"Beware of This Dangerous SMS Scam: How to Block and Stay Safe Online"

by

RCS Spam and Phishing Scams Surge: How to Protect Yourself from Fraudulent Messages

San Francisco — If you’ve received a suspicious message claiming to be from a trusted organization like your bank, healthcare provider, or a delivery service, you’re not alone. A growing wave of spam and phishing attacks is targeting users through Rich Communication Services (RCS), the next-generation messaging protocol designed to replace traditional SMS. Unlike SMS, RCS offers features like read receipts, high-quality media sharing, and enhanced security—yet fraudsters are increasingly exploiting these capabilities to deceive users. Security experts warn that these scams are becoming more sophisticated, often mimicking legitimate communications with alarming accuracy.

From Instagram — related to Protect Yourself, Rich Communication Services

Recent reports highlight a troubling trend: attackers are leveraging RCS to send phishing messages that appear to come from verified sources, complete with logos, branding, and even verified sender badges. These messages often urge recipients to click on malicious links, enter sensitive information, or confirm personal details under false pretenses. The consequences can be severe, ranging from financial loss to identity theft and unauthorized access to medical or corporate systems. With RCS adoption accelerating globally, the urgency to address these vulnerabilities has never been greater.

Linda Park, Technology Editor at World Today Journal, explains: “RCS was intended to modernize messaging, but its advanced features are being weaponized by scammers. The same tools that make RCS more engaging—like branding and verified sender status—are now being used to trick users into lowering their guard. The challenge for consumers and businesses alike is distinguishing between legitimate and fraudulent messages in an environment where the lines are increasingly blurred.”

What Is RCS, and Why Is It a Target for Scammers?

RCS, or Rich Communication Services, is a messaging protocol developed as an upgrade to SMS. It enables features like group chats, typing indicators, high-resolution media sharing, and end-to-end encryption in some cases. Unlike SMS, which relies on cellular networks, RCS operates over data connections, making it more versatile and interactive. Major carriers and tech companies, including Google, have embraced RCS as the future of mobile messaging, with Google Messages serving as the default RCS client for many Android users.

But, the very features that make RCS appealing also make it an attractive target for scammers. For example, RCS supports verified sender branding, which allows businesses to display their logos and verified badges in messages. While this feature is designed to build trust, it can also be spoofed by attackers to create convincing phishing messages. RCS messages can include interactive buttons, such as “Confirm” or “Verify Now,” which fraudsters use to trick users into clicking malicious links.

What Is RCS, and Why Is It a Target for Scammers?
Google Messages Health Mobile Ecosystem Forum

In November 2023, Dario Betti, CEO of the Mobile Ecosystem Forum (MEF), shared his firsthand experience with an RCS phishing message on LinkedIn. The message, which appeared to come from a UK-based sender, was correctly flagged as spam by Google Messages, but Betti’s post underscored the growing threat. “It’s unfortunate to see RCS being exploited so quickly,” Betti wrote. “This is a reminder that we need to tackle this issue before it becomes as pervasive as the SMS grey route epidemic.” His warning was echoed by other industry experts, including Tim Atkinson of Google, who noted that migrating traffic from SMS to Rich Business Messaging (RBM) could assist improve security for Android users.

How RCS Phishing Scams Work

RCS phishing scams often follow a familiar pattern, but with a modern twist. Here’s how they typically unfold:

  • Impersonation: Scammers send messages that appear to come from trusted organizations, such as banks, healthcare providers, or delivery services. These messages often include the organization’s logo, branding, and even a verified sender badge, making them difficult to distinguish from legitimate communications.
  • Urgency and Fear Tactics: The messages often create a sense of urgency, warning recipients that their account has been locked, a payment has failed, or a package delivery requires confirmation. For example, a recent scam in Poland targeted healthcare professionals with messages claiming their access to the e-Health (P1) system had been suspended. The messages urged recipients to click a link to “verify” their credentials, redirecting them to a fake login page designed to steal their usernames and passwords.
  • Malicious Links: The messages include links that appear legitimate but lead to fake websites or download malware onto the user’s device. These websites are often designed to mimic the real thing, complete with login forms and branding. Once users enter their credentials, the scammers gain access to their accounts.
  • Data Theft and Fraud: With access to compromised accounts, scammers can steal sensitive information, such as medical records, financial data, or personal identification details. In the case of the Polish e-Health scam, attackers used stolen credentials to generate fraudulent prescriptions and medical leave certificates, posing a significant risk to patient privacy and public health.

CERT Orange Polska, the cybersecurity team of Orange Poland, issued a warning in April 2025 about the e-Health phishing scam, identifying domains like p1-zdrowie[.]eu and GabinetLekarski[.]info as being used in the attacks. The team emphasized that users should avoid clicking on suspicious links and verify the authenticity of messages by contacting the organization directly through official channels.

Why RCS Scams Are Harder to Detect

Unlike traditional SMS, which is limited to plain text and basic formatting, RCS messages can include rich media, interactive buttons, and verified sender branding. This makes them more convincing and harder to detect as fraudulent. Here are some of the key challenges users face:

Block the scam likely calls on iPhone or Android .
  • Verified Sender Badges: RCS allows businesses to display verified badges, which are intended to reassure users that the message is legitimate. However, scammers can spoof these badges, making it difficult for users to distinguish between real and fake messages.
  • Interactive Elements: RCS messages can include buttons, carousels, and other interactive elements that encourage users to engage with the content. Scammers use these features to create a sense of urgency, such as “Click here to confirm your delivery” or “Verify your account now.”
  • Lack of Awareness: Many users are still unfamiliar with RCS and its features, making them more vulnerable to scams. Unlike SMS, which has been around for decades, RCS is relatively new, and its security implications are not yet widely understood.
  • Cross-Platform Exploitation: RCS scams are not limited to a single region or carrier. For example, Michał Czyż of Polkomtel noted in 2023 that RCS phishing messages were being sent from UK-based numbers to users in Poland, highlighting the global nature of the threat.

Mayte Martín of iBASIS, a global communications provider, emphasized the importance of education in combating RCS scams. “Users need to know how to easily differentiate fraud from real communications,” she wrote in response to Betti’s LinkedIn post. “This is on everyone involved in RCS—carriers, tech companies, and regulators—to address.”

How to Protect Yourself from RCS Phishing Scams

While RCS scams are becoming more sophisticated, You’ll see steps users can take to protect themselves:

  • Verify the Sender: Check the sender’s details carefully. Legitimate RCS messages from businesses will often include a verified badge and the organization’s logo. However, be cautious—scammers can spoof these elements. If in doubt, contact the organization directly using a verified phone number or email address.
  • Avoid Clicking on Links: Never click on links in unsolicited messages, even if they appear to come from a trusted source. Instead, navigate to the organization’s official website or app to verify the information.
  • Use Built-in Spam Detection: Many RCS clients, including Google Messages, have built-in spam detection features that flag suspicious messages. Enable these features and report any spam or phishing attempts to your carrier or messaging provider.
  • Enable Two-Factor Authentication (2FA): Two-factor authentication adds an extra layer of security to your accounts by requiring a second form of verification, such as a code sent to your phone or email. This can help prevent unauthorized access even if your credentials are compromised.
  • Block Suspicious Contacts: If you receive a suspicious message, block the sender immediately. Most messaging apps allow you to block and report spam contacts with just a few taps.
  • Stay Informed: Keep up to date with the latest scams and security advisories from trusted sources, such as your carrier, cybersecurity organizations, or government agencies. For example, the Federal Communications Commission (FCC) in the U.S. Provides resources on how to recognize and report spoofing and phishing scams.

The Role of Carriers and Tech Companies

While users play a critical role in protecting themselves, carriers and tech companies also have a responsibility to address the growing threat of RCS scams. Here’s what they’re doing—and what more can be done:

The Role of Carriers and Tech Companies
Google Messages Carriers Regulators
  • Improving Spam Detection: Companies like Google are enhancing their spam detection algorithms to identify and flag fraudulent RCS messages. For example, Google Messages now automatically detects and alerts users to potential spam or phishing attempts, as noted by Tim Atkinson in his response to Betti’s LinkedIn post.
  • Educating Users: Carriers and tech companies are increasingly providing resources to help users recognize and avoid scams. This includes in-app warnings, educational campaigns, and partnerships with cybersecurity organizations.
  • Collaborating with Regulators: Industry groups, such as the Mobile Ecosystem Forum (MEF), are working with regulators to establish best practices for RCS security. This includes efforts to standardize verified sender badges and improve cross-carrier spam reporting.
  • Enhancing Encryption: While RCS supports end-to-end encryption in some cases, not all messages are encrypted by default. Expanding encryption to all RCS communications could help protect users from eavesdropping and man-in-the-middle attacks.

Despite these efforts, challenges remain. For example, the lack of a unified RCS standard across carriers and regions can create gaps in security. The rapid adoption of RCS means that scammers are constantly evolving their tactics, requiring carriers and tech companies to stay one step ahead.

What Happens Next?

The fight against RCS spam and phishing is far from over. As adoption of the protocol continues to grow, so too will the sophistication of scams targeting users. Industry experts agree that a multi-pronged approach is needed, combining improved technology, user education, and regulatory oversight.

For now, users are advised to remain vigilant and follow best practices for recognizing and avoiding phishing scams. Carriers and tech companies, meanwhile, are expected to continue enhancing their spam detection and security measures. Regulators, such as the FCC and the European Union Agency for Cybersecurity (ENISA), are also likely to play a more active role in addressing the issue, particularly as RCS becomes more widely adopted.

The next major checkpoint in this effort will likely come later this year, as industry groups like the MEF and the GSMA release updated guidelines for RCS security. These guidelines are expected to address key issues such as verified sender branding, spam reporting, and cross-carrier collaboration. In the meantime, users should stay informed and report any suspicious messages to their carriers or relevant authorities.

Key Takeaways

  • RCS is the future of messaging, but it’s also a growing target for scammers. The protocol’s advanced features, such as verified sender badges and interactive buttons, are being exploited to create convincing phishing messages.
  • Phishing scams via RCS often impersonate trusted organizations. Messages may appear to come from banks, healthcare providers, or delivery services, urging users to click on malicious links or enter sensitive information.
  • Users can protect themselves by verifying senders, avoiding suspicious links, and enabling spam detection. Two-factor authentication and blocking suspicious contacts can also help prevent unauthorized access to accounts.
  • Carriers and tech companies are enhancing spam detection and user education. However, challenges remain, including the lack of a unified RCS standard and the rapid evolution of scammer tactics.
  • Regulators and industry groups are working to address RCS security. Updated guidelines and best practices are expected later this year, but users should remain vigilant in the meantime.

Have you received a suspicious RCS message? Share your experience in the comments below, and don’t forget to share this article with friends and family to help them stay safe from phishing scams.

Leave a Comment