More than 100,000 Australians have received fake texts from scammers impersonating organisations like Medicare and Australia Post after three telcos failed to follow compliance rules overseen by the Australian Communications and Media Authority (ACMA).
Investigations by the agency found that sim card providers Sinch, Infobip and Phone Card Selector allowed SMS to be sent using text-based sender IDs without sufficient checks to ensure they were being used legitimately.
Infobip allowed 103,146 non-compliant texts to be sent, which included scams impersonating Australian road toll companies. Sinch allowed 14,291 non-compliant texts to go through, including Medicare and Australia Post impersonation scams.
While Phone Card Selector was also found to have inadequate systems in place to comply with the rules, there was no evidence scammers exploited the opportunities it created.
The ACMA has given Sinch and Infobip formal directions to comply with the obligations, the strongest enforcement action available for code breaches. Phone Card Selector has been given a formal warning.
Telcos may face penalties of up to $250,000 for breaching ACMA directions to comply with the code.
ACMA chair Nerida O’Loughlin said the investigations showed scammers will readily take advantage of vulnerabilities created by telcos.
“While there is no suggestion the telcos were involved in scam activity themselves, scammers have used their failures to prey on Australians. This wouldn’t have happened if the companies had adequate processes in place and complied with the rules,” she said.
“Scams that impersonate reputable organisations can be particularly hard for consumers to recognise and there’s no telling how much damage could have been done as a result of these scam texts.”
Text-based sender IDs can be used by scammers to pose as legitimate organisations such as government agencies, banks and road toll companies. Under the Reducing Scam Calls and Scam SMS Code, Australian telcos must obtain evidence from customers that they have a legitimate reason to use text-based sender IDs (such as business names) in SMS.
The federal government announced two weeks ago it will provide more than $10 million to launch Australia’s first SMS sender ID registry to prevent offshore scammers from impersonating trusted brands and government agencies.
“This initiative will help close a key vulnerability used by scammers. The ACMA looks forward to working with industry and trusted brands as we implement this new protection,” O’Loughlin said.
Today’s action from the ACMA also comes more than a year after the nation’s consumer watchdog announced it would be taking Facebook’s parent company Meta to Federal Court, alleging the social media platform “aided and abetted” scam cryptocurrency ads.
Get our daily business news
Sign up to our free email news updates.