How SMS 2FA Messages Can Fight Scammers

Adonis Gaitatzis
4 min read · Apr 4, 2022

Gift-card and tech support scams are on the rise in the United States, causing a reported loss of 148 million dollars in 2021.

Although consumer education reduces harm and police investigations raise the cost of running these scams, companies can implement some simple measures that make these scams much harder to carry out.

One such system is to simply use better language in the 2FA SMS texts that companies send to customers, which both instructs users on better online security and serves as a way to reinforce consumer education.

Why It Works

Creating better SMS messages for 2FA codes can help train users on what to expect when dealing with these codes.

How the Scams Work

These scams often work when a scammer instructs a victim to take some action on their account, for example changing their password, registering for a service, or sending money.

When the user takes this action, a 2FA code may be sent to their phone by SMS. In most cases, the 2FA code arrives without any context, so the scammer is able to provide their own explanation for what the intended action of the 2FA code is. The victim believes the explanation and shares the 2FA code with the scammer, who is able to complete the action.

For example, a typical 2FA SMS from a major company may look something like this:

[Image] A 2FA code devoid of any context enables scammers to provide a nefarious explanation

The victim may not know that the company will never call for the code, and they may have been lied to about how the code will be used.

Why the Solution Works

Better SMS messages provide clear language that explains the intended use of the 2FA code, procedures for handling it safely, and what to do if the account is compromised.

The more companies that implement this, the more there will be a positive feedback effect. Consumers will see the same language repeatedly, causing the messaging to sink into the general consumer consciousness the same way that a commercial jingle does.

What This Looks Like

When the user initiates an action that triggers a 2FA code to be sent to their number, the SMS should include language that clearly states:

  1. The name of the company
  2. The reason for the 2FA code
  3. Instructions to never share the code
  4. A warning that the company will not call for the code

These four points can be stated succinctly:

You have requested a password reset code from CHASE Bank. We will never call you for this code. Do not share it with anyone: 12332
Example SMS explaining the company policy on two-factor authentication, no room for interpretation

Additionally, a follow-up message can be sent that guides the user to take action if they were not expecting to receive this code, for example:

If you weren't expecting this code, visit chase.com/security immediately
Example SMS explaining how to contact help

Caveats

The maximum length of an SMS message is 160 characters. Longer messages are split into 153-character chunks. Sending a single SMS is ideal, because the parts of a split message may arrive with a delay between them and a message that is split may be confusing to the reader.
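As an added example (not the article's own code), the helper below builds the two messages described above from the four required points and counts the SMS segments each will occupy, including the case where a single character outside the GSM 7-bit alphabet, such as a curly apostrophe, forces the message into UCS-2 and shrinks the single-segment limit to 70 characters. The templates, company name and URL passed in are constructed placeholders.

```python
"""Compose context-rich 2FA SMS text and verify it arrives as one message.

Added example, not code from the original article. The limits (160 chars
for a single GSM-7 message, 153 per part when split; 70 and 67 for UCS-2)
are standard SMS figures; the templates and the values passed in are
constructed placeholders.
"""
import math

# GSM 03.38 basic 7-bit alphabet: one septet per character.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# GSM 03.38 extension table: two septets per character (escape + char).
GSM7_EXTENDED = set("^{}\\[~]|€")


def encoding_and_units(text):
    """Return ('GSM-7', septets) or ('UCS-2', characters) for the text."""
    # One character outside GSM 03.38 (a curly apostrophe, an emoji) forces
    # the whole message into UCS-2, which roughly halves per-part capacity.
    if all(c in GSM7_BASIC or c in GSM7_EXTENDED for c in text):
        return "GSM-7", sum(2 if c in GSM7_EXTENDED else 1 for c in text)
    return "UCS-2", len(text)


def segment_count(text):
    """Number of parts the carrier will split this text into."""
    encoding, units = encoding_and_units(text)
    single, part = (160, 153) if encoding == "GSM-7" else (70, 67)
    return 1 if units <= single else math.ceil(units / part)


def fits_single_sms(text):
    """True when the message will arrive whole, as the article recommends."""
    return segment_count(text) == 1


def compose_2fa_sms(company, reason, code):
    """The four points: company, reason, never share, we will never call."""
    return (f"You have requested a {reason} code from {company}. "
            "We will never call you for this code. "
            f"Do not share it with anyone: {code}")


def compose_followup_sms(security_url):
    """Follow-up telling a user who did not expect the code where to go."""
    return f"If you weren't expecting this code, visit {security_url} immediately"
```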

The website link should be short, but not shortened. A URL such as example.com/security is better than bit.ly/a3ma49X because:

  • The full URL shows the domain name of the company, reinforcing the sense of security that the user has about the authenticity of the sender.
  • The user can type in the full URL into their browser to get the company’s actual policies regarding two-factor authentication, including up-to-date scam warnings and ways to protect themselves.
  • Training the user to click on shortened URLs may result in them clicking a link in a forged 2FA message that sends them to a spoofed website, or to one that harvests sensitive information about the user.

Together, this information can reduce scammers’ ability to manipulate users into performing unwanted actions.

The more companies that use this language in their SMS 2FA messages, the more users will be trained not to do things that make them vulnerable to these types of scams.

Adonis Gaitatzis

Is a technology and branding nerd who can synthesize any business need into a technology solution. Fun projects have included brain imaging tech & mesh routers.