The NCSC report/warning on SMS spoofing is very disappointing. A spokesbod from OfCom also commented on This Sort of Thing recently (https://www.bbc.co.uk/news/business-56934517). NCSC and OfCom issue warnings that CLI information is unreliable but don't pursue the implications:
1. If the CLI on calls is unreliable then so is the CLI on SMS messages.
2. If an SMS message contains a link (eg for use on a pocket computer) then that too is not trustworthy and should not be followed.
3. If links in SMS messages are untrustworthy then surely government institutions and marketeers for reputable organisations should not send them (note me avoiding the difficult concept of reputable marketeers).
4. If *only* untrustworthy organisations/people send links in text messages then people might eventually learn not to follow them.
Instead we get some weak compromise message about not following links unless you were expecting them. In other words, it's probably OK as long as you trust the sender... (See point 1, above).
Even worse than this, many organisations send shortened/obfuscated links such as bit.ly redirects for no good reason. If it's a clickable link then why not show the full URL? If it's a unique link they want the receiver to type in to the browser on another computer then a code to be entered onto their branded page would be a far better option.
FFS! Concealing where a link is leading people should set off big red flashing warnings that it's not to be trusted.
Banks, retailers, tax authorities, government (all levels), political parties, healthcare etc etc should *not* be sending 'clickable' links in text (SMS and e-mail) messages.
Biting the hand that feeds IT
