On January 26 2023 I did a short talk at an event hosted by The Norwegian Society of Graduate Technical and Scientific Professionals (tekna.no) in Oslo, where I mentioned the very common advice “do not click on suspicious links in text messages”.

One challenge with this advice is that we get A LOT of of unexpected e-mails and text messages in our everyday life, with totally legitimate links that you HAVE to click, even if you didn’t directly or recently initiated a process to get them.

Another challenge is that you do not receive any information that as part of a process you will receive a text message with a link that you are supposed to click, for example a link to signing an agreement online.

A third challenge is that we simply lack a common & easy understanding of what constitutes a “suspicious link”.

So I went through all my received text messages from organizations in 2022, and I found a total of 78 senders. The vast majority from Norwegian organizations since I live in Norway, but also some foreign organizations, such as Twitter & Coinbase. 12 senders were numbers ranging from length 5 to 14, while 66 were different names such as Telenor, Gjensidige, KPMG and SAS. In these different text messages I received 4, 5, 6 og 7-digit OTP codes. Some sent me passwords, which were all VERY bad. Out of 20 senders of OTP codes, 3 stated in the message for low long it was valid, like 5 minutes.

Suspicious links

41 senders (of 78 total) had 1 or more links in the text messages I received from them. I chose to define a “suspicious link” as a link to a domain name that has no obvious relation to the sender, like using the bit.ly URL shortener, or using a name that has no natural connection with the sender. Based on that definition 16 senders had “suspicious links” in their text messages, and came from a wide range of different organizations, including Norwegian telecom giant Telenor. I have yet to examine if these organizations have publicly informed about their use of “suspicious links”, and how we as end users can verify the authenticity without clicking the link to see what happens next.

Spoofing test

I have also tested if it was possible to send spoofed text messages from all 78 senders. I have a subscription with Telenor myself, and with 78 senders, only 4 spoofed messages didn’t get through to my phone: 2 messages pretending to be a large bank, a large classifieds site and the Norwegian governments owned gambling company. All others could be spoofed, so that text messages sent using their number/name nicely appears inline with existing messages from the real organization. The Norwegian telecom operators have some capability to prevent such spoofing from happening, but it requires the organizations to contact the telcos and ask for “protection” for themselves. There’s also a sad irony of Telenor as a telecom provider allowing their own name “Telenor” to be spoofed, so their own customers can be tricked, thinking Telenor is the real sender.

The advice of not to click on suspicious links in text messages and e-mails make sense. However anyone who send out legitimate SMS text messages must first make sure they cannot easily be spoofed, or use links that can be considered suspicious.

Until that happens it is very easy to understand why people get tricked, and become victims of fraud.