Detecting brand impersonation in Spanish SMS — the position trick
Phishing in Latin America has a pattern most detection systems miss: where the brand name appears in the message matters.
The insight
In legitimate bank notifications, the brand appears at the end as a signature:
Su transferencia por $500,000 fue exitosa. — Tu Banco
In phishing, the brand appears at the beginning as a fake sender identity:
Tu Banco: Su cuenta sera bloqueada en 24h. Verifique: bit.ly/xyz
This single heuristic (brand at position 0-2 words = impersonation pattern) catches ~70% of LATAM phishing messages before any URL analysis.
Implementation (simplified)
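```csharp
// Requires: using System; using System.Linq;
public static bool IsBrandImpersonation(string message, string[] knownBrands)
{
    // Sender-style prefix: the first three words (positions 0-2), lowercased.
    var words = message.Split(new[] { ' ', ':', '-' }, StringSplitOptions.RemoveEmptyEntries);
    var prefix = string.Join(" ", words.Take(3)).ToLowerInvariant();
    // Flag the message when any known brand appears inside that prefix.
    return knownBrands.Any(b => prefix.Contains(b.ToLowerInvariant()));
}
```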
Real implementation adds:
- Levenshtein distance for typosquatting ("Banamex" → "Banamx", "Nequi" → "Nequii")
- Alias matching (263+ brands across CO, MX, PE, CL, EC, AR)
- Position scoring (start = 0.9, middle = 0.3, end/signature = 0.1)
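
A sketch of how position scoring and typo tolerance can fit together, as an added example rather than the production code described here. The score values are the ones listed above; the class and method names, the tokenization, the `maxEdits` threshold, and the rule that a match on the last words counts as a signature are assumptions.

```csharp
using System;
using System.Linq;
public static class BrandPositionScorer   // hypothetical name
{
    // Classic dynamic-programming edit distance, keeping two rows.
    static int Levenshtein(string a, string b)
    {
        var prev = Enumerable.Range(0, b.Length + 1).ToArray();
        for (int i = 1; i <= a.Length; i++)
        {
            var cur = new int[b.Length + 1];
            cur[0] = i;
            for (int j = 1; j <= b.Length; j++)
                cur[j] = Math.Min(Math.Min(cur[j - 1] + 1, prev[j] + 1),
                                  prev[j - 1] + (a[i - 1] == b[j - 1] ? 0 : 1));
            prev = cur;
        }
        return prev[b.Length];
    }
    // Highest position score of any brand (or near miss) in the message; 0.0 if none.
    public static double Score(string message, string[] brands, int maxEdits = 1)
    {
        // '\u2014' is the dash used before a trailing signature.
        var words = message.ToLowerInvariant()
            .Split(new[] { ' ', ':', '-', '\u2014', '.', ',' }, StringSplitOptions.RemoveEmptyEntries);
        double best = 0.0;
        foreach (var brand in brands.Select(b => b.ToLowerInvariant()))
        {
            int n = brand.Split(' ').Length;             // brand length in words
            for (int i = 0; i + n <= words.Length; i++)
            {
                var window = string.Join(" ", words.Skip(i).Take(n));
                if (Levenshtein(window, brand) > maxEdits) continue;
                double s = i <= 2 ? 0.9                   // sender-style prefix
                         : i + n == words.Length ? 0.1    // trailing signature
                         : 0.3;                           // mid-message mention
                best = Math.Max(best, s);
            }
        }
        return best;
    }
    public static void Main()
    {
        var brands = new[] { "tu banco", "nequi" };      // constructed sample list
        Console.WriteLine(Score("Tu Banco: Su cuenta sera bloqueada en 24h. Verifique: bit.ly/xyz", brands));
        Console.WriteLine(Score("Su transferencia por $500,000 fue exitosa. \u2014 Tu Banco", brands));
        Console.WriteLine(Score("Nequii: Verifica tu cuenta hoy", brands));   // typosquat at start
    }
}
```

With an edit threshold of 1, very short brand names will match unrelated words, so a length-dependent threshold is worth considering before using this on a real brand list.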
Combining with other signals
Brand position alone isn't enough. We stack 7 signals in a single pass:
| Signal | Weight | Cost |
|---|---|---|
| Brand at start (impersonation) | 0.25 | Free |
| Domain age < 7 days | 0.20 | 1 RDAP call |
| URL shortener → suspicious domain | 0.20 | 1 redirect follow |
| Spanish urgency language | 0.15 | Free (regex) |
| Safe Browsing match | 0.10 | 1 API call |
| Phone number not official | 0.05 | DB lookup |
| CTA pattern detected | 0.05 | Free (regex) |
Combined confidence > 75% = fraudulent verdict.
Results
Processing 10K+ real messages (crowdsourced from users across LATAM):
- 94% accuracy on fraudulent messages
- 2% false positive rate (legitimate marketing that starts with brand)
- < 200ms p95 response time
The false positives are almost always marketing SMS that mimic phishing patterns — which is a problem for the brands themselves.
Try it
```bash
curl -X POST https://mediavox.co/mvapi/api/v1/security/threats/analyze \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your-key" \
  -d '{"message": "TuBanco: Detectamos actividad inusual. Verifica tu cuenta: bit.ly/tb-verify"}'
```
Free tier: 500 analyses/month. No credit card.
We built this for Latin America because English-focused tools don't understand Spanish urgency patterns, regional brand aliases, or the specific phishing templates used in CO/MX/PE/CL. If you're building for LATAM, happy to chat about what we've learned.