Sms marketing: the upsurge in SMS scams (smishing) calls for tougher security measures. Mobile operators, aggregators and professional associations (AF2M) recall that a "significant number of cases of fraud" have necessitated the adoption of new contractual rules. The sender identifier (SenderID or OADC - Originator Address Code) of messages is now closely monitored to prevent identity theft. These provisions, which have been in force since March 10, 2025, are designed to protect subscribers against costly scams, often directed against well-known brands or institutions.
What is smishing and what does it mean for SMS marketing?
Visit smishing (SMS-phishing) est une escroquerie où l’attaquant envoie un SMS frauduleux en usurpant l’identité d’une entité légitime. Le message invite la victime à cliquer sur un lien ou à fournir des données personnelles ou bancaires, sous prétexte d’une situation alarmante (virement suspect, livraison de colis, facture en souffrance, etc.).
Dans 95 % des cas, ce SMS frauduleux contient un lien redirigeant vers un faux site web usurpant une marque connue afin de subtiliser les données bancaires. Les enjeux sont importants : en plus du vol de données et des pertes financières, ces attaques détériorent la confiance des utilisateurs et des partenaires dans les services de téléphonie mobile. C’est pourquoi le renforcement des contrôles sur le SenderID s’inscrit dans une stratégie plus large de lutte contre le phishing par SMS.
Nouvelles exigences sur les Sender ID
For business SMS ("Push SMS"), the sender can be a numeric short code (5 digits starting with 36xxx or 38xxx) or an alphanumeric SenderID (OADC) d’au plus 11 caractères. La nouvelle charte Business Messaging AF2M impose que cet identifiant personnalisé ne comporte que des lettres et éventuellement des chiffres et soit limité à 11 caractères. Tout SenderID constitué uniquement de chiffres, outside official short numbers is prohibited. Likewise, aucun caractère spécial ni espace n’est autorisé.
AF2M has listed some generic terms that should no longer be used as SenderIDs. Identifiers such as ALERT, RDV, PAYMENT, BANK, PACKAGE, DELIVERYetc., are no longer permitted. These generic words, which do not refer to a specific brand, are not permitted in the sender field.
In addition, the AF2M charter defines two categories of sensitive SenderID: "Strictly Forbidden" (SI) and "Forbidden Unless Authorized" (ISA). A marked OADC IF, par exemple des noms d’institutions publiques ou de banques est proscrit : all SMS sent with such an OADC will be systematically blocked by operators. A classified OADC ISA, des marques commerciales comme Netflixor Amazon may only be used with the explicit authorization of the brand concerned and after declaration to AF2M.
Consequences of SMS marketing non-compliance
Failure to comply with these rules will result in strict measures:
-
- SMS blocking Any message with a non-compliant SenderID (in particular an "SI" OADC) may be systematically refused delivery by the operator.
-
- Automatic replacement Sending platforms can crush the invalid identifier by replacing it with a default code or short number, thus ensuring delivery of your SMS marketing under a different sender.
-
- Fines and penalties Sending fraudulent messages or prohibited SenderIDs can result in fines imposed by the operator. For example, the operator generally charges a financial penalty for each non-compliant message sent, which is passed on to the sender of the message.
-
- Contractual penalties Repeated breaches of these commitments may result in contractual penalties, or even suspension or termination of service contracts.
Recommendations for compliance
-
- Vérifier le format des Sender ID SMS marketing means ensuring that each sender identifier is no longer than 11 characters, exclusively alphanumeric, with no special characters.
-
- Avoid pure digital SenderID: in SMS marketing, it's best not to use a SenderID made up of numbers only (except for validated official short codes).
-
- Avoid generic terms Do not use common words such as Alert, Payment, Deliveryetc., in the sender field.
-
- Follow AF2M procedure For all branded SenderIDs (ISA status), obtain written authorization from the owner and declare this code in the AF2M Business Messaging charter. Regularly check the list of sensitive or prohibited OADCs published by AF2M.
-
- Use a certified platform For example, use an SMS aggregator or a supplier that implements AF2M controls upstream, automatically filtering out non-compliant senders and blocking suspicious links.
-
- Training your teams To raise awareness of the new rules among marketing and IT managers, so that they systematically check sender lists before sending any mailings.
Quick checklist
-
- Alphanumeric SenderID, ≤ 11 characters
-
- No special characters or spaces for SMS marketing
-
- No all-digit SenderID (except short code)
-
- No generic words (alert, bank, delivery, etc.)
-
- AF2M authorization obtained for all "Forbidden Except Authorization" OADCs
-
- Up-to-date AF2M list of OADCs controlled by your aggregator
Conclusion: act now
Implementing these new obligations is imperative to ensure SMS deliverability and guard against the risks of SMS marketing fraud. In practice, this means reviewing your sender lists without delay, and ensuring that every SenderID used complies with AF2M specifications. Since the transition on March 10, 2025, it is strongly advised to take immediate action to update your sending tools and internal processes. Adopt these recommendations now to protect your customers, avoid service blockages and contractual penalties.
To learn more and discover common mistakes to avoid in SMS marketing, read our article : 10 marketing mistakes to avoid SMS.
