companies can cut off the fraudsters before they do damage.

Identity theft used to be something that only worried banks, insurers and financial institutions. Over the past several years, however, the threat has expanded to other critical industries, including the mobile telecommunications space.

So widespread is the issue of identity theft that it is now reaching epidemic levels. In 2016, for example, 1.4 billion data records were exposed in nearly 1,800 security breaches worldwide. In September 2017, the network security system of U.S. credit bureau Equifax was breached, compromising the personal data of 143 million consumers.

The UK company TalkTalk was hit with a record £400,000 fine in October 2016 for the cyber attack in 2015 that placed the personal details of more than 150,000 customers in the hands of criminals.

The issue with these data breaches is what criminals do with the information afterwards. Once identity data has been stolen, fraudsters create new accounts online – or worse – use the personal information to hijack existing accounts. They can masquerade as a legitimate user and hide behind their good history to make fraudulent purchases – this “account takeover” threat is rising fast.

Mobile telecoms is at particular risk

The mobile telecoms industry is especially vulnerable to the threat of identity theft. The mobile phone contract model that is prevalent across the whole of Europe – where customers receive a high-value phone handset up-front and pay for it monthly – is very attractive for fraudsters, precisely because it offers so many avenues for crime to occur.

Such mobile phone fraud is growing fast. Cifas reported a 60% uplift in such mobile telecoms identity fraud from 2016-2017. Failure by firms to respond now could cause untold misery for customers, as they battle to recoup losses and protect their hard-earned cash. For the companies themselves, inaction could lead to financial penalties, such as fines, and a significant negative impact on their brand reputation.

So, what can mobile telecoms companies do to protect themselves and their customers?

Understanding fraud

There are a number of ways criminals are using stolen identities to carry out contract fraud.

A common and straightforward one sees fraudsters use a victim’s account details to sign up to a mobile contract – complete with expensive phone – then quickly sell the handset on, leaving the genuine account holder to deal with the contract repayments and other fall-out.

Contract extensions are also carefully targeted by criminals.

Many telecom providers aim to reduce friction with customers by avoiding the complex re-sign process – which inadvertently presents an attractive target to nimble fraudsters. It is not uncommon for criminals to use stolen data to hijack contract renewals by changing victims’ details to ensure the new handsets arrive at an address they can access.

These attacks are easy to carry out and can be highly lucrative – it’s no wonder that they are so attractive and tempting to criminals. With this in mind, it is vital that businesses do all they can to safeguard their customers’ data.

So, what can be done?

Quite simply, telecoms firms need to find ways of not just tightening security around their data storage, but of trying to close the gaps presented by the mobile phone contract process by predicting where customers may be most vulnerable to fraud.

Tackling the problem over the past five years, we’ve found that slightly more than 19 percent of confirmed fraud cases are identified as account takeovers.

At the same time, we identified several characteristics that can help any telecoms firm spot a case of account takeover, including:

  • Recent account changes: In nearly every instance RISK IDENT determined ATO to have occurred, either the password, email address or physical address had been changed in the previous 10 days.
  • Big spend: In cases of account takeover, the average order value is four times higher than typical orders – crucial for fraudsters to justify the effort. Fraudulent contract requests may involve a phone handset with a significantly higher RRP than the customer’s previous phone.
  • Customer’s age: The older an account holder is, the more likely they are to be the victim of an account takeover. Older users may have less technical expertise that could leave them vulnerable to data theft.

With these in mind, telecoms firms should take these factors into account when evaluating whether or not they have a problem with ATO, so they can take steps to act to protect their customers, before any fraud is actually committed.

Other business’ leaks will cause you headaches

Successfully protecting customer information means doing more than simply shoring up your own business’ computer systems and taking steps to predict the likelihood of account takeover fraud among your customer base. Other businesses and partners also present weak spots in a telecoms firm’s defences that fraudsters can exploit.

Take the 2017 Equifax breach, for example. More than 140 million credit records were leaked and telecoms businesses were among the victims hardest hit. Many ultimately paid for the security failings of Equifax, suffering a rash of mobile phone contract applications from crooks using stolen credentials.

The risk of partners suffering data breaches is significant. Telecoms firms, then, need to ensure their customers’ data is protected across the supply chain, by promoting solutions to help predict fraud risk.

A game of cat and mouse

It is not a question of “winning” against fraud – no one wins. Fraud is a cat-and-mouse game and telecoms firms have to up the stakes to take on the fraudsters. The harder you make it for them, the less likely you will be hit.

Simple steps like incorporating systems to predict account takeover vulnerability can go a long way towards helping telecoms companies prepare themselves to tackle the ever-increasing fraud threat. By talking to experts, firms can ensure their fraud prevention processes are fit for purpose well into the future.


Roberto Valerio CEO Risk IdentRoberto Valerio is one of the foremost experts on the rise of AI in combating fraud and founder of RISK IDENT, Europe’s leading provider of new intelligent anti-fraud software. Roberto sits on the European Advisory Board of the Merchant Risk Council and is a regular speaker on Europe’s anti-fraud conference circuit

Crime moves upmarket as fraud becomes the UK’s number 1 offence

New research from Experian claims fraud is now the UK’s most common criminal offence, much to the dismay of thugs and hoodlums everywhere.

The company’s Annual Fraud Indicator 2017 estimates the annual cost of fraud in the UK is £190 billion, exceeding the total Gross Domestic product of 148 out of 191 countries on the planet. Splitting it down, private sector fraud costs the UK economy £140 billion over the course of 2017, while it is only £40.3 billion in the public sector.

“Awareness of the dangers fraud poses is growing, but the total of £190 billion is startlingly high,” said Nick Mothershaw, Director of Fraud and Identity Solutions at Experian. “Plastic card and online banking fraud continues to increase, so new regulations which make it harder for fraudsters to use someone’s cards online are a necessary step.

“Fraudsters are shamelessly opportunistic and are now turning their attention to the pensions release, lured by the promise of high value returns when their scams are successful.”

Procurement has been pinned down as the biggest sucker for fraud, but the report notes new technologies are opening up new opportunities for the tricksters. Online Banking fraud has grown by 226% and Telephone Banking Fraud by 178% in the past year, with millennials getting caught out as well.

While this number is surprisingly high, the growing popularity of mobile money and contactless payment solutions might add to the problem. Another area which we haven’t seen the impact of is social media.

With the online world taking more control of our daily lives, authentication techniques using social media accounts are becoming more common. The vast majority are used for free services, but that doesn’t mean someone won’t work out how to commit a white collar crime using this little development. Individuals seems very enthusiastic about handing out their personal information online, and in truth we haven’t seen any particularly devastating negative impacts yet. That doesn’t mean it isn’t possible though.

Breaking the bottleneck of counter fraud management periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Joseph George, Senior Vice President of Fraud & Security at Mobileum, argues operators need to revise their approach to countering fraud.

We live in a golden age of data. For operators looking to counter fraud, there has never been more actionable information available at their fingertips, than there is now.

In theory, this is an amazing advantage for communications service providers (CSP) looking to stay one step ahead of increasingly sophisticated ‘fraudsters’, as well as gain insights that can help their business thrive in new service areas. A wealth of useful data, an increased ability to fight fraud, and a way to add to the bottom line all are all wonderful things for operators. However, this explosion of data has also created unforeseen challenges too.

Operators are reaching a tipping point, as the telecoms sector significantly expands its global services with faster broadband, 5G roll-out and more connected devices. Combined with the overall trend of traffic moving from voice to data networks, CSPs are facing huge challenges as many fraud management systems are buckling under the weight of trying to detect and act with the speed and accuracy needed to prevent potential revenue losses.

Simply put, many traditional fraud management systems can’t keep up with the sheer volume of data out there. It’s leaving operators staring at a mountain of overlooked (and underutilized) data, too much of a pain and inconvenience to be analysed thoroughly.

The root problem with many systems is that they can only handle limited datasets, not accounting for volume, variety and velocity of critical data. Also, modern capabilities and features are missing in older systems, including mobility, machine-learning, self-service analytics, and more visual and intuitive interfaces. In fact, some legacy systems still in use today by CSPs monitor fraud by only analysing aggregate records of calls.

There is a real, looming threat that fraud management is becoming a bottleneck, impeding CSPs’ ability to offer and expand services until fraud data can be interpreted and managed. Like a clogged kitchen sink, fraud management is creating a backup. Initially it might just cause a small pipe leak, but if operators aren’t proactive, they could have a full-blown burst on their hands.

That burst may be caused from the pressure of a mounting catalogue of services (and data) CSPs are involved in the delivery of, which they also need to analyse. Although outside their control, CSPs are often best positioned to identify instances of fraud occurring over carrier traffic on their networks. Examples of this include data fraud, international revenue share fraud and bypass fraud, among others. Along with the risk of IoT and sensor networks having fraudulent apps installed, the result is that the blind spots of many current CSP systems are being exposed by emerging sources of fraud.

So how can operators get ahead of the problem? How can they break this ballooning bottleneck, take advantage of that fact that they have access to vast amounts of data, and expand their services? The first step is to go beyond merely detecting fraud. CSPs should look inward, circling back and advancing their fraud protection tactics.

CSPs should have integrated, actionable and prescriptive control of fraud and abuse, based upon a combination of dynamically auto-configured business rules and policy control. By obtaining a high degree of detection accuracy, operators can get a clear understanding of the fraud data they are being presented with, and what it is telling them. With IoT for example, it means having an ability to uncover fraud outside of rule-based detection.

The implementation of predictive, big data technologies and machine-learning is a way to keep up with new frauds in real time, stopping it in its tracks. It also offers the added benefit of creating more parameters and making greater volumes of data available for analysis. All of this can be accomplished by employing a comprehensive multi-protocol solution that is nimble, fast and adds to an operator’s current system capabilities.

It’s no secret that the telecoms sector is significantly expanding its services and capabilities. But it’s the savvy operators who realize that breaking through the bottleneck of fraud data saves time and money in the long-term, and facilitates investment in new opportunities and services that otherwise would have been missed.


Joseph GeorgeJoseph George joined Mobileum in May 2017 as Senior Vice President, Fraud & Security. He leads the global strategy for solutions that help service providers control their risks related to fraud & security and prevent revenue leaks in their business.