38.4k unique visitors in the last 3 days

Vonage and Twilio Blasted for ‘Unacceptable’ SMS Scam Failings by Australian Regulator

Scammers exploited Vonage's weak controls to send thousands of scam SMS messages that impersonated reputable organizations.

The Australian Communications and Media Authority (ACMA) has publicly rebuked Vonage and Twilio for failing to implement mandatory controls that ensure the SenderID associated with an SMS message is genuine. The ACMA’s rules were introduced in 2022 following a significant increase in complaints about impersonation fraud by SMS. ACMA Chair Nerida O’Loughlin commented on the non-compliance of Vonage and Twilio:

As the rules have been in place for over a year now it’s unacceptable that we continue to find telcos allowing scammers to send SMS impersonating businesses domestically.

The ACMA investigated Vonage by taking samples of SMS messages sent on four different days to see how many alphanumeric SenderIDs had been verified before the message was sent. They found that 6 percent of the sampled messages used SenderIDs where there was no evidence that the A-party had a valid use case for the SenderID. Other information that was separately collected confirmed another 3,887 messages had been sent by Vonage in violation of the requirement to check the SenderID first. From this latter group, the ACMA learned of:

  • 2,230 scam messages that impersonated the Commonwealth Bank of Australia;
  • 707 scam messages that impersonated ApplePay;
  • 1 scam message that impersonated Australia Post; and
  • 949 other scam messages.

The methods used to gather this data mean it is likely that Vonage sent many more SMS messages which infringed the requirement to validate SenderIDs. Vonage also ignored the obligation to report on the blocking of messages for three consecutive quarters.

Twilio was also admonished by the same press release although there were no known instances of scam SMS messages being sent by them. Twilio admitted it…

…does not have a systematic process in place to check whether there was a valid use case for using Alpha IDs for SMs [short messages] into Australia.

The ACMA used the same method of sampling messages sent by Twilio on four different days, resulting in the identification of 12 SenderIDs which had been used in violation of the rules. However, the ACMA has chosen to redact the number of messages associated with these SenderIDs in the public version of its investigation report. My suspicion is that this figure has been withheld because it is high and the ACMA did not want it repeated in news media headlines. Twilio is capable of handling messaging campaigns which are extremely large but their infringements were otherwise less serious than those of Vonage.

The ACMA has not been shy about investigating and criticizing other telcos for inadequate controls to protect the public for SMS messages that impersonate reputable organizations. In May they chastised Infobip and Sinch for not complying with the rules.

Despite the harshness of the language used in the ACMA’s press release, neither Vonage nor Twilio were fined. Their only penalty is to be ordered to do what they should have done anyway. You can read the ACMA’s investigation reports and compliance directions for Vonage and Twilio by looking here and here respectively.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email