Published in


Email Phishing vs SMS Phishing And Why We Should Stop Blaming Mobile Operators for SMS-Led Attacks

Why I wrote this article

Email and SMS have similar characteristics:

  1. Messages can contain text and URLs.
  2. They’re both open channels — anyone can send a message to any other person in the world, no matter who their service provider is.
  3. Senders don’t need to be connected to recipients — unlike other channels such as Slack, Messenger, Social Networks, Skype, WhatsApp et al.
  4. It’s easy for social engineers to find a person’s email address or phone number.
  5. It’s easy to broadcast one message to many at lost cost.
  6. Many brands and financial institutions use email and SMS more than any other channel to build better relationships with customers.
  7. When sending a message, it’s easy to impersonate a person or entity.
  8. When opening a message, it’s hard to know if it’s from a legitimate person or entity, or from a threat actor impersonating them.
  9. It’s fast and easy to create a lookalike sender ID to spoof a legitimate sender.
  10. Blocking an email address or phone number doesn’t stop threat actors — at all.
  11. It’s easy to trick recipients with lookalike URLs that are deceptive.
  12. Both email and SMS have anti-spam filters but neither are effective or reliable for detecting phishing URLs.

The striking differences make SMS more attractive to marketers…. and attackers who find it easy to impersonate marketers

  1. The average open rate for email sits between 28% and 33% according to data from Hubspot. The average open rate of a text message sits at about 99%, with 97% of messages being read within 15 minutes of delivery.
  2. The click through rates between email and SMS are very different, email marketing tends to generate a rate of between 6–7%. Whereas SMS generates rates around the dizzying heights of 36%. In this plugged in, ‘always on’ marketing landscape, levels of engagement on any mobile platform are far higher than they are with non-mobile marketing platforms and are only growing.
  3. Emails can contain many danger signals that help people to avoid links from people they don’t know. SMS has room for a few words and one URL — making it harder for people to avoid links from people they don’t know. There’s certainly not enough text for AI to be meaningful enough for SMS-led phishing messages — “Install our app to track your parcel delivery” — are those words from a legitimate delivery company, or an impersonator? The only right answer is, you and I don’t know.
  4. Brands and banks use branded URLs when sending emails, but they use very different, non-branded URLs when sending SMS messages. This means marketers are unaware of the potential this has on security. Criminals who specialize in phishing, have a very deep understanding and appreciation for all of this, and more.
  5. An email sender ID is hard to verify but 100x easier than trying to identify a phone number — the world outside of telco does not care to look at the sender ID whenever they trust a text message. Therefore, verifying the sender ID is great for reducing spam related traffic but completely useless for anti-phishing security.

About email service providers

Google should be able to stop email-led phishing attacks

  • Google is one of the biggest cybersecurity vendors in the world.
  • Google owns an anti-spam filter for email.
  • Google owns one of the world’s biggest cyber threat intelligence systems that most security vendors rely on for their own products and services.
  • Google owns an email client for Android, iOS, Windows, Mac OS and the web.
  • Google owns the browser (Chrome) that many people use to access webmail. And if they use a desktop client, all links will open inside the default browser — which is Chrome for the vast majority of the world.
  • In summary, Google owns almost the entire technology stack along with one of the world’s most widely adopted URL threat feeds built-in.

We NEVER blame Google

About SMS service providers

Why Vodafone should NOT be able to stop SMS-led phishing attacks

  • Up to now, the cybersecurity industry hasn’t had a category for SMS — the market isn’t big enough to warrant an investment in possible solutions. No category = no security products or services. ZERO cybersecurity for SMS. Until MetaCert pioneered the first URL-based security service for mobile device OEMs, mobile apps, and then Slack, no security solution existed, and no stakeholder cared enough to discuss it. SMS today is the very same.
  • Anti-spam filters for SMS (i.e. SMS Firewalls) are similar to anti-spam filters for email — they are very effective at blocking unsolicited sales and marketing messages from spammers.
  • Anti-spam filters are not reliable or effective at detecting deceptive URLs — unless they are already classified as “dangerous”. And assuming they are working with at least 1 anti-phishing threat intelligence provider — this is not something that should be built internally — most security vendors license threat feeds from companies like Google, MetaCert, Akami and Symantec.
  • Almost every successful phishing attack uses a URL that is not yet classified as “dangerous”.
  • Most threat actors use phishing URLs in the same way that most people treat single-use water bottles. They’re used once and then discarded.

Traditional anti-phishing security won’t work for SMS, unfortunately. It’s no longer reliable or effective to…

The solution for SMS phishing

Assume every URL is dangerous, unless verified.


Related articles that you might be interested in:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.