
The messages are spoofed. The attacker has access to an SS7 signalling link and you can set the source number to anything you want. Telcos share some blame in facilitating this. I tried to stop this in the '90s and was told to help the scammers send messages faster. I wanted to terminate their SS7 links but I would have been fired for doing so. To clarify, the individual scammer may not even know what an SS7 link is. It's usually a tiered system, where one shady person has access to a link, then sells access via bitcoin to other shady people via some Tor web interface.

As for the domain name, that problem isn't going away. If anything, it will only get worse, as people are lazy and push UX designers to show less and less information. And the UX devs are right, the users won't know what to do with the extra info most of the time anyway.

And then there are payment processors, who also teach people BAD habits, by sending HTML messages, clickable links, etc. And that isn't going to change because it would increase customer support cases which costs them money. Banks won't implement secure authentication beyond phone MFA for the most part. I can think of a dozen ways to make this more secure, but all the ideas would be rejected as adding too much friction.

All that is left is educating the masses and that fails as well. Most people learn by making mistakes. About 40% of people will click on the scammers' links. About 10% of people will enter their credentials.




> All that is left is educating the masses and that fails as well.

That is not always true. You can have regulations which force banks to change. Banks don't like it but politicians don't like an unstable banking sector, especially if it causes sharp changes in the stock market.

As an example, the recent money laundering scandals in Sweden have caused some changes in credit card security. Politicians want to reassure the public and increase trust in Swedish banks, so the last years have seen several notable banking regulations. I would guess that they actually want noticeable friction in order to reassure the public that they have things under control.


That is excellent. I would love to see this pattern spread around the world.


I don't get why the phone companies don't implement something akin to bogon filtering on their interconnect points.

If the incoming call or txt has an internal source number, but is coming from an external network, reject it. If it's an outgoing session with an external source, drop it and follow up with the account holder.

https://en.wikipedia.org/wiki/Bogon_filtering


A similar concept applies in the SS7 [1] network, B-number [2] analysis, but is not used that way, as telcos have no way to properly manage which switches may originate which numbers as they are portable. They just do routing and trust the sender is allowed to have the number presented in the SS7 packet.

[1] - https://en.wikipedia.org/wiki/Signalling_System_No._7

[2] - https://en.wikipedia.org/wiki/Called_party


This would be problematic e.g. in the case of ported numbers, or if a customer is using a third party to send their SMS for a fraction of the cost. Implementing such blocks without covering these use cases would likely (rightfully) result in antitrust issues.
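
The source-number filter proposed in this thread, extended with the ported-number and third-party-sender cases raised in the replies, as an added example that is not any commenter's or operator's code. It assumes the operator has accurate portability and delegation tables; every number, operator name, link name and table below is constructed.

```python
# Added illustration; all numbers, operator names and tables are constructed.
from dataclasses import dataclass

HOME = "opA"  # hypothetical name of the network running the filter

# Original number-range allocations (prefix -> range holder), longest prefix wins.
RANGES = {"4670": "opA", "4673": "opB"}
# Portability overrides: individual numbers that moved to another operator.
PORTED = {"46701234567": "opB", "46731112223": "opA"}
# Delegations: customer number -> external links allowed to send on its behalf.
DELEGATED = {"46709998887": {"aggregator-link-7"}}

@dataclass(frozen=True)
class Message:
    source: str      # presented source number, digits only
    link: str        # interconnect or access link the message arrived on
    direction: str   # "ingress" (from another network) or "egress" (from our subscriber)

def current_operator(number):
    """Resolve the operator serving a number now, honouring portability."""
    if number in PORTED:
        return PORTED[number]
    for length in range(len(number), 0, -1):
        holder = RANGES.get(number[:length])
        if holder:
            return holder
    return None  # unallocated or unknown range

def decide(msg):
    """Return 'accept', 'reject' or 'drop-and-notify' for one message."""
    owner = current_operator(msg.source)
    if msg.direction == "ingress":
        # Our own number arriving from outside: reject unless delegated to that link.
        if owner == HOME and msg.link not in DELEGATED.get(msg.source, set()):
            return "reject"
        return "accept"
    # Egress: a subscriber may only present a number we currently serve.
    if owner != HOME:
        return "drop-and-notify"
    return "accept"
```

A filter keyed on the original range allocation alone would reject the ported-out number and accept the ported-in one arriving from outside, which is the failure the replies describe.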



