Why Do Telcos Allow URLs in SMS Messages?

You can rest at ease, because I know the answer to my own question: any remotely liberal society is going to permit people to type whatever they want into an SMS message, and no business generates profit by preventing people from doing what they would like to do. However, we should also know that using an SMS message to get someone else to open a specific web page is increasingly anachronistic. As time progresses, customers with mobile data connections and smartphones capable of running a web browser will make less use of SMS because they have other methods of communication at their disposal. Businesses that need to provide important information to customers can deliver it via dedicated apps. It is less and less likely that you will receive an SMS with a link you might actually be glad to open. Meanwhile, smishing is rising. The spread of Flubot has illustrated just how dangerous it can be to open links that appear to come from trusted sources. That means we should expect that fewer people will trust SMS messages anyway, even if they are genuine. This is all relevant context for a recent article by Daniel McTague, Chief Technology Officer at Cellusys (pictured), who argues that users should be prevented from following hyperlinks in SMS messages unless their comms provider knows the destination can be trusted.

Currently the approach taken is to block any known bad URLs, and assume the rest are OK. With a Zero Trust approach, we flip this on its head. Only URLs that are known as safe are considered safe. All other URLs are considered unsafe.

Switching to a zero-trust mentality would have one incredibly obvious benefit.

This approach eliminates smishing in an instant.

The fix may be obvious when the focus is shifted towards protecting consumers, but that does not mean it will be adopted. There is likely to be a mix of inertia and deliberate foot-dragging from businesses that are happy to generate additional revenues by indirectly profiting from fraud. Crocodile tears may be spilled over the possible inhibition of legitimate businesses that have yet to appreciate their methods are indistinguishable from those used by crooks. However, a few moments of reflection may explain why honest business people may want to stop communicating with customers via the same techniques as the most prolific criminals. And telcos may want to contemplate how much more money they really expect to generate by allowing SMS messages to become even more feared than voice calls, with the result that they will all soon be routinely ignored.

As somebody who really is a liberal, I would be happy for my comms provider to censor inbound messages if it spares me the need to read any future text messages including hyperlinks. I cannot think of a single occasion when a genuine friend sent me a URL this way. Can you?

You can read Daniel McTague’s article about a zero-trust approach to filtering the URLs in SMS messages by clicking here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.