SMS Déjà Vu? Securing Rich Messaging Channels Against the Scammer’s Playbook.
RCS-enabled rich messaging is rapidly inheriting the same fraud and abuse problems that have plagued SMS and MMS, but with richer content and AI tools making the stakes even higher. Building on last year’s focus on RCS (Rich Communication Services) security, Enea expert Nima Golchini led the discussion at the MEF Global Forum in Barcelona to explore the latest security developments and threats in rich messaging.
From SMS Lessons to RCS Reality
In last year’s session we outlined the emerging security challenges in RCS and RCS Business Messaging (RBM), and warned that many SMS-era mistakes would be repeated on the rich media channel. This year’s presentation re-affirmed our prediction. We are now seeing the same types of fraud, just adapted to RCS’s richer capabilities, with impacts on brands, aggregators, CPaaS, RBM providers, mobile operators, and end users alike.
What Rich Messaging Threats are Happening Today?
RCS messaging behaves like any other messaging ecosystem: if a single link in the chain is left unprotected, the damage quickly spreads to other stakeholders running services over RCS. Bad actors target rich messaging channels with a multitude of attacks, including:
- Spoofing.
- Traffic injection.
- Interception and malware.
- Pre‑registration fraud (fraudsters registering as legitimate brands for malicious purposes) and message bypass.
- Phishing campaigns that masquerade as legitimate traffic.
Richer Content, Same Old Tricks: How Scams from SMS and MMS Exploit Rich Messaging
Scams and attacks on SMS are now clearly visible in RCS traffic, from classic phishing to SHAFT/illegal content and grey routes. Fraudsters are reusing psychological triggers such as “expiration notice”, “important notice” and “do not miss out” to push victims into action, while embedding fresh URLs that are often registered just hours before the campaign goes live and hosted in regions other than those of the targeted subscribers. Enea’s threat intelligence unit has observed recent campaigns against US subscribers, orchestrated by organised crime groups, that originate from domains registered in Asia. So we know that the same URL‑churn and cross‑border domain registration patterns seen in SMS attacks are present on RCS.
Spam in RCS
Scammers Weaponizing SIM Boxes & Emulators for RCS Scam Campaigns
As we see with SMS, attacks aimed at subscribers in one market can be launched from SIM boxes or emulators located in multiple other regions, reusing campaign templates to target subscribers on a global scale. Enea has observed recent RCS scam campaigns originating from countries all around the world.
Illegal Image Content
Illegal content that we have seen flowing over MMS, such as narcotics or firearms promotions packaged as images or long texts, is appearing in RCS traffic too. These spam campaigns are following the same patterns, but using rich content features to unlock more ways to package and scale messages containing illegal content. As RCS adoption continues to pick up, Restricted Image Detection Tools will become essential to keep SHAFT images off messaging channels and protect subscribers.
Grey Routes are Still on the Map in RCS Messaging
RCS grey routes are also emerging, mirroring long‑standing SMS issues. In some cases, fraudsters create RCS group chats branded as known technology companies to deliver one‑time passwords or other security messages without going through legitimate RBM or CPaaS channels, depriving operators and aggregators of revenue and undermining trust.
RCS Group Chats
Last year, we explained how group chat is being abused by spammers who rename groups to trusted brands. These attacks continue over RCS today, with attackers injecting brand‑related content to add credibility and encourage targets to engage with the scam. Scammers toggle between encrypted and unencrypted states to evade firewall detection and use rich media features to garner clicks. RCS group chat enables scammers to weaponize encryption mechanisms, social proof, and rich branding capabilities to elevate their scam campaigns. These scams often fly under the radar, allowing them to propagate and reach more victims.
Examples of RCS Attack Techniques
| Type | RCS tactic | Impact on ecosystem |
| --- | --- | --- |
| Phishing / spam | Templated “important notice” RCS messages with new domains per campaign | Credential theft, financial fraud, higher complaint rates for operators and brands |
| Group chat abuse | Renaming groups to brands (e.g. postal or banks), mixing rich content | Users misled by fake “official” chats, harder for operators to trace origins |
| Illegal SHAFT content | Images and long text offers for drugs or firearms | Regulatory risk for MNOs, compliance exposure for CPaaS and RBM providers |
| Grey routes | RCS groups used for 2FA without proper RBM/CPaaS path | Lost A2P revenue, lack of enterprise accountability |
Scaling Deception: How Scammers use AI for RCS Fraud
The same AI tools that help enterprises personalize RCS engagement are being weaponized by fraudsters to industrialize spam and fraud campaigns. Using generative AI, attackers can create localized, highly personalized messages in multiple languages at scale, tailoring tone and vocabulary to specific markets while following a consistent underlying template.
1. AI-Driven Personalization in Rich Messaging Scams
AI enables fraudsters to produce credible and contextually relevant personalized messages for scam targets. Bad actors combine personalization with urgent calls-to-action, URLs, and images, heightening credibility and interaction rates for phishing or malware delivery.
2. Globalized RCS Scam Campaigns
AI-orchestrated attacks launch identical templates from diverse global origins using SIM boxes or emulators, with localization and translation of scam content to match target regions.
3. Template Generation for Rich Messaging Spam Campaigns
Fraudsters deploy AI for templated RCS spam with minimal tweaks, such as carrier names, dates, and fresh URLs. Templates often include psychological lures such as “expiration notice” to invoke a sense of urgency and hook victims.
Spotting the Signs of AI-Powered Scams in RCS Messaging
AI leaves subtle fingerprints on these campaigns. For example, non‑native date suffixes such as “14st December” or “11st December” reveal that a machine, not a human, generated the copy, even though the rest of the language may look natural. The call‑to‑action lines remain fixed across variants, while URLs and dates are swapped programmatically, illustrating how AI templates are driving mass production of convincing lures. In a large RCS spam wave we observed running from mid‑December into the new year, the body of the messages remained almost identical while only a few elements changed: the targeted operator name, the date, and the destination URL – often obscure domains or shortened links designed to hide their true nature. Because these campaigns are launched simultaneously from multiple countries via SIM boxes or emulators, they create global “spam storms” that strike many networks in parallel and are difficult to tackle without AI-driven threat detection and coordinated intelligence.
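The two signals described above (a fixed message body with swapped operator name, date and URL, and impossible ordinal suffixes) can be checked mechanically. The following is an added example, not Enea's detection logic: the operator names, `.example` domains and sample messages are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
ORDINAL_RE = re.compile(r"\b(\d{1,2})(st|nd|rd|th)\b", re.I)
DATE_RE = re.compile(r"\b\d{1,2}(?:st|nd|rd|th)?\s+(?:" + MONTHS + r")\b", re.I)

def expected_suffix(day):
    """Correct English ordinal suffix for a day number."""
    if 11 <= day % 100 <= 13:
        return "th"
    return {1: "st", 2: "nd", 3: "rd"}.get(day % 10, "th")

def bad_ordinals(text):
    """Return ordinals such as '14st' whose suffix does not match the number."""
    return [m.group(0) for m in ORDINAL_RE.finditer(text)
            if m.group(2).lower() != expected_suffix(int(m.group(1)))]

def fingerprint(text, operators):
    """Hash the message after masking the fields a campaign swaps per variant."""
    t = URL_RE.sub("<URL>", text)
    t = DATE_RE.sub("<DATE>", t)
    for op in operators:
        t = re.sub(re.escape(op), "<OPERATOR>", t, flags=re.I)
    t = re.sub(r"\s+", " ", t).strip().lower()
    return hashlib.sha256(t.encode()).hexdigest()[:16]

def cluster(messages, operators, min_size=2):
    """Group messages sharing one template; keep groups of at least min_size."""
    groups = defaultdict(list)
    for msg in messages:
        groups[fingerprint(msg, operators)].append(msg)
    return {fp: msgs for fp, msgs in groups.items() if len(msgs) >= min_size}

# Constructed sample traffic; operator names and domains are hypothetical.
OPERATORS = ["ExampleTel", "DemoMobile"]
SAMPLE = [
    "ExampleTel expiration notice: your points expire on 14st December. Redeem now: https://a1.example/x",
    "DemoMobile expiration notice: your points expire on 11st December. Redeem now: https://b2.example/y",
    "ExampleTel expiration notice: your points expire on 2nd January. Redeem now: https://c3.example/z",
    "Hi, are we still meeting on 3rd December?",
]

if __name__ == "__main__":
    for fp, msgs in cluster(SAMPLE, OPERATORS).items():
        flagged = sorted({o for m in msgs for o in bad_ordinals(m)})
        print(fp, len(msgs), "variants; bad ordinals:", flagged)
```

Exact hashing only groups variants whose unmasked text is identical; lightly paraphrased or translated variants would need a similarity measure rather than an exact hash.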
Tackling Scams Over RCS and RBM: Next Steps for the Mobile Ecosystem
Fighting RCS fraud demands coordinated action across CPaaS providers, MNOs, RBM platforms, messaging app providers, regulators and industry bodies; securing one node is not enough when attackers exploit every available channel. Mobile operators should engage with Apple and Google to ensure spam reporting is enabled, and that processes exist to address RCS abuse. On the RBM side, where traffic is encrypted in transit rather than end-to-end, CPaaS providers and operators need carrier‑grade firewalls capable of inspecting content at scale, enforcing each operator’s code of conduct, and blocking spam and malicious content before it reaches subscribers.
CPaaS providers, aggregators and RBM platforms should treat RCS as part of a holistic multi‑channel security strategy, using a firewall and threat‑intelligence layer that spans SMS, MMS and RCS, since fraudsters freely switch between these channels to maximize their return. This includes AI‑driven detection of illegal SHAFT content in text and images, real‑time URL analysis, fingerprinting of known scam templates, and global intelligence sharing so that techniques seen in one region can inform protections elsewhere.
For RCS to be seen as a trusted, rich business messaging channel, CPaaS providers, aggregators, and MNOs must invest in proactive security. That means deploying advanced AI‑powered firewalls, monitoring user spam reports, and continuously updating defenses based on global attack intelligence. With a proactive approach to rich messaging threats, enterprises can confidently use RBM while subscribers enjoy secure communications.

