Home A
Homepage #1
Home B
Homepage #2
Home C
Homepage #3
Product A
Product #1
Product B
Product #2
Product C
Product #3
Contact A
Contact #1
Contact B
Contact #2
Contact C
Contact #3
About
About
Case Study
Case Studies
Single Case Study
Case Study
Integrations
Integrations
Single Integration
Single Integration
Pricing
Pricing
FAQ
FAQ
Sign In
Sign In
Create account
Create Account
Reset password
Reset Password
Legal
Legal
Book a demo
Book a demo
Blog
Blog
Article
Article
404
404
Password
Password
Pages
Get full access on request after purchase
Ultra
Buy
Blog

SMS spoofing and sender-ID integrity in unregistered markets

SMS spoofing and sender-ID integrity in unregistered markets

An alphanumeric sender ID, like "YourBank," "UberEats," or "NHSNOTIFY," is a text string that travels with an A2P SMS and displays on the handset as the sender name. In markets with a strong sender-ID registration regime, those strings are protected: only the registered brand can use them, and attempts to spoof them are filtered at operator gateways. In markets without a registration regime, the strings are effectively free-form text. Anyone with access to an aggregator that accepts arbitrary sender IDs can send a message that displays as any brand on any handset.

This is the infrastructural gap underneath most consumer-facing SMS phishing. The phone does not lie to the user, and the operator network does not lie to the phone. The network is simply passing through whatever sender ID the submitter claimed. When the submitter is a legitimate bank, the claim is accurate. When the submitter is an attacker, the claim is a spoof. The network has no canonical way to distinguish the two in markets where sender IDs are not authenticated at origination.

This post describes how SMS spoofing works at the protocol layer, what the published literature says about the attack, why sender-ID registration regimes in the UAE, Saudi Arabia, and increasingly in Nigeria have reshaped the problem in their jurisdictions, and what buyers in markets without such regimes should demand from their A2P provider.

The mechanism, briefly

An A2P SMS submission over SMPP carries a source address field, which is the sender ID. The submitter populates this field, the SMSC accepts it, the message traverses the signalling chain toward the terminating MSC, and the MSC delivers the message to the handset with the source address shown as the sender. Nothing in the plain SMPP or MAP protocol authenticates the source address. It is a claim rather than a verification.

Between the submitter and the terminating MSC, there may be one or more intermediate SMSCs, aggregators, or grey-route interconnects. Each of them can in principle rewrite the source address, and some do, either legitimately for routing reasons or illegitimately because the downstream operator does not enforce sender-ID consistency. In a market without sender-ID registration, the terminating MSC has no canonical way to check whether "YourBank" really belongs to the bank. It simply delivers the message with the label the signalling chain produced.

The security literature has long noted that SMS was designed under mutual-trust assumptions between operators, and the sender-ID field is one of the artefacts of that design. A comprehensive review of SMS as a second factor of authentication concludes that the channel has weaknesses at multiple layers (interconnect, SS7, endpoint), and sender-ID spoofing is one of the oldest and easiest to exploit.

What sender-ID registration actually does

Sender-ID registration regimes (UAE TDRA's Sender ID Registry, Saudi Arabia's CITC A2P sender-ID framework, Nigeria's NCC registration requirements) work by moving the trust decision from "at delivery" to "at submission."

The regulatory flow is consistent across the three. A brand registering to send A2P SMS submits documentation: corporate registration, a list of sender IDs they wish to use, descriptions of the use cases, and acceptance of an acceptable-use policy that prohibits prohibited categories (gambling where banned, religious solicitation, and so on). The regulator or an authorised operator-side authority issues approval, and the sender ID becomes a registered identifier. Operators in the jurisdiction are required to filter incoming A2P traffic against the registry: messages claiming a sender ID that does not belong to the submitting party are rejected.

The enforcement mechanism varies. In the UAE, operators maintain the registry and filter at the SMSC layer. In Saudi Arabia, a central platform enforces across all operators. In Nigeria, enforcement is still maturing, with operator-level compliance uneven across the three main carriers.

The effect on consumer-facing spoofing is measurable. Before registration regimes, impersonating banks over SMS was trivial in these markets. After registration, the impersonation paths narrow substantially. Attackers shift to other channels (RCS spoofing where RCS Business Messaging is not yet strictly regulated, WhatsApp Business impersonation, voice calls from spoofed numbers) rather than continuing to push SMS spoofs that get filtered. The literature on mobile-based fraud ecosystems documents this shift as a recurring adaptation: the fraud primitives do not disappear. They move to the weakest controllable channel.

The persistent gap in markets without registration

A large share of the world's A2P SMS traffic terminates in markets without sender-ID registration: most of sub-Saharan Africa outside South Africa, most of Southeast Asia, parts of Central Asia, and Latin America outside Brazil and Mexico. In these markets, the sender-ID-on-handset is effectively an unverified text label.

The consequences show up in two places.

Consumer trust: consumers in markets without sender-ID integrity cannot reliably distinguish a real bank SMS from a phishing SMS by the sender name alone. This reduces the marginal effectiveness of SMS-based brand communication and raises the base rate of user susceptibility to phishing flows that originate in SMS. A user trained to trust "MyBank" as a sender name is in a worse position when anyone can send as "MyBank."

Authentication integrity: OTP flows depending on the user recognising the sender ID as a trust signal are weakened in unregistered markets. The best-practice mitigation is to avoid depending on sender ID for trust decisions and to construct OTP flows that rely on the code itself plus the context of the login attempt rather than the label of the sender. The literature on SMS as a second factor makes this point explicitly: the rerouting and spoofing surfaces together make sender ID an unreliable trust indicator.

What buyers should demand

A buyer operating in markets with mixed sender-ID regimes needs to know, per destination, what the provider's stance is. The accurate answer varies by market and the buyer should get it in detail rather than as a global claim.

For regulated markets, the claim is "we comply with the registration regime and file your sender IDs on your behalf." The filing process typically requires corporate documentation, sample message templates, and use-case descriptions, and takes days to weeks depending on the regulator. A provider claiming sender-ID registration in UAE, Saudi Arabia, or Nigeria should be able to show their regulator-issued credentials and the corresponding filings for the buyer's IDs.

For unregulated markets, the claim is more complicated. The provider cannot prevent spoofing of the buyer's sender ID by third parties outside the provider's own traffic. The provider can only commit to not spoofing sender IDs in its own submissions. A provider that proactively monitors for spoofing of the buyer's IDs by others (via reverse-delivery testing, honeypot subscriber numbers, aggregator-coordination intelligence sharing) is offering something real. A claim of "no spoofing" without monitoring detail offers an assurance the provider cannot actually deliver.

The minimum sender-ID integrity ask in an enterprise A2P contract has three parts.

Per-market compliance statement: for each destination country the buyer sends to, the provider should state whether a sender-ID registration regime exists, whether the provider participates in it, what credential the buyer's IDs are registered under, and what the regulator's dispute process looks like if the buyer's ID is spoofed.

Route-provenance disclosure: for each destination, which route class is used (direct MNO interconnect, authorised aggregator, or best-effort). Buyers should refuse routes that terminate as P2P when they are paying for A2P.

Spoofing-monitoring commitment: a specific statement that the provider monitors for spoofed traffic targeting the buyer's registered sender IDs in the regulated markets, with a remediation escalation path. In unregulated markets, the provider should be explicit that monitoring is limited and the buyer has reduced recourse.

An A2P contract that does not address these three is leaving the sender-ID integrity question as an assumption. In markets with strong regimes, the assumption is usually reasonable. In markets without, the assumption does not hold.

How Tensormobile ships sender-ID handling

A licensed operator terminating its own traffic has visibility into the sender-ID claim at the point of submission and at the point of termination. When those two are both within the licensed operator's footprint, the operator knows with certainty that the claim was not rewritten downstream. When they are not, the operator is accepting the claim from an upstream party whose integrity is an assumption.

The practical consequence is that routes passing entirely through licensed operators are the routes where sender-ID integrity is strongest. Grey routes that terminate A2P as P2P traffic, precisely because they dodge the A2P termination process, also dodge the sender-ID checking that some terminating operators apply. This is a recurring theme in the grey-route literature: the economic incentive to route around A2P termination is the same economic incentive that erodes sender-ID integrity.

TensorConnect's A2P SMS surface publishes sender-ID registration status per market. For the EU, UAE, Saudi Arabia, Qatar, Nigeria, South Africa, and the other markets with active registration regimes, Tensormobile documents the registry, the filing process, and the timeline. Sender-ID filings are handled on behalf of customers as part of onboarding rather than as a separate service.

For markets without registration regimes, the absence is documented explicitly. Tensormobile does not claim to prevent third-party spoofing in those markets. What is committed is that Tensormobile's own submission layer does not rewrite sender IDs between submission and termination on the routes Tensormobile controls, and that the route-provenance disclosure identifies any hop where claim integrity is not under Tensormobile's direct control. Sender-ID integrity is a function of regulatory regime plus route architecture. Both are factual, auditable, and disclosed per market.

Skip the aggregator. Talk to the network.

Get Early Access
Take to an Engineer
logo single
Company
Home
About
Blog
Contact
Product
TensorConnect
TensorSignal
TensorAuth
TensorShield
More
Legal
Create Account
Sign In
© Tensormobile Telecom d.o.o. Hrvatska
Matrix Office Park, Zagreb, Croatia
“My favorite subscription by far. Fresh supply of templates and ready-to-use sections that save us hours on every project. Absolute no-brainer.”
Jeremy Olley
Small Agency
best deal
Save with BYQ Supply Ultra
BYQ Supply Ultra is our premium subscription that gives you access to our templates and 1800+ copy/paste sections library for half the price.
Webflow Marketplace
1 template for $129
With byq ultra
3 templates for $46 each + 1800 sections
3 template credits every quarter
Full access to 1800+ copy paste sections library
All new templates added during your subscription
With code CRAFTED20 only $46/month for the first quarter.
Cancel anytime.
Get Nerdstack with ULTRA