This first appeared on my SAP Blog on May 23, 2017.
This is a piece about mobile messaging – SMS to be precise. Remember SMS, that mobile messaging medium that has been decimated by non-SMS chat applications like WhatsApp, Facebook Messenger, WeChat and many others? Well, it is still very much around, live and well and, I’ll say it: prospering.
Rumors of SMS’s death are greatly exaggerated.
So, what does this title mean and how does it pertain to SMS? Let’s start with Long Codes. Long Codes are in fact telephone numbers – any telephone number from any country. They can be mobile device numbers, landline or geographic numbers and even toll free numbers. That’s a long code. Sometimes in the industry, we call them MSISDNs; however, to be clear, that term is mostly used in the GSM network world. Phone numbers is the GSM world are called MSISDNs (or Mobile Station International Subscriber Directory Number). Phone numbers adhere to an international standard called a E.164.
In SMS, typically you have an originator long code and a destination long code (e.g. phone number) when someone sends a message to someone else. It’s how we address that party. In the Application to Person world where a business texts a consumer (e.g. mobile subscriber), the business might be identified with a long code.
Short codes are typically 4, 5, or 6 digit numbers that are exclusively used by businesses to identify themselves to the messaging ecosystem. For example, Chase Bank has a short code of 24273 (which spells C-H-A-S-E). Short codes that are pre-chosen and might spell out a business name are called Vanity Short Codes and have a greater cost than a non-vanity or random short code. In most countries, short codes are managed by some authority. For the United States, it is the Common Short Code Administration (CSCA), a CTIA initiative, managed by iConectiv. A major benefit of short codes is that they are interoperable across operators within the country – in other words, only subscribers of that particular country can exchange information with an enterprise within that country.
Short codes typically have a cost associated with them and can take up to several weeks to be approved and activated across all participating mobile operators within the country. Contrast that to long codes, which can be almost immediately activated after acquisition and at much lower prices per long code.
In the United States, the publication of the CTIA Messaging Principles and Best Practices, opened the door for the usage of long codes for consumer engagement (e.g. A2P messaging). As of this writing, many of the US mobile operators are still in the process of opening their messaging platforms to long code A2P traffic. Many other countries already allow both long code and short code A2P messaging.
It has been said that the opening of long code A2P traffic within the USA, specifically, will lead to the demise of short codes. I beg to differ and certainly don’t recommend the businesses that use and rely on short codes, all of the sudden give them up in lieu of long codes. CTIA has noted that short codes drive between $8-$12 billion in annual revenues.
Let’s look at a few facts:
- Short code campaigns are heavily vetted by mobile operators and messaging providers and consequently, one can almost always vouch for the consistent reliability of short codes. More so, if a business uses a vanity short code, then they have significant equity built into that code that ties them to the reputation of the business.
- 5 or 6 digit numbers are easy to remember and recognize. In situations where high-value traffic is delivered such as two-factor authentication (2FA) codes, the business should have a recognizable source address and teach their consumers to only expect 2FA traffic from that short code. Yes, a long code could be used, but 6 months after a consumer reads about that short code and receives a message from some random long code, it becomes more difficult to verify that it isn’t a phishing attack.
- In many markets, only short code traffic is viewed as legitimate, whereas long code traffic may utilize different, long cost routes and could be subject to blocking or filtering. Until all mobile operators in the US activate their platforms to use legitimate long codes for A2P, the United States could still be viewed in that category.
- Too many messaging providers over-use long codes to go around legitimate routes to mobile operators. Look at the example, below. The user (me!) signed up for SMS alerts for Mobile World Congress 2017. Every message received was from a different long code and they were scattered among all my other messages. I would question the legitimacy of many of these – especially if they had links to follow. This is extremely bad form and from the GSMA, no less. They should know better. At the expense of saving a few dollars here and there, they provided a less-than-adequate experience for users.
Receipt of SMS messages from a previously unknown or unexpected long code is no different than receiving a message from a previously unknown or expected email address. At best, it may be recognized; however, at worst, it could be a phishing attack. There is no legitimacy. At least with short codes, you have some measure of confidence that the message is legitimate as the sender is likely recognized. In fact, if an organization is sending important, time sensitive messages such as 2FA codes, then we would recommend that the originating address of the SMS messages should be an easy-to-remember and recognize short code.
Notwithstanding newer messaging ecosystems such as Facebook Messenger, WeChat, and even RCS with verified senders (with easy to remember alphanumeric aliases), short codes represent the next best thing to verified senders. In today’s hyper-sensitive environment of hacking, malware, and phishing, heavy usage of random long codes for certain high-value situations does nothing to further the SMS channel.
Certainly, some long code usage is fine – especially for general notifications, appointment confirmations, and small business engagement; however, if the business is a major business or brand, if the traffic is high value and subject to phishing, please heavily consider short codes.
Look at the example on the left. It is an appointment notification. Unfortunately, the phone number to call is not the sender of the SMS. It would be a much more effective communications by the salon, if they would have their SMS provider text-enable their phone number as it would further enable the “text or call” capabilities. Technically, this type of A2P SMS is still not acceptable in the US as the mobile operators have not fully rolled out their support for long code A2P traffic, but such traffic does persist in this market today.
If a messaging campaign relies on subscribers opting in such as sending a keyword to a number, make that number a short code. Again, this provides a level of confidence that some random long code does not provide. The only other exception that I would say would be if the long code was a number that had some brand equity, such as a vanity toll-free number or even non-toll-free number. Otherwise, it is hard to remember, recognize and doesn’t convey trust and security.
I’ve already seen some well-known companies shut off their short codes in favor of random long codes. In many cases, I have questioned the validity of any communications from their “new” long code. Fortunately, the class of traffic has been informational only and not of a critical nature (e.g. 2FA or critical notifications).
Today the SMS ecosystem has most certainly moved into a long code world; however, the long-suffering short code has continued to pay dividends and instill trust and confidence with subscribers. Just because long code SMS for A2P / consumer engagement becomes more accepted, does not mean that businesses should disable their well-known short codes. Examine your use-cases and campaigns. If there is any question as to possible reductions in your brand equity and/or reorganizability by switching to a long code – just don’t do it.