Number spoofing: are scam filters doing enough to catch dodgy texts?

While hundreds of millions of dodgy texts are blocked, scammers continue to find ways to get them through
Tali Ramsey
A woman holding a cup in her hand while looking at her mobile phone in her other hand

Mobile networks may not be paying enough attention to all types of scam texts, a recent report suggests. 

Text messages can be sent via A2P (Application to Person), when a brand sends you a message, or P2P (Person to Person), such as when you message one of your contacts. 

But cybersecurity firm MetaCert sent 1,000 phishing messages via P2P over a number of mobile networks and all were sent without being blocked or flagged. The messages mimicked HMRC refunds, bank alerts, DVLA fines and missed delivery scams

Recently, Which? reported on widely circulated scam texts, including those impersonating the DWP in fake energy grant messages and those claiming you have an unpaid parking fine. All messages we came across were sent via P2P from spoofed mobile numbers or email addresses.

Below, we look at the scam texts that continue to slip through the net, and what can be done to stop them.

Sign up for scam alerts

Our emails will alert you to scams doing the rounds, and provide practical advice to keep you one step ahead of fraudsters.

Sign up for scam alerts
Sign up

‘Criminals just need a Sim card and a regular phone’

A recent survey carried out by Ofcom, the UK's telecoms regulator, found that more than half of people received a suspicious text either via SMS (text messages sent without the need for an internet connection), RCS (Google's upgraded version of an SMS message), iMessage (Apple's internet-based messaging service used between Apple devices) or WhatsApp, in the past three months.

One in 10 survey respondents received daily suspicious text messages,  a third reported receiving them weekly, and two-thirds reported receiving them monthly.*

'Spam and scams are entirely different problems. Spam is annoying but primarily costs mobile operators money because marketers often send it without paying per message. Scams, on the other hand, are costly and dangerous for people,' Paul Walsh, the CEO of MetaCert, told Which?. 

Paul believes that operators focus on spam as opposed to actual scams targeting consumers when it comes to blocking SMS fraud. 

'They’re using systems built to filter obvious, repetitive spam to try to catch phishing, even though phishing messages are designed to look like legitimate messages and alerts. The only reliable giveaway is the link itself – and if that fake link is new or unreported, these systems simply can’t detect it,' he continued.

Most mobile networks block suspicious messages from being sent by applying firewalls that analyse the content of messages for suspicious activity and by using the SMS SenderID Protection Registry.

The registry works by enabling brands to register their sender names so mobile networks can block messages that use those names if they come from dodgy sources.

Some networks flag numbers which send large volumes of texts, as well as having dedicated teams to investigate suspicious messages.

Scam texts are getting through

Scam texts

A scam text impersonating Evri

1 / 5

  • A scam text impersonating Evri
  • A scam text claiming to offer a remote job
  • A scam text impersonating Nationwide
  • A scam text claiming you have an unpaid parking fine
  • A scam text impersonating Royal Mail

A large collection of images displayed on this page are available at https://www.which.co.uk/news/article/number-spoofing-are-scam-filters-doing-enough-to-catch-dodgy-texts-ahsYn9Q8gLmA

Several recent examples of scam text messages sent from spoofed mobile numbers and email addresses (where the scammer masks their SenderID), shared by members of the Which? scam action and alerts Facebook group, wouldn't be stopped by scam blocking technology that mobile networks use to tackle suspicious texts, according to MetaCert.

These texts included messages about unpaid parking fines, job opportunities and home deliveries.

key information

4 tips to spot a text message scam

  1. It’s from an unknown number
  2. You’re being asked to provide personal and financial information
  3. It includes a link
  4. It contains spelling and grammatical errors or uses phrases that seem odd

What are the regulations on scam texts?

Ofcom has rules for mobile networks to prevent scam texts. These include applying systems to identify and block scam texts and ensuring that the numbers they provide aren’t being used in scams.

They must also ensure that SenderIDs aren’t spoofed and act quickly if scams are detected.

Ofcom told Which? that while there are successful measures in place to reduce scam texts, scammers are constantly exploring ways to bypass these, and the problem isn’t going away. Due to this, it is currently considering what other regulations might be necessary. According to Ofcom, around a million messages are blocked every day, and approximately a billion scam texts have been stopped from getting through so far. 

It also explained that UK telecoms companies must use phone numbers efficiently and effectively, including to help tackle scams, and take appropriate steps to ensure their customers comply with our rules. With this in mind, it currently has open investigations into two companies.

Most mobile networks also use 7726, a free reporting service you can use to forward suspicious (scam and spam) text messages. This allows the network to investigate the message and potentially block or ban the sender.

Recently, Action Fraud reported that more than 27,000 scams were removed as a result of consumers forwarding scam messages and calls to 7726 since the service launched in April 2020.

What are the mobile networks doing?

Which? contacted Mobile UK, the trade association for the UK’s mobile network operators, about the report's findings.

MobileUK told us: ‘The industry takes the issue of protecting customers from scam texts very seriously and has invested in and implemented numerous initiatives to block these messages.

'Advanced filtering technologies, URL authentication and industry-wide reporting systems are just a few of these measures in place to help protect customers from fraudulent activities, resulting in over a quarter of a billion scam texts and messages being blocked since the beginning of this year.

'However, we continue to urge customers to remain vigilant and help us tackle scams by forwarding any suspicious messages to 7726.’

Which? also spoke to SpamShield, a firewall used by many mobile networks to scan and block suspicious messages, which told us that its technology would have recognised the texts sent by MetaCert as tests, so wouldn't have blocked them.

It also told Which? that it detects scam messages (both A2P and P2P) by recognising the patterns in them and validating URLs, but the exact methods depend on the network using the firewall and can't be shared.

Where to report scam texts

If you receive a suspicious text message, particularly if it contains a link, you can report it by forwarding the message to 7726. This information is then shared with the police and intelligence agencies working to stop text scams.

You can also take a screenshot of the message and forward the image to report@phishing.gov.uk.

If you've fallen victim to a text scam, you can report it to Action Fraud or the police if you live in Scotland.

Seen or been affected by a scam? Help us protect others

Sharing details of the scam helps us to protect others as well as inform our scams content, research and policy work. We will collect information relating to your experience of a scam, but we won't be able to identify your responses unless you choose to provide your contact details.

Share scam details

*Ofcom scams survey, fieldwork 5th to 7th February 2025

More on this

Related articles