/newsdrum-in/media/agency_attachments/2025/01/29/2025-01-29t072616888z-nd_logo_white-200-niraj-sharma.jpg){kind=logo}
/newsdrum-in/media/member_avatars/9Rj3p38eDEeibqzKtTLR.jpg )
Follow UsNew Delhi, Nov 18 (PTI) TRAI on Tuesday issued a direction to all access providers mandating the 'pre-tagging' of all variable components like URLs, application download links, or callback numbers used in SMS content templates for commercial communication.
According to TRAI, the measure represents a significant regulatory intervention to prevent misuse of registered templates, particularly by fraudsters who insert harmful links and call-back numbers to lure unsuspecting users, many times resulting in financial fraud, data theft and cyber harm.
"The Telecom Regulatory Authority of India (TRAI) has issued a direction to all access providers mandating the pre-tagging of all variable components used in SMS content templates for commercial communication," the regulator said in a statement.
This means all such SMS templates are required to clearly mark that there are changing parts like links or numbers, so telecom operators can detect fraud and stop fake or harmful commercial messages.
Variable components typically include elements such as URLs, application download links, or callback numbers that may change from recipient to recipient or time to time, while the rest of the message text remains static.
As per the new requirement, senders must explicitly tag each variable field at the time of template registration, that is, must specify the purpose for which the variable is going to be used.
For instance, tagging a variable as #url# implies that the variable contains a URL. Unless these variable fields are pre-tagged, access providers cannot identify or scrub them to determine whether the inserted values are from whitelisted domains, numbers, or links.
Pre-tagging, therefore, becomes essential for automated identification and scrubbing of variable fields, TRAI said.
"Evidence from multiple UCC investigations shows that the absence of predefined tagging has been routinely exploited for fraudulent and phishing activities, allowing unregistered or malicious URLs, app links, and callback numbers to be inserted into approved templates without detection," it said.
The direction aims to strengthen the anti-spam and anti-fraud framework by ensuring complete visibility of variable fields in SMS and enabling access providers to apply stringent content scrubbing.
With the introduction of mandatory pre-tagging, these variable elements will now have to be categorised and registered upfront by the principal entities (PEs), making them traceable and accountable," TRAI said.
PEs are entities like banks, financial institutions, insurance companies, trading companies and businesses, among others.
As per the latest direction, access Providers and Principal Entities have been asked to complete modification of existing templates within 60 days. After expiry of this compliance window, messages sent using non-compliant templates will be rejected and not delivered.
"This Direction reinforces the safeguards under the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018 and strengthens TRAI's framework for curbing unauthorised commercial communication," TRAI said.
By ensuring that every variable field in commercial SMS is validated before transmission, this initiative is expected to significantly enhance public safety and restore trust in digital messaging channels relied upon for banking, financial services, government and essential services communication, a TRAI statement added.
The move assumes significance given the rising instances of digital frauds where unsuspecting users are lured online and deceived by scamsters leveraging advanced techniques, malicious links and callback numbers. Clicking on malicious links can lead to serious consequences, including malware installation, data breaches, financial theft, identity fraud, and unauthorised access to personal bank accounts.
Such links can redirect users to fraud sites designed to steal sensitive information or may give attackers remote access to user devices. PTI MBI MR