SMS marketing: French Sender ID rules and practices to be adopted from early 2025

SMS Sender ID

SMS marketing: the upsurge in SMS scams (smishing) calls for tougher security measures. Mobile operators, aggregators and professional associations (AF2M) point out that a "significant number of cases of fraud" have necessitated the adoption of new contractual rules. The sender identifier of messages (SenderID, or OADC for Originator Address Code) is now closely monitored to prevent identity theft. These provisions, which have been in force since March 10, 2025, are designed to protect subscribers against costly scams, which often impersonate well-known brands or institutions.

What is smishing and what does it mean for SMS marketing?

Smishing (SMS phishing) is a scam in which the attacker sends a fraudulent SMS message impersonating a legitimate entity. The message invites the victim to click on a link or provide personal or banking data, under the pretext of an alarming situation (suspicious bank transfer, parcel delivery, overdue invoice, etc.). In 95% of cases, this fraudulent SMS contains a link redirecting the victim to a fake website impersonating a well-known brand in order to steal bank details. The stakes are high: in addition to data theft and financial losses, these attacks damage the confidence of users and partners in mobile telephony services. This is why tightening controls on SenderID is part of a broader strategy to combat SMS phishing.

New SenderID requirements

For business SMS ("Push SMS"), the sender can be a numeric short code (5 digits starting with 36xxx or 38xxx) or an alphanumeric SenderID (OADC) of no more than 11 characters. Under the new AF2M Business Messaging Charter, this personalized identifier is limited to 11 characters and may only include letters and numbers. In other words, any SenderID consisting solely of digits, other than an official short number, is prohibited. Likewise, no special characters or spaces are allowed in the SMS sender.

AF2M has listed some generic terms that should no longer be used as SenderIDs. Identifiers such as ALERT, RDV, PAYMENT, BANK, PACKAGE, DELIVERY, etc., are no longer permitted in the sender field, because these generic words do not refer to a specific brand.

In addition, the AF2M charter defines two categories of sensitive SenderID: "Strictly Forbidden" (SI) and "Forbidden Unless Authorized" (ISA). An OADC marked SI, such as the names of public institutions or banks, is strictly forbidden: all SMS sent with such an OADC will be systematically blocked by operators. An OADC classified ISA, for example a trademark such as Netflix or Amazon, may only be used with the explicit authorization of the brand concerned and after declaration to AF2M.

Consequences of SMS marketing non-compliance

Failure to comply with these rules will result in strict measures:

    • SMS blocking: any message with a non-compliant SenderID (in particular an "SI" OADC) may be systematically refused delivery by the operator.

    • Automatic replacement: sending platforms can overwrite the invalid identifier with a default code or short number, so your SMS marketing message is still delivered, but under a different sender.

    • Fines and penalties: sending fraudulent messages or prohibited SenderIDs can result in fines imposed by the operator. For example, the operator generally charges a financial penalty for each non-compliant message sent, which is passed on to the sender of the message.

    • Contractual penalties: repeated breaches of these commitments may result in contractual penalties, or even suspension or termination of service contracts.

Recommendations for compliance

    • Check SenderID format: ensure that each sender identifier is no longer than 11 characters and exclusively alphanumeric, with no special characters.

    • Avoid all-digit SenderIDs: in SMS marketing, it's best not to use a SenderID made up of numbers only (except for validated official short codes).

    • Avoid generic terms: do not use common words such as Alert, Payment, Delivery, etc., in the sender field.

    • Follow the AF2M procedure: for all branded SenderIDs (ISA status), obtain written authorization from the owner and declare this code under the AF2M Business Messaging charter. Regularly check the list of sensitive or prohibited OADCs published by AF2M.

    • Use a certified platform: for example, use an SMS aggregator or a supplier that implements AF2M controls upstream, automatically filtering out non-compliant senders and blocking suspicious links.

    • Train your teams: raise awareness of the new rules among marketing and IT managers, so that they systematically check sender lists before sending any mailings.

Quick checklist

    • Alphanumeric SenderID, ≤ 11 characters

    • No special characters or spaces for SMS marketing

    • No all-digit SenderID (except short code)

    • No generic words (alert, bank, delivery, etc.)

    • AF2M authorization obtained for all "Forbidden Unless Authorized" (ISA) OADCs

    • Up-to-date AF2M list of OADCs checked by your aggregator
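
The format rules and checklist above can be run as a pre-send check over a sender list. The following Python sketch is an added example, not AF2M or operator code: the function name, the case-insensitive matching, the restriction to unaccented letters and the SI entry EXAMPLEBANK are assumptions, and the real sensitive-OADC lists must be loaded from AF2M.

```python
import re

# Generic terms named on this page (its list ends in "etc.", so it is not exhaustive).
GENERIC_TERMS = {"ALERT", "RDV", "PAYMENT", "BANK", "PACKAGE", "DELIVERY"}
# Stand-ins for the AF2M sensitive-OADC lists; load the published lists in practice.
SI_LIST = {"EXAMPLEBANK"}         # constructed placeholder: "Strictly Forbidden"
ISA_LIST = {"NETFLIX", "AMAZON"}  # the page's examples: "Forbidden Unless Authorized"

SHORT_CODE = re.compile(r"3[68]\d{3}")   # 5 digits starting with 36 or 38
ALNUM = re.compile(r"[A-Za-z0-9]+")      # assumption: unaccented letters and digits


def check_sender_id(sender_id, authorized=frozenset()):
    """Return (verdict, reasons): 'ok', 'needs_authorization' or 'rejected'.

    `authorized` holds upper-cased ISA brands for which written authorization
    was obtained and declared to AF2M.
    """
    if SHORT_CODE.fullmatch(sender_id):
        # Format check only: it does not prove the short code is allocated to you.
        return "ok", ["short code format"]
    reasons = []
    if not 1 <= len(sender_id) <= 11:
        reasons.append("length must be 1 to 11 characters")
    if not ALNUM.fullmatch(sender_id):
        reasons.append("letters and digits only, no spaces or special characters")
    elif sender_id.isdigit():
        reasons.append("all-digit SenderID that is not a 36xxx/38xxx short code")
    key = sender_id.upper()
    if key in GENERIC_TERMS:
        reasons.append("generic term")
    if key in SI_LIST:
        reasons.append("SI: strictly forbidden")
    if reasons:
        return "rejected", reasons
    if key in ISA_LIST and key not in authorized:
        return "needs_authorization", ["ISA: brand authorization and AF2M declaration required"]
    return "ok", []


def audit(sender_ids, authorized=frozenset()):
    """Map every SenderID in a sending list to its verdict and reasons."""
    return {s: check_sender_id(s, authorized) for s in sender_ids}


if __name__ == "__main__":
    # Constructed sample sender list.
    for sid, (verdict, why) in audit(["MYSHOP2025", "36123", "0612345678", "MY SHOP", "Netflix"]).items():
        print(f"{sid!r:14} {verdict:20} {'; '.join(why)}")
```
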

Conclusion: act now

Implementing these new obligations is imperative to ensure SMS deliverability and guard against the risks of SMS marketing fraud. In practice, this means reviewing your sender lists without delay, and ensuring that every SenderID used complies with AF2M specifications. Since the transition on March 10, 2025, it is strongly advised to take immediate action to update your sending tools and internal processes. Adopt these recommendations now to protect your customers, avoid service blockages and contractual penalties.

To learn more and discover common mistakes to avoid in SMS marketing, read our article: 10 marketing mistakes to avoid SMS.

Sources: AF2M guidelines on protecting sensitive OADCs.
