Google wants to help you tell which texts are legitimate, not scams

The twin plagues of text-message spam and robocalls have been teaching phone users a harsh lesson: Trust no one.

While measures to block those annoyances grind on, two efforts are proposing a different solution that amounts to “trust someone.” They take the blue-checkmark approach of social networks that verify users and apply it to texts and calls from legitimate businesses.

The higher-profile venture comes from Google, which on Dec. 12 announced what it calls Verified SMS. The technology lets participating businesses send texts that arrive in Google’s Messages app for Android with the logo and title of their choice, plus a checkmark verification badge.

This happens without Google seeing the content of any messages. Instead, a company’s agent app and its customer’s Messages app send paired encryption keys and then compare “hashes”—mathematical abstractions of the message—to confirm that both the sender and the content match. This required exchange necessitates a data connection, which is not true of garden-variety SMS.

Google lists 1-800 Flowers, Banco Bradesco, Kayak, Payback, and Sofi as participating firms; it’s also using Verified SMS to send its own two-step verification text messages. One of the firms providing Verified SMS services, the business-communications company Twilio, lists Expensify as another early adopter.

“As rich channels for business messaging (WhatsApp, RCS, Messenger, and so on) pop up with features like profile branding and verification, SMS has to keep up,” said Simon Khalaf, Twilio’s senior vice president and general manager for messaging, in an email sent by a publicist. He added that Twilio isn’t “currently” charging for the technology.

The big catch is that Verified SMS only works with Google’s own Messages app. It isn’t compatible with the one Samsung provides on its Galaxy phones—and certainly not with Apple’s Messages app. So it’s even more limited in its potential audience than RCS messaging, the long-stalled update to text messaging that Google has been pushing wireless carriers to support.

“Whether any other operating system or apps will ever get a service that’s compatible, or even similar, remains to be seen,” said Sophos principal research scientist Paul Ducklin, in an email sent by a publicist. “The whole system still seems a bit experimental—it’s only available in eight countries at the moment—so it’s probably too early to say how it will play out.”

Verified SMS doesn’t do anything for phone calls, but third parties are working on that. In August 2018, a Little Rock, Arkansas, company called First Orion started testing its own caller idea: a service called Engage that puts a company’s name, logo, and why-it’s-calling message on a phone’s screen.

But the technology doesn’t depend on a particular smartphone or app; wireless carriers have to support it on their networks. First Orion lists Sprint and T-Mobile as doing that. T-Mobile was among the first companies to adopt Engage’s branded calling for its own customer support.

At a demo during the MWC Barcelona trade show in February, First Orion executives said T-Mobile saw its call pick-up rate go from 30 to 80% after adopting that feature.

But that leaves the two largest wireless carriers, AT&T and Verizon, not supporting this feature.

“The other carriers have been slow to move here,” Gavin Macomber, First Orion’s senior vice president for marketing and communications, acknowledged in an email. He estimated that about 20% of U.S. mobile users can receive Engage-branded calls from companies.

Then there’s the fact that First Orion’s service only helps when companies decide to pay for it, based on their call volume and the level of personalization in a call. “Brands will pay more to display an urgent, detailed fraud message, for example,” Macomber said.

First Orion will have competition at some point: In August, Twilio announced its own verified-call service that will provide the same sort of branded identification of calls from companies. But for now, it’s like a lot of products in tech: confined to an invitation-only beta.