How to use URLs safely in public SMS communications
Australians regularly receive unsolicited SMS communications that impersonate legitimate businesses, charities and even Australian Government entities. For this reason, many Australian Government entities clearly state that they will not include URLs in their SMS communications.
However, some Australian Government entities sometimes need to use URLs in their standard business practices to provide urgent information to Australians. Therefore, we have worked with our partners in the Australian Cyber Security Centre, the Australian Competition and Consumer Commission and the Australian Federal Police to provide guidance for Australian Government entities about the risks involved, key principles to consider, and the importance of a consistent approach to SMS communication.
Key principles to consider when using URLs in public SMS communications
Apply the principles below to reduce the risk to Australian businesses and the community:
- Use URLs as a last resort. Do not include a URL if your message does not require further information or calls to action. Acknowledge the risks of using URLs and implement mitigation strategies.
- Link to a central site if possible: link to 'aus.gov.au' or 'australia.gov.au' or another '.gov.au' address to minimise confusion and enable clear public messaging. Government information relating to emergency or crisis situations should be signposted and linked to a central site. If this is not possible, seek advice from the Australian Cyber Security Centre.
- Do not use shortened URL services. These are commonly used by cybercriminals to disguise malicious links. As above, simplify your URL by using 'aus.gov.au' or 'australia.gov.au' or another '.gov.au' address as a landing page and link from there. Government entities can use their homepage to link to additional guidance in place of providing a long URL in the message contents.
- Use clear, simple messaging to the public: this guidance contains examples of clear public messaging that can be used by government entities.
- Include scam awareness on your website: government entities should include information on their website detailing how they communicate and interact with the public. This can include example images of scams and information encouraging people to be cautious.
- Return to the normal practice. If sending URLs is required in an emergency situation, entities should return to the normal practice when the emergency situation is over.
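The link principles above can be checked automatically before a message is sent. The following is an added example, not part of the original guidance: a pre-send check that parses each URL in a draft SMS and tests the actual hostname, so that a '.gov.au' string appearing elsewhere in the link does not pass. The shortener list, the problem codes and the sample drafts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative list only, not taken from the guidance.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Matches full URLs and bare hostnames such as "aus.gov.au/help".
URL_RE = re.compile(r"https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def check_url(url):
    """Return a list of problem codes for one URL (empty list = acceptable)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    problems = []
    if parts.username is not None:
        # "https://my.gov.au@pay.example/" really goes to pay.example.
        problems.append("userinfo")
    if host in SHORTENERS:
        problems.append("shortener")
    # The host must BE gov.au or end in ".gov.au"; the leading dot matters,
    # otherwise "servicesgov.au" would pass.
    if not (host == "gov.au" or host.endswith(".gov.au")):
        problems.append("not-gov-au")
        if "gov.au" in url.lower():
            problems.append("lookalike-gov-au")
    return problems


def lint_sms(text):
    """Return {url: problems} for every URL found in an outbound SMS draft."""
    found = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)\"'")
        found[url] = check_url(url)
    return found


# Constructed sample drafts, not real messages.
DRAFTS = [
    "Flood warning for your area. Latest advice: https://www.australia.gov.au/floods.",
    "Update your details at https://my.gov.au.account-verify.example/login",
    "Your refund is ready: https://bit.ly/EXAMPLE",
    "Pay now https://my.gov.au@pay.example/ or visit servicesgov.au",
]

if __name__ == "__main__":
    for draft in DRAFTS:
        for url, problems in lint_sms(draft).items():
            print("OK  " if not problems else "FAIL", url, problems)
```

Only the first draft passes; the others fail because the hostname the link resolves to is not under '.gov.au', even where 'gov.au' appears in the text of the link.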
Sample messages that entities can use in their communication to combat scams
Tips for avoiding scams
- Australians should treat all SMS communications containing URLs with caution.
- Do not click on URLs if you are unsure whether an SMS is genuine. This includes links to unsubscribe from the SMS service. Refer to the appropriate government website to verify the SMS and associated URLs.
- Government messages, sent via SMS, should only direct you to '.gov.au' addresses.
- Be aware that scammers may also use '.gov.au' and legitimate-sounding names within their malicious URLs to try to confuse you.
How to recognise an SMS scam
- Australian Government entities should only ever ask you to go to 'aus.gov.au' or 'australia.gov.au' or another '.gov.au' address.
- Scammers may also use '.gov.au' within the URL – you should always independently check government websites before responding.
- Legitimate government SMS communications will not use URLs as a means to update your personal details, or ask you to confirm your personal details. It is recommended that users update details by going directly to the relevant website rather than clicking on a URL provided by the SMS.
- Ask yourself: Did you give your consent to receive the messages? If not, it may not be a genuine message.
Reporting cybercrime and support
Government and non-government entities should report malicious activity by cybercriminals to the Australian Cyber Security Centre via 1300 CYBER1 (1300 292 371) or the Australian Cyber Security Centre website.
Also contact the Australian Cyber Security Centre if you would like advice or have any cyber security questions about SMS communications.
In addition, the Australian Cyber Security Centre publishes a range of information about malicious activity as well as advice and guidance that will help you protect your systems, data and personal information.
iDCARE provides a community response service for individuals who have been exposed to scams, cybercrimes and identity theft.
Scams and phishing threats
Scamwatch can provide you with information about new scams, how to protect yourself against scams and how to report a scam.
The Australian Competition and Consumer Commission and Scamwatch appreciate government entities' contribution to the collection of scam related data. Visit Scamwatch for further information.
Commercial SMS communications
The Australian Communications and Media Authority (ACMA) regulates commercial SMS communications under the Spam Act 2003. The ACMA also provides a range of guidance material on managing spam and phone scams on the ACMA website.