Last week the news was that Irish phone users would begin seeing ‘likely scam’ warnings whenever they get an A2P SMS message that uses an unregistered Sender ID. This week the news is that some of the telecoms industry has made a mess of following the new rules. However, the news media preferred to target the regulator responsible for imposing those rules, ComReg, rather than doing the hard work involved in pinpointing which businesses were to blame.
Adrian Weckler of the Irish Independent broke the story on the morning of July 8.
Ireland’s new crackdown on scam texts is labelling real texts as fraudulent — leading to confusion over hospital appointments, digital verification codes and sports tickets.
Patients of St James’s Hospital in Dublin are seeing “likely scam” on appointment texts from the institution, despite the hospital being signed up on a new verified register with the telecoms operator, ComReg.
This makes it sound like the issue is with the online registration process when it almost certainly lies with the kinds of businesses that organizations like hospitals choose as suppliers. ComReg were quick to state that their own systems are working correctly, as were the systems of Ireland’s largest mobile providers. Just a little while later, George Merrigan, Market Framework Director at ComReg, jumped on the lunchtime news show of RTE Radio 1 to defend the roll-out of the new obligations. Merrigan said:
We have been working with industry on this for some considerable time, and we are now working with some industry players to resolve the technical implementation issues that they are experiencing in this matter, as quickly as possible.
That answer is generous. There are countries where regulators would not have hesitated to shift blame by naming the businesses experiencing technical difficulties. The introduction of a national mandatory Sender ID registry was formally proposed as part of ComReg’s national anti-scam plan published in June 2023. There was time for businesses to adapt, and it is telling that Ireland’s leading operators insisted that their systems are working correctly.
Using a tokenized method to verify the legitimacy of an SMS introduces the kinds of implementation risks associated with any technical novelty, and these risks are exacerbated by the tokens needing to be processed correctly by multiple different entities. Over 11,000 Sender IDs were registered by ComReg’s deadline, a number so large that it would be surprising if there were no errors when the process went live. Nevertheless, news reporters conflated failures relating to the processing of tokens with the fact that some other ‘legitimate’ messages were flagged precisely because they were sent by comms providers which had not registered. Attaching warnings to messages from comms providers that ignored the need to register is not a flaw in the method; it is the essential purpose of the exercise.
News providers love sensation, especially when they lack the understanding to provide their audience with any real insight. It was clear that none of the journalists who latched on to this story knows their SMS aggregator from their elbow. So instead of talking about the role of aggregators or examining the technical root causes of errors, they harped on about the potential consequences of mislabeling messages. They placed specific emphasis on the risk of genuine messages from healthcare providers being wrongly labeled as scams, or potentially being blocked. I found this to be an unhelpful way of explaining the risks to the public. That is because healthcare providers stand out as being risky for reasons that are separate from the failings of the communications sector. The problem with healthcare providers is that:
- they underinvest in the technology for support systems;
- they lack people with the skills, authority and budget needed to maintain good security;
- budget constraints lead them to prefer low-ball contracts for any service deemed non-essential;
- they have eagerly automated communication in order to reduce the costs incurred when staff interact with patients; and
- poor training means they already suffer from weak controls over communicating sensitive information.
This is why I expect that the increasing use of technologies to automate the blocking of harmful communications will cause problems for healthcare providers in many countries, not just Ireland. Put simply, a conventional for-profit business has the incentive to choose suppliers that will guarantee their communications get through to consumers. Hospitals and doctor’s surgeries are not run by people who are willing to pay extra to guarantee a better level of service. They expect all comms services to be equally reliable. Anybody familiar with the murky world of comms intermediaries should appreciate how naive that expectation is.
Crucially, regulators have never been sufficiently empowered to clean up all the murky intermediaries that keep their prices low by cutting corners. We have instead relied upon the myth of comms industry ‘self regulation’. If self regulation was effective then there would be no reason to introduce registries to halt the runaway abuse of Sender IDs.



