How Verified SMS works
It can be difficult to trust the identity of a business sending you SMS messages. Some messages may be misleading and pretend to be from businesses you trust. These messages may ask for private information or link to dangerous websites. This is called phishing.
Verified SMS can help you understand the true identity of the business sending you messages in order to prevent phishing.
When Verified SMS is on and you receive a message from a business registered with Google, Google translates the message you receive into an unreadable authenticity code, all on your device. Then, Google compares this code with unreadable authenticity codes sent to Google by the business. If these codes (also referred to as message hash or message HMAC) match, Google confirms that the message content was sent by the business, and Messages shows you information about the business, such as the business' logo with a "verified" icon.
Google uses your device’s phone number to create authenticity codes. Google doesn't see your messages, including when authenticity codes are sent to Google directly from the business.
How Google protects your messages
Verified SMS performs authenticity code matching without sending your message content to Google.
Verified SMS compares authenticity codes to verify business senders
When businesses register with Verified SMS, Google works with them to confirm their real identities. When a registered business wants to send you a message, it creates an unreadable authenticity code (also known as a message hash) for the message, sends the code to Google, and sends the message to you over SMS. An authenticity code is produced with a cryptographic technique that can be used to prove the authenticity of a message without revealing the message. To create one, the business combines a public key for your device, a private key that the business generates, and the message content it plans to send you. The result is an unreadable code that is unique to you, the business, and that specific message content.
Once the Messages app receives your message, it checks the sender against a list of registered businesses. If the business is registered with Verified SMS, the Messages app retrieves the public key for the business, uses the public key and your private key to generate an authenticity code of the message, and sends the code to Google. Google compares the code sent by Messages to the code sent by the registered business. If they match, this means the message content was sent by the real business. Google does not track or store which business is sending you messages.
Even if someone were able to read the authenticity code, they wouldn’t be able to decode it, as they would need either your or the business’ private key. This allows Google to confirm that the message content you receive was truly sent by a business without having access to the message content.
Google attempts to verify each message sent by participating businesses
As part of this feature, Google attempts to verify all messages that appear to be sent by a business that is registered with Verified SMS. If the authenticity codes don’t match, and Google can't verify the message, the Messages app displays “Message could not be verified.” Because verification requires a data connection, if you have a weak data connection, the Messages app may display “Verifying sender…”. If you have no data connection, the Messages app displays “Waiting for connection to verify sender.” Until the sender of a message has been verified, Google doesn't recommend replying with sensitive info or opening links that you aren't sure you trust.
You're in control
1. Open the Messages app.
2. Tap More, then Settings.
3. Tap Verified SMS.
4. Next to "Verify business message sender," toggle the switch to the left.