With verified sender identities, branded conversations and richer media formats, the channel promises to eclipse traditional A2P SMS and close the experience gap with OTT apps. Yet beneath the optimism sits a growing concern: that the industry is sleepwalking into a new era of threats that could erode user trust at the very moment RCS reaches scale.
Few people understand the stakes as clearly as Tomas Hedqvist, senior director of product marketing at Enea, who argues that the industry has been lulled into a false sense of security by verification badges and encryption.
Speaking to Capacity, Hedqvist warns that the arrival of RCS is already attracting malicious actors who see richer content not as a barrier, but as an opportunity.
Hedqvist believes the shift from SMS to RCS has created a perfect storm. SMS, despite its vulnerabilities, offered limited scope for manipulation. RCS, by contrast, brings carousels, images, suggested actions and embedded media.
“If scammers can persuade consumers with a plain text SMS, imagine what they can do with an interactive, visually branded message,” he explains.
“The more engaging the experience, the more convincing a scam can become.” He notes that the industry has seen similar abuse patterns in MMS and other digital channels, where images and rich media became conduits for malware, phishing and harmful payloads. The risk for RCS, he says, is not hypothetical but historical.
Despite this, many in the CPaaS ecosystem have placed their faith in verification programmes and trust marks. Hedqvist supports such initiatives but views them only as a starting point. A badge beside a brand name may reassure users, he says, but without layered controls it offers no guarantee that the content is legitimate. Verified accounts can still be compromised, onboarding checks can be manipulated, and attackers are adept at socially engineering their way into approved profiles.
“If verification is the only line of defence, it creates a false sense of safety,” Hedqvist argues. “You still need traffic screening, behavioural analysis and strict enforcement of compliant sending. Without that, verification becomes a cosmetic measure that sophisticated actors will exploit.”
In his view, protecting the channel is not simply about keeping attackers out, but preserving the reputation of legitimate enterprises, whose brands would be tainted by a single high-profile breach through a supposedly trusted identity.
The evolution of the threat is being accelerated by artificial intelligence. Hedqvist points out that fraudsters are already using generative AI to mass-produce convincing messages and scale multilingual attacks at speeds never seen in mobile messaging. Yet he also sees AI as central to the defence.
AI-powered firewalls, he argues, can detect anomalies, analyse traffic in real time and identify harmful or non-compliant media before it reaches the user. “Humans cannot screen content at the volume and velocity RCS will generate. AI becomes essential if we want to protect the channel proactively rather than reactively.”
Waiting for regulation, he warns, would be a strategic mistake. Across digital communications, lawmakers have historically trailed attackers, not led them. Hedqvist fears a repeat of the early email era, when rampant spam eroded user confidence long before security standards and enforcement caught up.
“If consumers encounter a wave of spam and fraud during the formative period of RCS adoption, the damage will be lasting. Trust is slow to build and quick to lose. The industry cannot afford that kind of setback.”
For Hedqvist, there is a clear call to action. CPaaS providers must treat security not as a compliance necessity or an optional add-on, but as the foundation of the channel. Investing early in layered defences will protect brands, satisfy future regulation and ensure that RCS fulfils its commercial promise.
“RCS can transform business messaging,” he says, “but only if consumers trust it. Channel trust is not a by-product of innovation. It has to be engineered from the start.”
RELATED STORIES
Capacity Europe 2026
The 24th anniversary edition of Capacity Europe 2025 will bring together 3,500+ decision-makers from the global connectivity and digital infrastructure community.
