The Missing Layer in SMS Fraud Prevention

By Eren Bahadir Pehlivan, Founder of ADORASEC

June 2026

Fraud prevention has become one of the most heavily funded areas in financial services. Banks, payment providers, telecoms companies and public authorities continue to invest in detection algorithms, transaction monitoring, customer warnings, two-factor authentication, scam filters and consumer education.

Those tools matter.

They stop harm every day.

And yet fraud remains stubbornly large, adaptive and costly.

In the United States, reported consumer fraud losses exceeded $12.5 billion in 2024, according to the Federal Trade Commission. The FBI’s Internet Crime Complaint Center reported more than $16 billion in internet crime losses in the same year. In the European Economic Area, payment fraud by value increased from €3.5 billion in 2023 to €4.2 billion in 2024, according to the EBA and ECB.

The global picture is not identical everywhere. Some markets, such as Australia, have reported meaningful reductions in scam losses following coordinated national action. That matters, because it proves progress is possible.

But the broader pattern remains clear: fraud adapts. Criminals move across channels, mimic trusted organisations and exploit the gap between institutional communication and user trust.

This is not a story of institutions doing nothing. It is a story of institutions fighting a structural problem with tools that often sit on top of the same vulnerable communication channels.

The channel nobody questions

When a message arrives on your phone claiming to be from your bank, delivery company, government service or healthcare provider, you face a difficult task.

You have to decide whether the sender is genuine.

That should not be your burden alone.

The problem is not that users lack intelligence or awareness. The problem is that SMS was never designed to prove institutional identity. The sender name displayed on a user’s phone is not, by itself, a reliable trust signal.

A message may appear to come from a bank, a public authority or a delivery company. It may be genuine. It may be fraudulent. The user is often expected to decide under pressure, while the fraudster deliberately creates urgency, fear or confusion.

That is the weakness fraudsters exploit.

Many existing fraud prevention tools operate inside or around this environment. Scam filters try to identify suspicious messages. Warnings ask users to pause. Detection systems monitor patterns. Education campaigns teach consumers what to look for.

All of this helps.

But it does not fully answer the deeper question:

What if the communication channel itself was not designed for trust?

Why filters are necessary, but not sufficient

Scam filters and detection systems are valuable. They reduce exposure and prevent harm. Any serious fraud-prevention strategy should include them.

But filtering is still a reactive model.

A filter works by assessing whether something looks suspicious. It depends on known patterns, risk signals, language, sender behaviour, links, device intelligence or user reporting. Fraudsters then adapt. They change wording, rotate infrastructure, impersonate new institutions and exploit new social-engineering methods.

Even very good filters cannot turn an unverifiable sender into a verified one.

This matters because institutional impersonation is not only a message-content problem. It is a sender-trust problem.

If a legitimate institution and a fraudster can both appear in the same messaging environment, using similar urgency, similar branding and similar language, the user is forced to make a trust decision that the channel itself does not reliably support.

That is where the missing layer appears.

The question the industry should ask more directly

Much of the fraud-prevention conversation asks:

How do we make SMS safer?

That is an important question, but it may not be enough.

A second question is needed:

Which institutional messages should stop relying on spoofable channels in the first place?

Not every message needs new infrastructure. SMS remains useful for low-risk, general communication. A marketing update, a routine reminder or a low-consequence service message may not require the same level of assurance.

But selected high-trust messages are different.

A fraud warning, account restriction notice, delivery redirection request, address-change confirmation, payment-risk alert, public-service instruction or healthcare appointment action can create real harm if impersonated.

Those messages need more than reach.

They need sender accountability, user clarity and evidence.

The issue is not whether SMS should disappear.

The issue is whether institutions should have a verified alternative for messages that should not depend on an unverifiable sender name, an unknown link or a stressed user’s judgment.

What a verified institutional channel should provide

A communication channel designed for institutional trust needs different properties from ordinary messaging.

It should require verified sender access. Institutions should be registered and approved before they can send through the channel.

It should restrict delivery to registered users. The channel should not be an open public gateway where any sender can present themselves as an institution.

It should create an audit record. Institutions should be able to evidence what was sent, when it was delivered, whether it was read and how the user responded.

It should support user clarity. A user should have a simple behavioural rule: important institutional messages can be checked in a verified place, rather than acted on through an unverifiable SMS.

It should use limited operational data. A trusted communication layer should not require bank credentials, card numbers, PINs, passwords or transaction data. It should process only what is needed for routing, delivery, response tracking and reporting.

These are not marketing claims.

They are design choices.

A channel built this way does not eliminate all fraud. No responsible system should claim that. But it can materially reduce the opportunity for criminals to impersonate participating institutions within the verified route.

That is a different kind of prevention.

Why this matters now

In the UK, the policy environment is moving in this direction.

The Fraud Strategy 2026–2029 places renewed emphasis on disrupting fraud at source, strengthening accountability and reducing vulnerabilities in the systems criminals exploit. It also points to the need to examine anonymity and accountability in the communications sector.

That is the right conversation.

If fraudsters benefit from anonymous or weakly accountable communication routes, then one response is better detection inside those routes.

Another response is to create verified routes for the categories of communication where trust matters most.

This is especially relevant after the PSR reimbursement changes for authorised push payment fraud. Prevention, evidence and customer-communication records now matter not only as operational tools, but as part of the wider accountability landscape.

Institutions need to know not just that they sent a message, but whether the customer received it, read it and responded.

SMS was not built to provide that evidence.

A verified institutional communication layer can.

Beyond Detection: A New Standard for Trust

Fraud prevention does not need fewer filters, fewer warnings or less monitoring. It needs all of those things.

But it also needs a communication layer designed for trust.

The future of institutional fraud prevention should not rely only on asking users to identify fake messages inside channels that do not reliably verify the sender.

For selected high-trust messages, institutions should be able to say:

This message is not asking you to trust a sender name in an SMS.

It is available in a verified channel.

The sender is known.

The delivery is recorded.

The response is auditable.

That is the missing layer in SMS fraud prevention.

ADORASEC is developing a verified institution-to-consumer communication layer designed to reduce reliance on spoofable SMS for selected high-trust messages. It supports verified institutional notifications, delivery/read/response evidence and simple user-facing trust signals.

For institutional, policy or pilot discussions: adorasec.com