Why Fake SMS Messages Can Appear Inside Real Brand Conversations

From 1 July 2026, Australia's SMS Sender ID Register will become a major new control against SMS impersonation scams. Businesses and organisations that send branded SMS messages — such as messages that appear from “ATO”, “AusPost”, “myGov”, or a bank name — will need to register those Sender IDs. If they do not, their messages may appear as coming from “Unverified” instead of the brand name.

For everyday users, this change may sound technical. In reality, it addresses one of the most confusing and dangerous parts of SMS scams: fake messages that appear to come from a trusted brand, sometimes even inside the same message thread as legitimate messages from that brand.

This article explains how SMS Sender ID works, why scammers can abuse it, why fake messages can appear under real brand conversations, and how Australia's new Sender ID registration system helps reduce this risk.

1. What is an SMS Sender ID?

When you receive a normal text message, your phone usually shows a mobile number at the top of the conversation. But many businesses and organisations do not send messages from a normal-looking mobile number. Instead, the message may appear to come from a name, such as ATO, AusPost, myGov, CommBank, or Linkt.

That name is called a Sender ID. ACMA describes a Sender ID as the branded name at the top of text messages from a business or organisation, telling the recipient who the message is from.

A simple way to understand this is to think of Sender ID as the “display name” of a text message. When a business sends an SMS, the sending system can include a sender value in the message. In branded business messaging, the sender value can be an alphanumeric name — meaning it can contain letters and numbers rather than just digits.

This is useful for legitimate organisations because it makes messages easier to recognise. But the same convenience creates a security weakness.

2. Why Sender ID is different from a saved contact name

It is important to separate two things:

• A contact name is created by the user. If you save your friend's number as “David”, your phone shows “David” because that name is in your address book.
• A Sender ID is provided by the sender's messaging system. If a text message appears from “ATO”, that display name is part of the SMS message route, not something you personally created.

This difference matters because many users naturally treat the displayed name as proof of identity. That assumption is exactly what scammers exploit.

3. What is Sender ID spoofing?

Sender ID spoofing is when a scammer sends a text message using a Sender ID that looks like a trusted brand or organisation.

For example, a scammer may send a message that appears to come from myGov: “Your account has been suspended. Please verify your identity immediately: [fake link]”

Or the scammer may send a message that appears to come from AusPost: “Your parcel could not be delivered. Please update your address and pay the redelivery fee: [fake link]”

The user sees a familiar brand name and may believe the message is real. The scammer does not need to hack the user's phone. The attack works because the visible sender field can be abused if there is no strong verification behind it.

ACMA has stated that the new Sender ID Register is intended to stop scammers using Sender IDs in text messages to impersonate brands and organisations. Australians lost almost $18 million to text message scams in 2025, and many text scams pretend to come from trusted businesses or organisations by impersonating them through Sender IDs.

4. Why do fake SMS messages appear inside real brand conversations?

This is one of the most confusing parts for consumers. Many people have seen a scam text message appear directly underneath real messages from a trusted organisation. For example, a user may have an existing SMS thread with real delivery updates from AusPost — then a fake message appears in that same thread.

The reason is simple: SMS apps usually group messages by the visible sender. For branded SMS messages, the grouping key may be the Sender ID. If a scammer successfully sends a message using the same Sender ID as a real organisation, the phone may group the fake message with the genuine messages.

A simple example:

• You receive a real SMS from myGov with a one-time code.
• Later, a scammer sends a fake SMS using the same visible Sender ID “myGov”.
• Your phone sees the same sender label.
• The fake SMS may appear in the same conversation thread as the real message.

This creates a dangerous illusion. The scam message inherits the trust created by previous genuine messages. A user may think: “This must be real because it is in the same conversation as the official messages I received before.” But that conclusion can be wrong.

5. Why this is difficult from a server-side perspective

From a server and telecommunications perspective, Sender ID is difficult because SMS was not originally designed as a modern identity-verification system.

The SMS ecosystem involves many parties: the business sending the message, the SMS provider, upstream messaging aggregators, carriers, international routes, local telcos, and finally the recipient's phone. A message may pass through several systems before reaching the user.

In this chain, the Sender ID is a display value. Historically, in many markets, it has not always been strongly bound to a verified legal entity. This is why enforcement cannot rely only on the user's phone. The better control point is earlier in the message delivery chain.

6. What changes under Australia's SMS Sender ID Register?

From 1 July 2026, branded SMS messages sent with an organisation's name at the top of the message will need to use a registered Sender ID. ACMA says businesses and organisations should contact their telco or message provider to register their Sender IDs before that date.

Under ACMA's rules for telcos:

• Originating telcos must offer to register Sender IDs on behalf of customers.
• They must also verify that customers have a clear and legitimate reason to use a Sender ID.
• From 1 July 2026, telcos that send or terminate text messages must over-stamp unregistered Sender IDs with “Unverified”.

This creates a new trust model. Before the register, a brand-like Sender ID could be easier to misuse. After the register, a branded Sender ID should be linked to an authorised business or organisation.

7. What does “Unverified” mean?

“Unverified” means the branded Sender ID has not been registered under the new system. For consumers, this is a warning sign. A message from “Unverified” should be treated with caution, especially if it asks the user to:

• click a link
• provide personal information
• enter a password or verification code
• make a payment or transfer money
• call an unknown number urgently

For businesses, “Unverified” is also a reputational risk. If a legitimate organisation does not register its Sender ID, its real messages may no longer appear under the brand name.

8. How does registration help stop spoofing?

The register helps in four main ways:

First, it creates ownership over brand-like Sender IDs. If a business wants to send SMS messages under a brand name, it needs to register that Sender ID. This makes it harder for a scammer to simply choose a famous brand name and send messages under that label.

Second, it requires verification. Telcos and message providers have a role in checking that a customer has a legitimate reason to use a Sender ID.

Third, it changes how unregistered Sender IDs are presented. From 1 July 2026, unregistered Sender IDs must be over-stamped with “Unverified”. This reduces the chance that a scammer can make a message appear as if it came from a trusted brand.

Fourth, it gives consumers a clearer signal. After the register takes effect, the presence of “Unverified” should become a clear warning sign.

9. What are the limits of the Sender ID Register?

The register is a major improvement, but it is not a complete solution to all SMS scams:

• It mainly targets branded Sender ID impersonation. Scammers can still send messages from ordinary phone numbers.
• It applies to SMS and MMS, not every messaging platform. It does not apply to WhatsApp, Facebook Messenger, or iMessage.
• Scammers may adapt — moving to other channels, using lookalike wording, or sending messages from mobile numbers.
• Even a message from a registered brand should not be treated as a reason to share sensitive information without care.

10. What should consumers do?

Consumers should understand that the name at the top of a text message is not the same as guaranteed identity.

Be especially cautious if the message says:

• Your account will be suspended.
• Your parcel cannot be delivered.
• You must pay a small fee now.
• Your tax refund is waiting.
• Enter your verification code here.
• Call this number immediately.

A safer approach:

• Do not click the link in the SMS.
• Open the official app or website yourself.
• Contact the organisation through a number listed on its official website.
• Never share one-time passcodes with anyone.
• Treat “Unverified” messages as high-risk.

11. What should businesses do?

Businesses that send branded SMS messages to Australian mobile users should review their Sender IDs and register them before 1 July 2026. They should also:

• avoid direct login links where possible
• use consistent wording across campaigns
• tell customers how official SMS messages will look
• warn customers that they will never ask for passwords or one-time codes by SMS
• monitor fake messages that impersonate their brand
• combine Sender ID registration with digital risk protection and takedown, domain monitoring, and customer education

For financial institutions, SMS scam prevention should also connect with scam payment destination intelligence, because many SMS scams ultimately attempt to move victims toward mule accounts, fintech identifiers, or crypto wallets.

Conclusion

SMS Sender ID is useful because it lets businesses send messages under recognisable names. But the same feature has been widely abused by scammers. When a fake message uses the same Sender ID as a real organisation, the user's phone may place it in the same conversation thread as genuine messages. This makes the scam feel more trustworthy than it really is.

Australia's SMS Sender ID Register is designed to reduce that risk. By requiring organisations to register branded Sender IDs, requiring telcos and message providers to verify legitimate use, and marking unregistered Sender IDs as “Unverified”, the system makes brand impersonation harder and gives consumers a clearer warning sign.

The change will not end all SMS scams. But it directly addresses one of the most deceptive parts of SMS fraud: the false appearance that a message comes from a trusted brand.

This change also sits within a broader shift toward stronger scam prevention obligations across Australia's Scams Prevention Framework (SPF). Sender ID registration is a strong control, but it works best as part of a broader anti-scam strategy.