The work done by the Finnish Transport and Communications Agency Traficom and operators to prevent text message scams is bearing fruit. So far, different organisations have already protected over 70 SMS Sender IDs. Traficom also encourages other organisations that send text messages to check their security needs and register the necessary IDs in Traficom’s service.
In recent years, most Finns have received scam messages in which the SMS sender ID shows that the message has come from a trusted organisation such as their bank, the Tax Administration or a logistics company that delivers a package. Cybercriminals have managed to use this cheating method successfully, and according to even conservative estimates, the criminal profit from this has been a total of 10 million euros
From 9 November 2023, Traficom has offered organisations the opportunity to protect their own sender ID. "We are satisfied with the result of the first three months, as many key players such as Nordea, Osuuspankki, S-Bank, Posti, Social Insurance Institution of Finland, Tax Administration and National Police Board of Finland, as well as many other players in public administration and business life have already protected their IDs”, summarizes Traficom’s Chief Specialist Klaus Nieminen regarding the current situation. The first protections will take effect on 21 February 2024, after a qualifying period of three months has passed from the registration of the ID.
You can check the protected IDs and the effective date of the protection on Traficom's website.
What does the protection mean in practice and what does it require from the applicant?
Companies and public corporations can protect the sender IDs they use so that no one else can send text messages with protected IDs. The protection takes effect three months after the registration of the ID. After this, messages can no longer be sent to recipients from abroad via the general international interface, and text message traffic sent through this will be blocked. During these three months, the organisation that registered the ID must ensure that its text messages are brought online via the application interfaces provided by Finnish telecommunications operators.
"This service offered by Traficom gives organisations that send text messages the tools to protect their IDs, but it does not provide protection until the IDs are registered” Nieminen reminds. He encourages organisations that send text messages to check their security needs and register the necessary IDs in Traficom’s service.
More information on the subject and, for example, the format requirements of the IDs to be registered can be found in Traficom's instructions on protecting text message sender information (in Finnish). (External link)
Further information
Chief Specialist Klaus Nieminen, tel. +358 29 539 0528, klaus.nieminen@traficom.fi
Fact box
SMS Sender ID = alphanumeric sender ID visible to the recipient of the text message. According to the standard, the SMS sender ID of the text message does not have to be limited to the subscription number of the mobile phone subscription, e.g. 040 1234567, but instead of the phone number, an alphanumeric identifier consisting of maximum 11 characters can also be used as the sender information of the text message, which is called SMS Sender ID.
The ID can also use special characters, including å, ä and ö. However, when using these characters, the applicant for protection should check with their service provider before submitting the registration application whether the ID works as desired in the intended use case. Some of the short message service centre's application interface protocols in use in Finland also support a narrower character set than the standard, and the internationally compatible character set is even narrower. In general, in international communications, the recommended characters are 0-9, a-z, A-Z and space.
In addition to the searched form of writing (e.g. "TunnuS"), the protection covers writing forms where the ID is written with a capital initial letter and otherwise with lowercase letters ("Tunnus"), all lowercase ("tunnus") and all capital letters ("TUNNUS"). For other similar identifiers (such as "Tunnus Oyj" or "T-unnus"), the organisation that registered the ID can agree on possible additional security needs directly with mobile network operators.