The start of a new financial year is upon us, and with it changes. While some changes will undoubtedly affect your wallet, one big change could seriously impact the wallets of scammers and cybercriminals, and force them to shift their methods in a big way.
In 2026, SMS from businesses in Australia attempting to tell you who they are using the sender ID will need to be registered, as the government puts into place an approach designed to cut back on the amount of text messaging scams.
For businesses, it means two things: ensuring their brands are protected as a name when a message goes out, and registering the phone numbers with a centralised directory to verify those names in the first place.
Much like a domain registration system locks in a business using a www-dot domain name, so too will this lock in a business using specific mobile numbers to send out business-related texts. And just like a domain registration, only that business will be able to officially claim use of the brand and name using the sender ID in text messages.
Over the past decade, cybercriminals and scammers have been taking advantage of a lack of rules in text messaging, turning the sender ID field into a bit of a game.
Like many businesses, scammers have used SMS sending platforms to push out fake phishing texts, delivering a concept known as “smishing” to anyone with a phone. It meant receiving messages intended to look real from the likes of the government and ATO, shops like JB HiFi and Woolworths, and other brands such as Telstra and Linkt, all in an attempt to get you to trust them, believe them, click the link, and ultimately fall down the rabbit hole and give them your money.
And it worked. Australians have lost millions to SMS scams, contributing to the billions lost by to scam activity each and every year.
There technically are some protections already in place, but they invariably don’t do enough. While some text messaging platforms limit specific names scammers can use, there are ways these can be exploited, and so the text messaging scams have continued.
But with the 2026 roll out of the sender ID changes, scammers lose an obvious vector by becoming “not verified”.
What is a Sender ID?
Your phone has the ability to recognise people you send messages to. Typically, the recognition comes from your side, such as when you name a contact “mum”, “dad”, or just a name. That’s you assigning a name to a number.
Businesses can’t work that way, though, because you don’t know their number. And even if you did, you might still want to keep it unknown. Who goes out of their way to add a brand name to their phone?
With company-specific texts typically focused on a mixture of security information, help-desk activity, and marketing information, it makes sense why a brand would want you to know who is sending the message.
That’s where the sender ID field comes in handy.
Your phone can recognise your names for specific contacts, and it can also recognise the sender ID mapped to text messages sent from businesses.
It’s a feature businesses have long used, and that scammers have abused by taking advantage, using it to trick people into believing nefarious messages were from the company.
How the Sender ID verification works
Things are changing, though. From July 1 onwards, businesses have a new process to follow, and it changes how scammers send text messages from Australian mobile numbers, as well.
For the past half year or so, businesses have been encouraged to register a Sender ID through telcos, with the goal of the registry being a specific approval process for the use of sender names associated with a company and brand.
While focused on Australian numbers primarily, the Australian Communications and Media Authority (ACMA) has also encouraged international organisations to register a Sender ID, largely to prevent unverified numbers to come through without the words “not verified” on text messages.
Once registered and working, the Sender ID system essentially works on an approval process: if you have access to a specific name, it will come through as the sender. And if you don’t, it will show plainly for text messages that you haven’t been verified.
Some words and terms won’t be usable at all, such as “assist”, “account”, “bank”, “delivery”, “help”, “secure”, “package”, “tax”, “security”, and “verify”, as the government attempts to further prevent scammers from using manipulation tactics in its texts.
That’s definitely one approach, and Sender ID is likely to prevent a lot of SMS scams from working in Australia. The problem is it doesn’t affect everything.
Voice calls aren’t affected
While text messages are affected by the July 2026 changes to sender IDs, WhatsApp text messages will still come through without a Sender ID check (because it’s a different system), and phone calls remain unaffected completely. That means someone can potentially use another name as a Sender ID on voice calls, and there’s nothing you can do about it.
Google is attempting to solve part of this using Rich Communication Services (RCS) as a handshake mechanism to at least work out whether a caller is who they say they are.
As part of a feature rolling out to Pixel phones, Android owners will have some sense of verification applied to their handsets to determine whether the sender really is who they say they are. It’s a neat little handshake, but it’s also one specific to Android, meaning it probably won’t work if someone (like your parents) have an iPhone, or if you have an iPhone and they have an Android.
From July onwards, phone calls are the weak link in the Sender ID chain, and may still be affected by scammers alongside other platforms, such as the aforementioned WhatsApp, plus anything else you may use.
It’s worth being aware that you can still fall for a scam even if there’s no official Sender ID; all it takes is a phone number and a message to trick someone, so keeping your wits about you is incredibly important.
Remember that just like with email domains and website domains, a Sender ID from an Australian mobile number can’t be manipulated because of the registry, so trusting the name may actually be more obvious than simply trusting the phone number and the message attached.
But scammers can also try these approaches in other ways, and if you get a phone call from someone purporting to be from a bank, government organisation, or a company, consider hanging up and finding the real number online, and calling that back. At least that way you know if you’re talking to the real deal.
