3 min read

When using a SIM Farm may be a sin

Fraud and security
SIM farms thumbnail
Share to:

In this article:

Increased use of illegal channels for business SMS is exposing businesses texting European consumers to GDPR breaches and risk of fines. It’s got to stop.

Business SMS has become an essential part of our everyday lives. You may not be overly aware of it, but living in Europe, in an average month, you are likely to receive 14 business SMS. Companies, organizations, and governments are using business SMS more and more to operate their services, promote their products, or engage society on different issues. 

And of course they are! The handy SMS has many uses: from one-time pin codes to log in to your online bank, to doctors’ appointment reminders and notifications about flight delays. And it’s also used for critical communications – during the Covid-19 pandemic it helped governments with the roll out of national vaccination programmes. Sounding more familiar?

And it’s a growing sector. From banking to healthcare, business SMS helps drive economic growth and innovation across Europe and around the world, with an estimated €20.3 billion spent by companies using it every year (of which €1.6 billion is spent in Europe). And this is expected to increase by 8% annually until 2025. 

The ubiquity of SMS is key. It works across all mobile devices and networks worldwide. Not to mention its reliability and effectiveness in helping companies and organizations engage with their customers.

The continued success of the sector and the value it brings to business is, however, not without challenges. 

There are illegitimate players taking advantage of the market, exploiting backdoors and regulatory loopholes to make money. So-called SIM Farms expose consumers to fraud and data theft, and expose businesses to non-compliance with EU data protection legislation, which could result in litigation and fines. 

Get this: one third of all business SMS globally, and 19% in the EU, are not sent to consumers in the way mobile operators intended. Of those sent the wrong way, SIM Farms are the most common method.

So, what is a SIM Farm? 

Business SMS should only be sent via dedicated mobile operator systems. By using consumer SIM cards in unauthorized ways, SIM Farms can offer a cheaper means for companies to send business SMS – but often in breach of mobile operators’ Terms & Conditions. Many SIM Farms are operated by bad actors, often based outside the EU, and are non-compliant with the EU’s data and consumer protection rules. Some SIM farm operators harvest customer’s phone numbers and whatever other sensitive personal information they can use for illicit purposes. 

As data controllers, businesses that knowingly - or unknowingly - use SIM farms in their value chain therefore expose themselves to serious breaches of the GDPR.

In 2019, the total amount lost by consumers to communications fraud annually in the EU is estimated at around €12 billion. And 5% of such fraud cases are directly related to SMS, meaning that EU consumers lose at least €600 million per year due to SMS fraud. And the real number is probably significantly higher, as SMS is a very personable means of communications and therefore a more effective channel for fraud. 

In addition, fraud has grown significantly during the COVID-19 pandemic. Mobile operators in the EU alone suffer over €300 million in lost revenues a year due to unauthorized SMS.

As we head towards International Data Protection Day on January 28th, Sinch is taking a stand.

As an advocate for the sector, we call on all stakeholders across the value chain to join forces to address this issue through the adoption of best practices on how to manage the use of business SMS. 

In particular, we would like companies sending business SMS to European consumers to take proper responsibility for their SMS delivery chains and ensure they are free from bad actors.

Additionally, we want to promote increased commitment to initiatives such as the Mobile Ecosystem Forum’s Business SMS code of conduct, and the adoption of technical solutions such as sender ID registries in more countries and national spam reporting services to help detect, block, and prevent fraud. Mobile operators play an important part in the business SMS ecosystem, and we encourage them to continue their efforts to protect European subscribers.

We also call on policymakers and regulators to help raise awareness and ensure better enforcement of existing data protection regulations (GDPR and e-Privacy) to protect European consumers.

Customer trust is key to the sector's continued growth and success. We’re keen to talk to you about how we can potentially work better together to protect consumers and businesses. If you would like to find out more, please get in touch!


Robert Gerstmann is Chief Evangelist and co-founder at Sinch AB.

About Sinch

Founded in Sweden in 2008 and headquartered in Stockholm, Sinch is a European champion, a leading cloud communications platform. Sinch simplifies life by bringing all people and businesses together. Its leading cloud communications platform lets its 170,000 business customers reach every mobile phone on the planet, in seconds or less, through mobile messaging, email, voice and video. Sinch’s platform powers business-critical communications for many of the world’s largest companies and Sinch is a trusted software and services provider to mobile operators. Now operating in over 50 countries, it has become the largest in its sector in Europe and the second largest globally.