How many text messages have you received lately about a missed delivery of a package you didn’t order? Or a prize you’ve earned for being a loyal customer of a company you don’t use? Or a nonexistent withdrawal just made on your account?
Bogus messages like these have skyrocketed in recent years as scammers have shifted from robocalls to robotexts — in part because the feds were forcing phone companies to shut their networks to robocalls. The legal landscape is changing, however, in a way that should make it tougher for fraudsters to invade your message queue too.
That’s tougher, not impossible. Scammers are a notoriously resourceful bunch.
On Thursday, the Federal Communications Commission adopted a rule that requires mobile phone companies to block texts that are “highly likely to be illegal.” That includes texts from spoofed or non-working numbers, which spammers frequently rely on for their bulk messages.
The robotext problem has grown dramatically; according to Robokiller, which makes spam-blocking technology, Americans received more than 225 billion unsolicited texts last year. That works out to more than 700 per smartphone user.
The scams are particularly dangerous, the commission warned Thursday, noting humans have a hard time not reading incoming texts. In addition to peddling get-rich-quick schemes and other nuisances, robotexts may be used to trick people into revealing sensitive personal information or installing malware.
The new rules won’t go into effect for several weeks, and a follow-up set of protections from the FCC are still awaiting public comment and a final vote. In the meantime, there are steps you can take to spare yourself the misery of hearing your phone’s incoming text notification chime, only to discover it’s yet another fake notice from FedEx.
The new rules
The commission applied some of the same techniques to spam texts as it has used to deter spam calls. Once the newly approved order takes effect, mobile phone networks will be required to establish a “reasonable” Do Not Originate list of numbers that will not be allowed to send text messages, similar to the list they must maintain for phone calls.
At a minimum, the Do Not Originate text list will include numbers that are invalid or not yet assigned in North America. Individuals and organizations whose valid numbers are used by spammers to disguise the real source of their texts can also have their numbers placed on the list.
This sort of blanket approach targets a common practice among robotexters, which is to use different numbers (real or spoofed) to originate successive come-ons or phishing attempts. That’s why you can’t make much headway against spam texts by blocking individual numbers on your phone — the texts just keep coming from new, unblocked numbers.
It’s also significant that the FCC is requiring, not urging, mobile companies to create a list and block texts from those numbers. The shift “is in part the result of the heightened risk of text messages as both annoyance and vehicles for fraud,” the commission said in its order. “Data indicates that consumers read nearly all texts they receive, and do so nearly immediately. Indeed, industry data suggests that consumers open a far larger percentage of text messages than email, and open such messages much more quickly. This stands in contrast to calls where, as we have said repeatedly, consumers report no longer trusting calls from an unfamiliar number and refusing to answer them.”
In case the new system interferes with valid texts, the order requires mobile companies to provide the public a single point of contact for complaints about excessive blocking.
The goal is to stop scam texts in the pipeline, rather than use big fines and splashy enforcement actions to try to deter robotexters. Not that the commission has done much on the deterrence front. According to the FCC, the agency has taken only one enforcement action against a text spammer, issuing a citation in 2018 to a marketer who sent texts to people on the federal Do Not Call Registry, which bars unsolicited messages as well as phone calls. The registry is based on the 1991 Telephone Consumer Protection Act, which prohibits the use of automated dialing equipment to contact any residential number “without the prior express consent of the called party.”
Two years ago the Supreme Court made it significantly harder to enforce the act, ruling in Facebook vs. Duguid that the law barred automated calls only if they were made to numbers chosen at random or in sequence. Robotext scammers “are increasingly using equipment that does not satisfy the definition of an autodialer under the law,” FCC Chair Jessica Rosenworcel told a House oversight subcommittee in a letter that December.
“In light of these new legal and technical limitations, I believe the FCC will need to focus on preventing robotexts in the first place, rather than just trying to punish those responsible for them after the fact,” Rosenworcel wrote.
The latest order will take effect 30 days after it’s published in the Federal Register, and it may take some time before that happens. So don’t expect mobile phone companies to plug their networks to suspected robotexts right away.
More protection in the future?
The order adopted Thursday also proposes additional rules that would crack down further on robotexts. One would bar text messages to the more than 240 million numbers on the Do Not Call Registry. Another would bar sites from tricking consumers into granting multiple unrelated companies permission to send them unsolicited messages. A third would require mobile companies to block messages from senders identified by the FCC as the source of illegal texts, just as they must do for robocallers identified by the commission.
The commission did not, however, propose a requirement that mobile companies authenticate the source of each text message and block the ones that are spoofed, as its rules require for phone calls. Together with a ban on texts from invalid or inactive numbers, blocking spoofed numbers could pose a significant hurdle to robotexters. The problem, the commission said in its order, is that it’s not clear whether the authentication methods that work for phone calls will work for texts.
Rather than proposing a rule, the commission asked for comment on how a system to authenticate the source of text messages might work, and how that technical solution might be applied to the robotext problem.
Another issue not explicitly addressed by the order is spam texts from email addresses. Mobile phone networks have email gateways that allow customers to exchange texts with email addresses. So naturally, software developers are offering tools that can send texts in bulk from email addresses — for free.
Already, some spammers are originating their text scams from email addresses. If the FCC manages to shut the door to spam texts sent from phone numbers, how long will it take the entire robotext industry to follow suit?
What you can do now
As the FCC noted, many consumers have taken a sledgehammer approach to spam calls, sending all calls from unknown numbers automatically to voice mail. Legitimate callers will leave a message; robots and scammy call centers typically do not.
If you have an Apple iPhone and use the company’s iMessage app, you can take the same approach with text messages. In the Settings app, under Messages, you can choose an option labelled Filter Unknown Senders. Doing so will put messages from numbers your phone doesn’t recognize into a list separate from the ones from your contacts.
On Android phones, Google’s Messages app — which isn’t necessarily the default messaging app on the phone — offers a similar form of safeguard, but with more AI. If you enable spam protection (it’s under “Spam Protection” in the Settings menu of the app), Google will use its machine-learning-powered analytics to review incoming texts. If Google suspects a text is spam, it will move the message to a separate folder for spam and blocked texts, then let you know you’ve received a message of sketchy origin. If it’s legitimate, you can remove the spam tag and send it to your regular text inbox.
These tools are free. Mobile phone companies and app developers also offer competing tools to block spam texts, some of which carry a fee.
The most popular messaging apps also enable you to block and report the numbers used by robotexters, but the one-at-a-time approach isn’t going to stop scammers who shift rapidly from number to number. It’s about as effective as trying to seal holes in a levee that keeps springing new leaks.