As SMS phishing (smishing) evolves into a global cybersecurity crisis, telecom infrastructure itself is coming under scrutiny. Can AI led tools and network-level reforms really keep pace with threats that exploit the very design of mobile communication? Experts across the cybersecurity and telecom spectrum weigh in.
The Rising Tide of Smishing Attacks
In a world increasingly dependent on mobile devices, SMS phishing or smishing has emerged as one of the most effective and scalable cyberattack vectors. A recent report suggests up to 3.3 billion Android devices globally are at risk. Unlike email phishing, which is better policed by mature spam filters and sender authentication protocols, SMS remains a loosely protected frontier an open door for cybercriminals.
India, one of the world’s largest telecom markets, is facing a sharp rise in link based cyber frauds. While most operators are still catching up, Bharti Airtel has taken the lead by becoming the first in the world to roll out an AI powered fraud detection system designed to proactively protect its users a level of security currently unmatched by Jio or Vi.
Also Read: Why Airtel’s Spam-Blocking Proposal Could Do for Indian Telecom What UPI Did for Payments
RCS, SIMs, and the Architecture Problem
“The telecom ecosystem is decentralised, global, and loosely regulated,” says Joshua McKenty, CEO of cybersecurity firm Polyguard. “Phones and phone numbers don’t work the way consumers think they do. Everything from SIMs, numbers, CNAM, to RCS Verified Senders is exploitable. That’s the real loophole.”
The shift from SMS to RCS (Rich Communication Services) was meant to modernise messaging with encryption and multimedia capabilities. But it’s created unintended consequences. According to Danny Rogers, CEO of mobile security firm iVerify, “RCS is a gift to the privacy-conscious, but also to scammers. Carriers can’t inspect encrypted messages and in places like the EU, even unencrypted message scanning is often legally restricted.”
In other words, the same encryption meant to protect users is also shielding attackers.
The Myth of AI as a Cure-All
In May 2025, Airtel launched a “world-first” AI-powered fraud detection system that works across SMS, OTT apps (like WhatsApp, Telegram), browsers, and email. The system claims to block malicious domains in real time and alert users with contextual warnings. It’s free for all mobile and broadband users and is enabled by default. While the move is widely welcomed,
“Spam filters have been around for over a decade. AI helps refine them, sure, but scammers evolve too,” says Aimee Simpson, Director of Product Marketing at Huntress, a cybersecurity firm founded by ex-NSA operatives. “Threat actors test variations until they slip past filters. Without structural fixes and user education, the arms race will continue.”
Simpson also highlights a key difference: “Unlike email, where senders can be verified easily, SMS messages come from anonymous numbers. That’s a design flaw not just a security failure.”
More Than Just Filters: The Need for Policy, Identity, and Infrastructure Reform
The challenge isn't just technical. It's strategic. “Humans can’t detect deepfakes. And neither can AI consistently,” says McKenty. “What we need is identity-based provenance verifiable origins of messages. STIR/SHAKEN is a start, but it's stuck in slow-moving telecom standards.”
Amit Modi, CTO of Movius, emphasises a multi pronged strategy: “Telcos must use machine learning for fraud detection, yes, but also implement behavioural analysis, identity verification systems, and stricter policy enforcement. And user education must be ongoing not one time.”
McKenty agrees, adding that telcos can no longer play both sides. “You can’t defend both user anonymity and hacker control. Telcos need to pick a side fight for the user or risk irrelevance.”
The Final Frontier: Endpoints and Users
As encryption limits carrier level visibility, experts argue the fight must increasingly shift to the user’s device. “Most future detections will have to happen on device, since telcos can’t see encrypted content,” says Rogers. “That’s why endpoint security solutions like iVerify are critical. Telcos simply don’t have the access or legal mandate anymore.”
But even endpoint tools have limits. The most scalable defense? User awareness. “Never click links from numbers you don’t know,” says Simpson. “That advice is simple, but it’s powerful. And it buys time for telcos to evolve their tech.”
Fighting Smishing Requires More Than Tech
Smishing represents a convergence of weak infrastructure, legal blind spots, and evolving cyber tactics. Airtel’s AI firewall is a bold step but one operator, or one AI, won’t be enough. Real progress demands industry-wide cooperation, user centered design, and policy frameworks that keep pace with digital threats.
The architecture of global mobile communication must evolve from reactive spam filtering to proactive, identity-led, privacy-balanced systems. Until then, smishing will remain not just a threat, but a symptom of deeper systemic vulnerability.
