TritonArk Logo
    Back to Blog
    March 02, 2026Abshir Warsame | CCISO | CISM | CISA

    How the SPF and Sender ID Register Work Together to Fight SMS Scams

    A customer glances at their phone and sees an SMS from "CommBank." It looks identical to every other message they've received from their bank — same sender name, same format, same reassuring tone. They click the link. Within minutes, their account credentials are compromised.

    This isn't a hypothetical. It's the mechanics of SMS sender ID spoofing, and it has been one of the most effective scam vectors targeting Australians for years. Now, two interlocking regulatory frameworks are closing that loophole — and businesses that haven't yet mapped their obligations under both are already behind.

    The Problem: How Sender ID Spoofing Actually Works

    You don't need to be a cybercriminal to understand the basic technique. When a business sends a branded SMS — say, from the name "MyBank" or "AusPost" — the sender name (the Sender ID) is set alphanumerically rather than from a phone number. Until recently, there was no system to verify that the entity sending an SMS as "MyBank" was actually MyBank.

    Scammers exploited this gap ruthlessly. By simply setting their Sender ID to match a trusted brand, fraudulent messages would land in the same conversation thread as genuine ones on many devices. The visual credibility was built in — no additional deception required.

    Telcos operating under existing industry codes have made significant progress. Australian carriers blocked approximately 1.4 billion scam calls and 336 million scam SMS messages under their existing voluntary code arrangements. But blocking known scam infrastructure is reactive. The Sender ID Register takes a different approach: it verifies legitimacy before a message is ever sent.

    The Sender ID Register: Closing the Verification Gap

    The Australian Communications and Media Authority (ACMA) opened the SMS Sender ID Register on 30 November 2025. From 1 July 2026, registration becomes mandatory. Any business that sends branded SMS messages using an alphanumeric Sender ID and hasn't registered by 15 May 2026 will see those messages either display as "Unverified" or be blocked outright by participating telcos.

    The mechanism is straightforward: businesses register their Sender IDs with the ACMA. Telcos then check outgoing messages against that register. If a message claims to come from "ANZ" but the Sender ID isn't registered to ANZ, the telco can suppress or flag it. Spoofing a registered brand becomes significantly harder.

    For legitimate businesses, registration is the authentication signal that protects your brand name in the SMS channel. For scammers, it closes off the easiest spoofing vector. For customers, it means an SMS from a registered sender carries a verifiable trust signal — not just an assumed one.

    The ACMA has outlined the registration pathway and timeline in detail. Many Australian businesses have already begun the registration process. If yours hasn't, the 15 May 2026 deadline is not generous.

    The Scams Prevention Framework: Addressing the Broader Ecosystem

    The Sender ID Register solves one problem: spoofed sender names. But the broader scam ecosystem is more complex, and that's where the Scams Prevention Framework (SPF) comes in.

    The SPF has been passed into law, amending the Competition and Consumer Act 2010. It applies to telcos, banks, and digital platforms — sectors that sit at the intersection of scam delivery and financial harm. The SPF is not a voluntary industry code. It carries penalties of up to AUD $50 million and is jointly administered by the ACCC and ACMA.

    Under the SPF, regulated entities must demonstrate compliance across six interconnected obligations:

    • Anti-scam strategy — a documented, board-approved plan
    • Prevention — proactive measures to stop scams from reaching consumers
    • Detection — systems to identify scam activity in near real time
    • Disruption — active intervention to stop scams in progress
    • Response — defined protocols when scams are identified
    • Reporting — timely disclosure to regulators

    Banks must comply with core SPF obligations by 30 June 2026. Telcos and digital platforms face staggered timelines, but the expectation of a documented anti-scam strategy applies broadly and immediately.

    The SPF isn't asking businesses to prevent every scam. It's asking them to demonstrate that they took reasonable, documented steps across the full scam lifecycle — and that they can prove it to regulators if asked.

    Where the Two Frameworks Intersect

    The Sender ID Register and the SPF are complementary by design. Think of it as two layers of the same defence.

    The Register addresses channel integrity — ensuring that the SMS channel itself carries verified senders. The SPF addresses institutional accountability — ensuring that businesses operating in scam-adjacent sectors have robust, documented programmes to prevent and respond to scam activity.

    For a bank, compliance with the SPF's prevention obligations will naturally include ensuring their SMS communications are sent through verified Sender IDs. A telco's "disruption" obligations under the SPF will directly leverage the Sender ID Register to identify and flag or block unregistered senders. The two frameworks aren't parallel — they're layered.

    For businesses outside the core SPF sectors — retailers, fintechs, insurance providers, and others who send branded SMS — the Sender ID Register may be their primary direct obligation right now. But the SPF's influence on customer expectations and industry norms will be felt broadly. Customers are increasingly aware that verified, trusted messaging exists. An "Unverified" label on your messages creates doubt — and that doubt has commercial consequences.

    What This Dual Framework Means for Your Business

    If your business sends branded SMS messages, you are operating inside a compliance framework whether or not you've engaged with it. The question isn't whether these obligations apply — it's whether your organisation has built the posture to meet them.

    Sender ID registration is the immediate, operational requirement. It requires identifying all Sender IDs in use, verifying ownership, and submitting them through your SMS provider or directly with the ACMA.

    SPF readiness is the strategic layer. For businesses in regulated sectors, it means a documented anti-scam strategy, defined detection and response protocols, and board-level visibility of scam risk metrics.

    These aren't separate projects. Forward-thinking organisations are treating Sender ID registration as the first step in a broader digital trust programme — one that demonstrates to customers, partners, and regulators that they've built their communications infrastructure on verified foundations.

    Our Sender ID readiness service is designed to get businesses through the registration process efficiently — identifying all active Sender IDs, mapping provider relationships, and preparing the submission. For organisations that need to go further, our SPF readiness programme provides the strategic framework: documented strategy, detection and response protocols, and the reporting infrastructure regulators will expect to see.

    The Early Compliance Advantage

    Businesses that register before 15 May 2026 aren't just ticking a compliance box. They're building a visible trust signal at a moment when the market is shifting toward verification as a baseline expectation.

    When the register goes live and unregistered messages start displaying as "Unverified," there will be two kinds of businesses: those whose messages carry a clear trust signal, and those whose messages trigger a warning. The first group will have done the work early. The second group will be scrambling — and their customers will notice.

    Many Australian businesses have already begun this work. The ones moving now aren't doing so because they're particularly cautious. They're doing so because they understand that being the first to carry the verified signal in their sector is a competitive position, not just a compliance outcome.

    If your business sends SMS under a branded Sender ID and you haven't mapped your registration requirements yet, that work needs to start now — not after the May deadline becomes a crisis. TritonArk's team works with Australian businesses across both the Sender ID registration process and broader SPF compliance posture. The conversation about where you stand is worth having before the window closes.

    Ready to Secure Your Sender IDs Before the July 2026 Deadline?

    Request a confidential assessment. We'll map your messaging inventory, identify your gaps, and give you a clear action plan — no jargon, no lock-in.

    CISA, CISM & CCISO Credentialed
    TritonArk
    Hi there! Have a question? we’ll guide you through your readiness and compliance and next steps.