The Australian Communications and Media Authority (ACMA) has publicly rebuked Vonage and Twilio for failing to implement mandatory controls that ensure the SenderID associated with an SMS message is genuine. The ACMA’s rules were introduced in 2022 following a significant increase in complaints about impersonation fraud by SMS. ACMA Chair Nerida O’Loughlin commented on the non-compliance of Vonage and Twilio:
As the rules have been in place for over a year now it’s unacceptable that we continue to find telcos allowing scammers to send SMS impersonating businesses domestically.
The ACMA investigated Vonage by taking samples of SMS messages sent on four different days to see how many alphanumeric SenderIDs had been verified before the message was sent. They found that 6 percent of the sampled messages used SenderIDs where there was no evidence that the A-party had a valid use case for the SenderID. Other information that was separately collected confirmed another 3,887 messages had been sent by Vonage in violation of the requirement to check the SenderID first. From this latter group, the ACMA learned of:
- 2,230 scam messages that impersonated the Commonwealth Bank of Australia;
- 707 scam messages that impersonated ApplePay;
- 1 scam message that impersonated Australia Post; and
- 949 other scam messages.
The methods used to gather this data mean it is likely that Vonage sent many more SMS messages which infringed the requirement to validate SenderIDs. Vonage also ignored the obligation to report on the blocking of messages for three consecutive quarters.
Twilio was also admonished by the same press release although there were no known instances of scam SMS messages being sent by them. Twilio admitted it…
…does not have a systematic process in place to check whether there was a valid use case for using Alpha IDs for SMs [short messages] into Australia.
The ACMA used the same method of sampling messages sent by Twilio on four different days, resulting in the identification of 12 SenderIDs which had been used in violation of the rules. However, the ACMA has chosen to redact the number of messages associated with these SenderIDs in the public version of its investigation report. My suspicion is that this figure has been withheld because it is high and the ACMA did not want it repeated in news media headlines. Twilio is capable of handling messaging campaigns which are extremely large but their infringements were otherwise less serious than those of Vonage.
The ACMA has not been shy about investigating and criticizing other telcos for inadequate controls to protect the public for SMS messages that impersonate reputable organizations. In May they chastised Infobip and Sinch for not complying with the rules.
Despite the harshness of the language used in the ACMA’s press release, neither Vonage nor Twilio were fined. Their only penalty is to be ordered to do what they should have done anyway. You can read the ACMA’s investigation reports and compliance directions for Vonage and Twilio by looking here and here respectively.



