Australia has called out five telcos for sending through bulk SMS that contain scam messages, breaching the country’s anti-scam and public safety rules.
The Australian Communications and Media Authority (ACMA) said it had taken action against Message4U, SMS Broadcast, DirectSMS, Esendex Australia, and MessageBird for allowing millions of SMS messages to be sent without sufficient checks to ensure they were not scams. These SMS messages had used text-based sender IDs, or shortened business names.
Also: The best VPN services (and how to choose the right one for you)
Message4U sent through 36.1 million SMS messages, while SMS Broadcast allowed 4.5 million SMS messages to be sent. Esendex Australia and DirectSMS allowed 6.7 million and 1.6 million SMS messages, respectively, to be sent between July 2022 and June 2023. MessageBird sent 1.1 million SMS messages in early-2023, ACMA said.
ACMA noted these telcos had allowed through scam SMS messages that impersonated well-known brands and government services. Specifically, SMS Broadband and Message4U enabled more than 1.2 million impersonation scam texts to be sent to consumers, while Esendex sent through at least 99,000 scam texts.
Also: 6 simple cybersecurity rules you can apply now
These actions were in breach of Australia’s various anti-scam and public safety rules, ACMA said.
ACMA Member Samantha Yorke said it was “unacceptable” that telcos had enabled these scams amid data that showed an increasing number of Australians were being targeted by scam SMS.
“Australians reported losing over AU$25 million ($16.31 million) to SMS scammers last year and the impact on individuals and families can be truly devastating,” Yorke said. “Scammers will always look for cracks in systems and if even one telco fails to have its compliance in order, it can open the door for scammers to target Australians.”
She added: “Telcos must have processes in place to ensure that customers sending bulk messages are verified.”
ACMA noted that the five telcos also failed to provide customer data to the Integrated Public Number Database, which is used to locate people in an emergency and to send out emergency alerts in the event of high-risk events, such as floods or bushfires. The database is further used to support law enforcement activities.
Also: Scammers are using AI to impersonate your loved ones
Yorke said that, while there were no reported or known incidents as a result of the breach, it was concerning so many telcos had failed to comply with their obligations.
The telcos have been formally directed by the ACMA to comply with the Integrated Public Number Database and the Reducing Scam Calls and Scam SMS industry codes, which the authority said is the strongest enforcement outcome available for initial breaches of these codes.
Also: The best VPN services for iPhone and iPad (yes, you need to use one)
For breaching ACMA’s directions to comply with industry codes, telcos may face penalties of up to AU$250,000 ($163,079), the authority said.
“We will be closely monitoring for any scam activity coming via these telcos and will not hesitate to take action if we find evidence Australians are being placed in harm’s way again,” Yorke warned.
An Australian man in January 2023 was sentenced to jail for more than two years over an SMS phishing scam, during which he stole AU$100,000 ($65,232) and targeted 450 victims.
