Full Report
Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month. The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent. In
Analysis Summary
# Best Practices: Mobile Communication Security and Scam Prevention
## Overview
These practices combine built-in platform defenses (such as those in Android) with organizational policy to mitigate the risk of malicious communication over SMS and Rich Communication Services (RCS), with particular attention to employment fraud, financial lures and impersonation. The goal is to proactively filter, block, and educate users against phishing and social engineering delivered via text and RCS.
## Key Recommendations
### Immediate Actions
1. **Enable Default Scam/Spam Filtering:** Ensure that the Google Messages (or equivalent native messaging application) settings are configured to automatically filter known spam and suspicious messages into the "spam & blocked" folder using on-device AI capabilities.
2. **Activate Safer Link Protection:** Verify that the "Safer Links" feature is enabled on all managed devices so that users receive a real-time warning when they tap a URL that is flagged as suspicious or that arrives in a message already classified as spam.
3. **Update Operating System and Applications:** Mandate that all end-user devices run the latest stable version of the operating system (e.g., Android) and the native messaging application to benefit from the most recent threat intelligence and defense updates.
### Short-term Improvements (1-3 months)
1. **Implement Proactive Threat Reporting Mechanism:** Establish a simple, highly visible process for users to report suspected scam messages that bypass automated filters, capturing the sender number, the full message text, any URLs, and the time received. Aggregate these reports for analysis and correlation with global threat intelligence feeds.
2. **Tighten RCS Sender Controls:** Blocking of abusive RCS numbers happens at the platform level (Google reports blocking over 100 million suspicious numbers from the service), not inside the organization. Organizations that send RCS to customers or staff should register as a verified business sender so recipients can distinguish them from spoofed lookalikes, and should instruct recipients to treat any RCS message from an unverified or unknown sender as untrusted.
3. **Baseline Threat Education on Timing:** Disseminate internal security advisories highlighting the peak times for scam activity (e.g., early morning and Monday mornings) to encourage heightened vigilance during these known high-risk windows.
### Long-term Strategy (3+ months)
1. **Integrate Dynamic URL/Link Inspection:** Deploy or integrate services that validate all incoming URLs against up-to-date public blocklists and proprietary threat databases before they are rendered accessible, regardless of whether the message was initially marked as spam.
2. **Develop Custom Anomaly Detection Models:** For internal communication channels or proprietary messaging platforms (if applicable), develop AI/ML models trained on historical internal reports (especially employment-fraud lures) to recognize the "Spray and Pray" (mass, low-effort) and "Bait and Wait" (personalized, slow-build) conversational patterns as they appear in the organization's own context.
3. **Data Sourcing and Dark Web Monitoring:** Initiate monitoring services to track if corporate or employee data (e.g., phone numbers, job titles) are being actively listed or traded on known dark web marketplaces, allowing for pre-emptive alerts if specific cohorts are targeted.
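The link-inspection and lure-pattern items above can be prototyped before any ML pipeline exists. The following is an added example, not code from the source report or from Google: a triage function that refangs reporter-pasted URLs (`hxxps://`, `example[.]com`), normalizes the host, checks it against a blocklist and a list of URL shorteners, flags non-ASCII or punycode hostnames as possible homoglyph lookalikes, and scores employment-fraud lure phrases. The blocklist, shortener list, lure terms, score thresholds and sample messages are all constructed for illustration.

```python
"""Added example (not from the source report): triage an SMS/RCS message
the way a link-inspection layer would.  Feeds and samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins for a real blocklist / threat-intel pull.
BLOCKED_HOSTS = {"secure-payroll-update.example", "hr-onboarding-portal.example"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Phrases that recur in employment-fraud and "bait and wait" lures (constructed).
LURE_TERMS = ("work from home", "daily pay", "part-time", "no experience",
              "whatsapp", "telegram", "verify your account", "urgent")

# Reporters often paste defanged URLs: hxxps://, example[.]com, example(.)com
_DEFANG = [(re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
           (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), ".")]
_URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Thresholds are a policy choice for this example, not a standard.
        return "block" if self.score >= 5 else "warn" if self.score >= 2 else "allow"


def refang(text: str) -> str:
    """Undo common defanging so the URL regex sees a real scheme and dots."""
    for pat, repl in _DEFANG:
        text = pat.sub(repl, text)
    return text


def extract_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (url, lowercased host) for every URL found in the message."""
    pairs = []
    for raw in _URL_RE.findall(refang(text)):
        raw = raw.rstrip(".,;:!?)")          # strip trailing sentence punctuation
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlsplit(url).hostname or ""  # urlsplit lowercases the host
        pairs.append((url, host))
    return pairs


def inspect(text: str) -> Verdict:
    """Score a message; URL evidence and lure wording are weighted separately."""
    v = Verdict()
    for url, host in extract_hosts(text):
        v.urls.append(url)
        if host in BLOCKED_HOSTS:
            v.score += 5
            v.reasons.append(f"blocklisted host {host}")
        if host in SHORTENER_HOSTS:
            v.score += 2
            v.reasons.append(f"shortener hides destination ({host})")
        if not host.isascii() or "xn--" in host:
            v.score += 2
            v.reasons.append(f"non-ASCII/IDN host {host!r} (homoglyph risk)")
    hits = [t for t in LURE_TERMS if t in text.lower()]
    if hits:
        v.score += min(len(hits), 3)         # cap: wording alone cannot force a block
        v.reasons.append("lure terms: " + ", ".join(hits))
    return v


SAMPLES = [  # constructed messages
    "Hi! We saw your resume. Work from home, daily pay $300. Chat on WhatsApp: hxxps://bit[.]ly/3xyz",
    "URGENT: your payroll account needs verification https://secure-payroll-update.example/login",
    "Team lunch moved to 12:30, menu at https://intranet.corp.example/menu.",
    "Account notice: https://\u0430pple.example/verify",  # Cyrillic 'a' lookalike
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = inspect(m)
        print(f"{v.action:5} score={v.score} {v.reasons}")
```

The first sample is blocked on a shortener plus three lure phrases, the second on a blocklisted host, the third is allowed, and the fourth is only warned on because the lookalike host carries no other evidence; tuning those thresholds against real reports is the work the long-term items describe.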
## Implementation Guidance
### For Small Organizations
- **Focus on Configuration:** Rely heavily on enabling all available, built-in security features on existing end-user devices (e.g., enable all Google Play Protect and Messages security settings).
- **Simplicity in Reporting:** Use a single dedicated reporting mailbox that employees forward suspicious messages to immediately, including the sender number and either a screenshot or the full message text.
### For Medium Organizations
- **Internal Threat Briefings:** Schedule mandatory quarterly briefings (15 minutes) focused purely on the social-engineering trends currently seen in external messaging (employment scams, package-delivery lures).
- **RCS Policy Review:** If using internal or customer-facing RCS, define strict allowlist policies for approved sender identities and a documented way for recipients to verify a sender out-of-band.
### For Large Enterprises
- **API Integration for Threat Intelligence:** Integrate mobile security vendor APIs or threat intelligence feeds directly into incident response platforms to automate blocklisting of suspicious numbers globally as they are identified internally.
- **Group Chat Lures:** Scammers add several targets to one group chat and plant accomplices who vouch for the offer, manufacturing false validation and urgency. EMM and EDR tools cannot read message content, so cover this vector by enforcing the messaging client's spam and unknown-sender protections through EMM policy and by making sure the reporting path captures group-chat lures, not just one-to-one messages.
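The reporting mechanism in the short-term actions and the automated blocklisting described for large enterprises meet in one practical step: the same sender shows up in reports as "+1 (555) 010-0123", "1-555-010-0123" and "5550100123" and must be counted once. The following is an added example, not code from the source report or any vendor API, that normalizes reported sender numbers to E.164, groups reports by distinct reporter, and emits blocklist candidates once a threshold is met. The sample reports are constructed, the default country code is an assumption, and the normalization is deliberately simplified (a production pipeline would use a full library such as libphonenumber).

```python
"""Added example (not from the source report): turn employee scam reports
into blocklist candidates.  Sample reports are constructed; the default
country code and the simplified E.164 logic are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_COUNTRY_CODE = "1"   # assumption: numbers without a prefix are domestic US
MIN_DISTINCT_REPORTERS = 2   # one report is a signal; two independent ones, a candidate


@dataclass(frozen=True)
class Report:
    reporter: str   # who forwarded it (mailbox or user id)
    sender: str     # sender field exactly as the reporter pasted it
    text: str


def normalize_e164(raw: str) -> Optional[str]:
    """Collapse formatting variants of one number into a single +E.164 string.
    Returns None for alphanumeric sender IDs and ambiguous short numbers."""
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None                              # e.g. alphanumeric sender ID
    if s.startswith("+"):
        pass                                     # country code already present
    elif digits.startswith("00"):
        digits = digits[2:]                      # ITU international prefix
    elif digits.startswith("011"):
        digits = digits[3:]                      # North American international prefix
    elif len(digits) == 10:
        digits = DEFAULT_COUNTRY_CODE + digits   # bare national number
    elif not digits.startswith(DEFAULT_COUNTRY_CODE):
        return None                              # short code or unknown format
    if not 8 <= len(digits) <= 15:               # E.164 caps at 15 digits
        return None
    return "+" + digits


def aggregate(reports: List[Report]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Group reports by normalized sender -> set of distinct reporters.
    Senders that cannot be normalized are returned separately for manual review."""
    by_sender: Dict[str, Set[str]] = defaultdict(set)
    unparsed: List[str] = []
    for r in reports:
        n = normalize_e164(r.sender)
        if n is None:
            unparsed.append(r.sender)
        else:
            by_sender[n].add(r.reporter)
    return dict(by_sender), unparsed


def blocklist_candidates(reports: List[Report],
                         min_reporters: int = MIN_DISTINCT_REPORTERS) -> List[str]:
    """Numbers reported by at least `min_reporters` different people."""
    by_sender, _ = aggregate(reports)
    return sorted(n for n, who in by_sender.items() if len(who) >= min_reporters)


SAMPLE_REPORTS = [  # constructed; 555-010x and +44 7700 900xxx are reserved test ranges
    Report("alice", "+1 (555) 010-0123", "Work from home, daily pay..."),
    Report("bob",   "1-555-010-0123",    "Part-time job, $300/day..."),
    Report("alice", "5550100123",        "Still interested? Reply YES"),  # same sender, same reporter
    Report("carol", "+44 7700 900123",   "Your parcel is waiting..."),
    Report("dave",  "GOOGLE",            "Your verification code is 123456"),  # alphanumeric ID
]

if __name__ == "__main__":
    by_sender, unparsed = aggregate(SAMPLE_REPORTS)
    for n, who in sorted(by_sender.items()):
        print(f"{n}: {len(who)} distinct reporter(s) {sorted(who)}")
    print("needs manual review:", unparsed)
    print("blocklist candidates:", blocklist_candidates(SAMPLE_REPORTS))
```

Counting distinct reporters rather than raw reports is what keeps one confused user, or one user forwarding the same thread three times, from pushing a number onto the blocklist; alphanumeric sender IDs are routed to manual review because they cannot be blocked by number at all.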
## Configuration Examples
*(Note: The source describes defenses Google applies at the platform and client level; the table below translates them into settings an organization can enforce on managed devices. Exact setting names vary by client and version.)*
| Mechanism | Actionable Setting/Guideline | Rationale |
| :--- | :--- | :--- |
| **URL Protection** | Enforce link warnings or blocking for URLs in suspected spam messages on all standard user profiles. | Warns before loading links whose true destination is obscured by URL shorteners or lookalike domains. |
| **Spam Filtering** | Keep automatic spam detection enabled and leave suspected spam in the "spam & blocked" folder rather than the primary inbox. | Users are far less likely to open or reply to a lure they never see in the main thread list. This is client-side filtering after delivery, distinct from the platform-level blocking of known malicious numbers before a message is sent. |
| **RCS Security** | Keep spam detection and unknown-sender protections enabled in the RCS-capable client, and treat a first-contact RCS message from an unknown sender exactly like an unsolicited SMS. | RCS is newer and less scrutinized than SMS; the channel itself is not a trust signal, and blocking of abusive senders is performed by the platform, not by the receiving organization. |
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):**
- **Identify:** Mapping common scam vectors (like employment fraud) to existing organizational data exposure risks.
- **Protect:** Utilizing platform-based defenses (AI filtering, safer links) to minimize transmission of harmful content.
- **ISO/IEC 27001:**
- **A.12.6.1 (Management of Technical Vulnerabilities; control 8.8 in ISO/IEC 27001:2022):** Regularly ensuring endpoint operating systems and security clients are patched to maintain functional filtering capabilities.
- **CIS Critical Security Controls (CSC):**
- **Control 14 (Security Awareness and Skills Training):** Incorporating specific training modules based on identified scam trends (e.g., "Bait and Wait" personalized scams).
## Common Pitfalls to Avoid
1. **Over-reliance on User Vigilance:** Assuming users will manually review every suspicious link when automated, proactive filtering (like Google's built-in solution) is available and scalable.
2. **Ignoring Group Chat Vectors:** Only defending against direct, one-to-one communication; scammers increasingly use group chats to engineer false validation and urgency.
3. **Disabling Native Protections:** Organizations implementing overly restrictive mobile policies that inadvertently disable critical, on-device AI-driven spam and phishing filters for the sake of process conformity.
4. **Treating All Communication Channels Equally:** Failing to recognize the increased risk associated with evolving, less scrutinized channels like RCS, which require targeted validation policies.
## Resources
- **Platform Security Documentation:** Review documentation published by mobile operating system providers detailing how to enforce security/privacy settings across managed devices.
- **Threat Intelligence Feeds (Specific to Phishing/Smishing):** Subscribe to CISA alerts or industry-specific threat intelligence sharing groups to integrate timely updates on new scam campaigns into internal blocklists.
- **OWASP Mobile Application Security (MAS) Project:** Reference guidelines for hardening the communication layers of custom line-of-business (LOB) applications.