Verified SMS lets you know when Google can confirm the identity of a business that sends you messages.
It can be difficult to trust the identity of a business sending you SMS messages. Some messages may be misleading and pretend to be from businesses you trust. These messages may ask for private information or link to dangerous websites--this is called phishing.
Verified SMS can help you know the true identity of the business sending you messages in order to prevent phishing.
When Verified SMS is on and you receive a message from a business registered with Google, Google translates the message you receive into an unreadable authenticity code, all on your device. Then, Google compares this code with unreadable authenticity codes sent to Google by the business. If these codes (also referred to as message hash or message HMAC) match, Google confirms that the message content was sent by the business, and Google Messages shows you information about the business, such as the business' logo with a "verified" icon.Google uses your device’s phone number to create authenticity codes. For devices with multiple SIMs, Google uses your SIMs' identifier numbers (IMSIs) to identify which phone number received the SMS to create authenticity codes. Google doesn't read your messages, including when authenticity codes are sent to Google directly from the business. If Verified SMS is enabled in the Google Messages app on a given device, participating businesses are able to determine that the phone number associated with your device is eligible to receive verified messages in the Google Messages app.
Verified SMS performs authenticity code matching without sending your message content to Google.
Verified SMS compares authenticity codes to verify business senders
When businesses register with Verified SMS, Google works with them to confirm their real identities. When a registered business wants to send you a message, it creates an unreadable authenticity code (also known as a message hash) for the message, sends the code to Google, and sends the message to you over SMS. An authenticity code is a cryptographic technique that can be used to prove the authenticity of a message without revealing the message. To create an authenticity code, the business uses a public key for your device, a private key that they generate, and the message content they plan to send you to generate an unreadable code that is unique to you, the business, and that specific message content.
Once the Google Messages app receives your message, it checks the sender against a list of registered businesses. If the business is registered with Verified SMS, the Google Messages app retrieves the public key for the business, uses the public key and your private key to generate an authenticity code of the message, and sends the code to Google. Google compares the code sent by Google Messages to the code sent by the registered business. If they match, this means the message content was sent by the real business. Google does not track or store which business is sending you messages.
Even if someone were able to read the authenticity code, they wouldn’t be able to decode it, as they would need either your or the business’ private key. This allows Google to confirm that the message content you receive was truly sent by a business without having access to the message content.
Google attempts to verify each message sent by participating businesses
As part of this feature, Google attempts to verify all messages that appear to be sent by a business that is registered with Verified SMS. If Google can't verify the message, the Google Messages app displays "Sender could not be verified." A sender might not be verified because:
- The associated business didn't ask Google to verify that message.
- Technical errors prevented Google from verifying the message.
- Someone attempted to impersonate the associated business.
Because verification requires a data connection, if you have a weak data connection, the Google Messages app may display "Verifying sender…". If you have no data connection, the Google Messages app displays "Waiting for connection to verify sender." Until the sender of a message has been verified, Google doesn't recommend replying with sensitive info or opening links that you aren't sure you trust.
Verified SMS is turned on automatically. To turn it off:
- Open the Google Messages app .
- Tap More Settings.
- Tap Verified SMS.
- Next to "Verify business message sender," toggle the switch to the left.