Stephen’s phone rang on a Tuesday afternoon. The caller ID showed a number he didn’t recognise. When he answered, a voice explained they were from New Zealand’s Inland Revenue Department, calling about mandatory two-factor authentication setup.
“I was like, yeah right,” Stephen later told reporters. He hung up, convinced it was another scam.
The call was real. The IRD had just launched a security initiative, dialing 34,000 taxpayers to enroll them in stronger account protection. Only four people filed official complaints, but countless others reacted exactly like Stephen. They saw an unknown number, heard an unexpected request, and did what every cybersecurity expert advises: they hung up.
This is the trust paradox facing businesses today. Organizations spend millions building brand credibility, then send messages that trigger every scam warning bell in their customers’ heads. The result isn’t just ignored texts. It’s eroded trust, flooded support lines, and customers who start doubting the real warnings.
The Hyper-Vigilance Problem
Consumer NZ recently dropped a sobering statistic: 78 percent of people now distrust unexpected messages from organizations they otherwise trust. The reason is simple math. For every legitimate text a person receives, they get dozens of phishing attempts. Their phone becomes a minefield where one wrong click means identity theft or emptied bank accounts.
This hyper-vigilance creates a hair-trigger response to common elements. Generic sender IDs like “BANK-ALERT” or “TAX-NOTICE” raise immediate suspicion because scammers spoof them daily. Shortened URLs from bit.ly or tinyurl hide malicious destinations, so any link that doesn’t show a full domain gets treated as dangerous. Urgent language like “Act NOW” or “24 hours to respond” bypasses rational thought, exactly as scammers intend.
The damage extends beyond deleted messages. HMRC in the UK reported 135,500 scam contacts in just ten months, forcing them to shut down 25,000 fake websites and phone numbers. Each fake message makes the real ones less effective. When the California Franchise Tax Board sends a legitimate refund notification, taxpayers already primed by scam warnings reflexively delete it.
Four Texts That Trained Customers to Stop Trusting
The Bank Alert That Got Treated as Fraud
A major US bank sent this message to thousands of customers: “BANK-123: Unusual transaction detected. Verify NOW at [shortened link] to avoid account lock.” The short code sender ID looked fake. The shortened URL hid the destination. The urgent language created panic.
One customer posted on a finance forum: “I get so many scam texts, I ignore the real ones now.” The bank’s fraud team watched response rates plummet. Scammers had so thoroughly poisoned the well that legitimate fraud alerts went unread, costing the bank millions in preventable theft.
The bank’s response was telling. They moved critical alerts to their mobile app and added disclaimers to their website: “We will never ask for passwords via text.” But they kept using the same short codes for SMS, missing the core issue. Customers couldn’t verify who sent the message.
The Delivery Notice That Delivered Malware Instead
Package tracking texts from USPS, UPS, and FedEx have become scammer favorites. A typical fake reads: “USPS-Alert: Your package is held. Confirm delivery address within 24 hours: [shortened link].” The sender ID looks official. The urgency feels real. The link steals personal data.
The Better Business Bureau ranked delivery scams in the top five fraud categories for 2024. Real carriers contributed to the confusion by using similar tactics. They sent texts from generic IDs like “USPS-Alert” with links to reschedule deliveries. Customers had no way to distinguish between a legitimate text and a dangerous one.
Carriers now state clearly on their websites: “We never ask for payment via text.” But they continue using short codes that can’t receive replies, preventing customers from verifying suspicious messages.
The Tax Authority That Sounded Too Threatening
HM Revenue & Customs faced a nightmare scenario. Scammers sent texts with spoofed sender IDs showing “HMRC” and threatening language: “Urgent: You owe £2,340 in unpaid tax. Pay within 24 hours to avoid legal action.” Victims panicked and paid fake websites.
In just ten months, HMRC recorded 4,800 Self Assessment scams and 29,000 fake refund schemes. Their security team shut down 25,000 fraudulent sites and numbers, but the real damage was psychological. When HMRC sent legitimate deadline reminders, taxpayers couldn’t tell them apart from the fakes.
HMRC’s response focused on education. They published guides telling customers to “search ‘report an HMRC scam’ on GOV.UK” to verify messages. But they lacked a simple technical solution. Their legitimate texts came from different numbers than their customer service line, creating a verification dead end.
The IRS Payment That Wasn’t
The Internal Revenue Service announced real economic impact payments in 2025. Scammers immediately exploited the news, sending texts claiming: “IRS: You have a $1,400 stimulus payment. Verify your information: [link].” The timing matched real IRS announcements. The payment amount was accurate. Only the link was fake.
The Better Business Bureau warned taxpayers nationwide. The IRS repeatedly stated: “We are not communicating via text message for stimulus payments.” But the agency had no official SMS channel to counter the fakes. Their legitimate communications arrived only by mail, leaving a vacuum that scammers filled.
Why Smart Organizations Make These Mistakes
The technical root of the problem is invisible to most customers. Businesses choose between two types of phone numbers for SMS: short codes and long codes.
Short codes are five or six-digit numbers designed for mass messaging. They’re cheap, fast, and can handle huge volumes. They also look anonymous. A text from “BANK-123” gives customers nothing to verify. They can’t call it back. They can’t save it as a contact. It arrives, delivers its message, and disappears into the void.
Long codes are standard 10-digit phone numbers. They cost more and carriers limit how many messages can be sent per minute. But they feel familiar. They’re the same format as friends, family, and local businesses. Customers can save them. More importantly, they can call them.
This voice-text disconnect destroys trust. When the IRD called Stephen from an unrecognised number, he had no way to verify it. The number that appeared on his caller ID didn’t match any published IRD contact. When HMRC texts customers from one number but answers calls at another, they create a verification gap.
One-way messaging compounds the problem. Short codes typically don’t support replies. Customers receive a command but can’t ask questions. This feels impersonal and automated, exactly like spam. The National Cyber Security Centre NZ noted that legitimate calls get reported as scams simply because “they did not recognise the number.” Without a return path, recognition never develops.
The Phone Number That Fixes This
Businesses are solving this by moving to dedicated long codes, specifically 10DLC numbers registered for business messaging. These are regular 10-digit numbers with one critical addition: voice capability.
A customer receives a text from +64-4-XXX-XXXX. They can save that number as “My Bank” or “Tax Office.” If they’re suspicious, they can call it back and reach the same organization that sent the text. This creates a verification loop that short codes cannot match.
Two-way messaging becomes possible. Customers can reply “Is this real?” and get immediate confirmation. They can ask questions about the message they received. This conversational exchange builds trust through interaction, not just broadcast.
Consistency across channels becomes automatic. The same number appears on letters, websites, mobile apps, and text messages. Customers see it repeatedly, building recognition and familiarity. When they receive a text from that number, they don’t need to wonder if it’s legitimate. They already know it.
Mobile gateway services provide these dedicated long codes as part of business messaging platforms. The registration process itself adds a layer of trust. Carriers verify business identity before approving 10DLC numbers, creating a public record of legitimate use.
What Businesses Should Do Now
-
Publish one voice-enabled long code for all SMS communications. Put it on your website, in your app, and at the bottom of every email. Let customers save it as a contact.
-
Never include links in sensitive messages. Instead, tell customers: “Log into your account at [official domain] to view this message.” Eliminate the primary phishing vector.
-
Announce SMS campaigns before they start. Send an email or letter explaining when texts will begin and what number they’ll come from. Set expectations so messages aren’t unexpected.
-
Enable replies on your SMS number. When customers respond with questions, answer them. Two-way conversation transforms suspicious messages into trusted communication.
The trust problem won’t solve itself. Every scam text makes your legitimate messages harder to deliver. But a simple, verifiable phone number, one that customers can call back and save in their contacts, cuts through the noise. It’s the difference between looking like a potential scam and looking like a real business.
