Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

An Overview of 7726 User Reports: Uncovering SMS Scams and Scammer Strategies

Sharad Agarwal, Guillermo Suarez-Tangil, Marie Vasek

TL;DR

The paper tackles the rising problem of SMS scams by exploiting a large-scale dataset of 1.35 million user reports from the 7726 reporting service to distinguish spam from scam texts and to classify scam types. It presents a multi-stage methodology—data collection, enrichment (HLR, DNS, registrars, AS), text classification with GPT-4o, and evaluation—yielding insights into scam diversity, infrastructure abuse, and attacker lures. Key findings include that over 40% of unique SMS reports are scams, many lacking URLs, and that scammers rely on conversational tactics and long-lived infrastructure to evade operator filters. The work highlights the need for cross-operator collaboration, improved sender-ID governance, and better user education to mitigate SMS-based fraud with practical implications for MNOs and regulators.

Abstract

Mobile network operators implement firewalls to stop illicit messages, but scammers find ways to evade detection. Previous work has looked into SMS texts that are blocked by these firewalls. However, there is little insight into SMS texts that bypass them and reach users. To this end, we collaborate with a major mobile network operator to receive 1.35m user reports submitted over four months. We find 89.16% of user reports comprise text messages, followed by reports of suspicious calls and URLs. Using our methodological framework, we identify 35.12% of the unique text messages reported by users as spam, while 40.27% are scam text messages. This is the first paper that investigates SMS reports submitted by users and differentiates between spam and scams. Our paper classifies the identified scam text messages into 12 scam types, of which the most popular is 'wrong number' scams. We explore the various infrastructure services that scammers abuse to conduct SMS scams, including mobile network operators and hosting infrastructure, and analyze the text of the scam messages to understand how scammers lure victims into providing them with their personal or financial details.

An Overview of 7726 User Reports: Uncovering SMS Scams and Scammer Strategies

TL;DR

The paper tackles the rising problem of SMS scams by exploiting a large-scale dataset of 1.35 million user reports from the 7726 reporting service to distinguish spam from scam texts and to classify scam types. It presents a multi-stage methodology—data collection, enrichment (HLR, DNS, registrars, AS), text classification with GPT-4o, and evaluation—yielding insights into scam diversity, infrastructure abuse, and attacker lures. Key findings include that over 40% of unique SMS reports are scams, many lacking URLs, and that scammers rely on conversational tactics and long-lived infrastructure to evade operator filters. The work highlights the need for cross-operator collaboration, improved sender-ID governance, and better user education to mitigate SMS-based fraud with practical implications for MNOs and regulators.

Abstract

Mobile network operators implement firewalls to stop illicit messages, but scammers find ways to evade detection. Previous work has looked into SMS texts that are blocked by these firewalls. However, there is little insight into SMS texts that bypass them and reach users. To this end, we collaborate with a major mobile network operator to receive 1.35m user reports submitted over four months. We find 89.16% of user reports comprise text messages, followed by reports of suspicious calls and URLs. Using our methodological framework, we identify 35.12% of the unique text messages reported by users as spam, while 40.27% are scam text messages. This is the first paper that investigates SMS reports submitted by users and differentiates between spam and scams. Our paper classifies the identified scam text messages into 12 scam types, of which the most popular is 'wrong number' scams. We explore the various infrastructure services that scammers abuse to conduct SMS scams, including mobile network operators and hosting infrastructure, and analyze the text of the scam messages to understand how scammers lure victims into providing them with their personal or financial details.

Paper Structure

This paper contains 24 sections, 1 equation, 8 figures, 14 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Methodology
  4. Data Collection
  5. Data Enrichment
  6. Text Classification
  7. Evaluation
  8. Results
  9. User Reports Over Time
  10. Characterization of User Reports
  11. Suspicious Text Message Classification
  12. Scam Type Classification
  13. Originating Sender ID Distribution
  14. Sender IDs
  15. Mobile Network Operators
  16. ...and 9 more sections

Figures (8)

  • Figure 1: Overview of our processing pipeline to characterize 7726 user reports and identify SMS scams.
  • Figure 2: Time of the day per week when users report suspicious text messages ($n=1,202,859$). The pair-wise two-sample KS test is significant with $p<0.05$.
  • Figure 3: Distribution of known and new scam-type messages over time. Y-axis is on log scale. Colors represent scam types.
  • Figure 4: Sender IDs which scammers abuse to send six types of scam texts. Y-axis is normalized by the total number of scams in each category.
  • Figure 5: Heatmap of common Sender IDs used in different scams. Values normalized by the total common sender IDs.
  • ...and 3 more figures