Scammers have found a new approach for spoofing numbers
It may not deserve it, but RCS gets a bad rap, particularly in areas where encrypted messengers like WhatsApp reign supreme. Even in the US, it's met with apathy, as iMessage has the mindshare despite Google's best efforts to move the needle. But it's an industry standard, not a walled garden, and for those who use it, the addition of web-based features like end-to-end encryption and message reactions make it a vastly superior alternative to SMS and MMS. However, it appears the standard is not immune to one of its predecessors' biggest issues: spoofed phone numbers sending spam texts.
A tipster brought this to our attention, and Android Police founder Artem Russakovskii noted that he had been seeing the same thing in recent weeks: scammers purporting to have a USPS package ready at your local post office now have an extra layer of authenticity to support their fraudulent claims, as the chats they initiate are coming through as end-to-end encrypted RCS messages. Upon further investigation, it appears this plague of RCS spam may have started in earnest two months ago. Redditors on the Google Messages forum and the Universal Profile subreddit have been encountering the same types of messages, all in the United States, as far back as September 23.
The screenshots above are from one of our own phones in the US. Interestingly, you'll notice the message fields at the bottom all say "Text message" rather than "RCS message," indicating they are SMS or MMS threads rather than RCS chats. But, as you can see immediately above each of the spam messages we received, these threads started out as RCS chats — it appears the scammers who spoofed these numbers somehow registered them with an RCS backend, but by the time we captured the screenshots, the numbers had been de-registered.
The fact that these numbers are so obviously being spoofed shines light on another wrinkle to this problem: you can't just block the phone numbers, as a new one will crop up tomorrow. However, Google Messages has done an excellent job of identifying these as spam and automatically filtering them — in fact, we didn't even notice these messages coming in, as the "Spam protection" notification channel was turned off on the phone where we received them.
However, this isn't the first time scammers have managed to spoof RCS-registered phone numbers. In 2022, an eerily similar problem plagued India, to the point where Google even had to shut down all RCS advertising in its Messages app. At the time, a company spokesperson said, “We are aware that some businesses are abusing our anti-spam policies to send promotional messages to users in India. We are disabling this feature in India while we work with the industry to improve the experience for users.”
It's unclear if the RCS spam messages currently plaguing the US are related to the business messaging feature like they were in India, but for now, take caution with any suspicious text — even if it's an encrypted RCS chat.
Thanks: Nick
By subscribing, you agree to our Privacy Policy and may receive occasional deal communications; you can unsubscribe anytime.
Dallas was the type of kid who would take apart his toys to see what made them tick, and he grew up to become a mechanic for a while. His innate curiosity for how things work led him to a career covering Android in 2014, and that’s where he found his true calling. He’s rooted every phone he ever owned, although he usually sticks with the stock ROM nowadays. When he’s not digging into Android, he’s either hiking, watching a Rockets game, or busy raising his young son.