Skip to main content

When it comes to trusting SMS messages in a crisis, it's important to consider the context, the source of the message, the sender number, sender ID branding and other available information. While SMS messages can be a useful communication channel during emergencies, they are not immune to manipulation or exploitation and here are some factors to consider:

Official Sources

In a crisis, official sources such as government agencies, emergency management organisations, or your own organisation often use SMS alerts to disseminate critical information. The messages from official bodies often use short codes, but most corporate crisis messaging uses a telephone number structure, and 10-digit long codes.

It is generally advisable to trust short code messages as these are only issued to security-checked bodies, but long code should be treated with caution. Some countries are adopting a registration scheme for long codes which will help increase trust.

Access to Spoofing Tools

Cybercriminals with access to specialised software or tools designed for SMS spoofing can carry out such attacks very easily. These tools allow attackers to manipulate the content and other details of the SMS message.

A company should send an SMS message that displays the sender ID which can be your company logo or name. However, this is not always possible as some telecom companies and national systems do not have sender ID capability. If a message arrives with a sender ID, it is reasonable to assume a greater degree of trust. However, some cyber criminals with the right tools can even trick users by spoofing the sender ID, so checking a second source is always best practice.

Mass alerting systems can send on multiple channels simultaneously - email, SMS, push notifications and voice calls - to ensure delivery of the message and give users the ability to check validity.

A Recognised Number

Some advanced systems offer a dedicated SMS number for customers that can be added to the address book of their members of staff. As the number is known, it can be whitelisted in the do not disturb settings to ensure critical alerts will override privacy settings.

Known numbers will give greater confidence but some systems just deliver SMS from a large bank of numbers that are used for multiple organisations. This is the less expensive option but it prevents the ability to whitelist.

Confirmation from Multiple Channels

When receiving important information via SMS during a crisis, it is a good practice to cross-verify the information and check your email, app or other reliable sources. You can check with colleagues or if the same information is being shared through the company app, websites, news outlets, social media accounts, or other trusted communication channels.

Exercise Caution with Unsolicited Messages

Be cautious with unsolicited SMS messages received during a crisis, especially if they request personal information, or financial transactions, or contain suspicious links. Cybercriminals may exploit emergencies to carry out phishing attacks or spread false information. Do not click on unknown links or provide personal details without proper verification.

Consistency and Accuracy

Pay attention to the consistency and accuracy of the information shared in SMS messages. Official alerts and notifications generally provide clear, concise, and accurate details regarding the crisis, safety instructions, evacuation procedures, or any necessary actions to be taken.

If a message seems vague, inconsistent or contains alarming claims without reliable sources, it should be treated with caution.

Seek Confirmation from Reliable Contacts

Reach out to trusted contacts in your crisis management team or if it is public SMS, bodies such as local authorities, emergency services, or official helplines, to verify the information received via SMS, especially if it pertains to immediate safety concerns or evacuation orders.

Final Thoughts

Remember, while SMS messages can be a valuable communication tool during a crisis, they are not foolproof and can be subject to manipulation or false information.

Companies should use sender IDs where possible, use known numbers for messaging and train staff to add these to their address books and do not disturb settings. Cross-verification with multiple trusted sources is crucial for making informed decisions and ensuring your safety during critical situations.