Texts of Deception: Unveiling Smishing, the Dark Side of SMS in Crypto

by Damian Chmiel
  • While Telegram and WhatsApp grab headlines, the old-school SMS is still going strong for scammers.
  • The reason: Outdated GSM technology leaves exchanges helpless.
phishing
Join our Crypto Telegram channel

In an era where free messenger apps have almost completely dominated traditional text messages, it might seem that after over 30 years, popular “texts” have already become obsolete. Although we do not use them in everyday communication, they are still willingly used as a common medium for marketing and promotion. Unfortunately, not only among legitimate businesses but also among scammers.

After conducting our own analysis and conversations with industry experts Finance Magnates can clearly confirm that SMS scams are still a common problem, especially in the cryptocurrency industry. Unscrupulous actors exploit very simple loopholes in outdated technology by impersonating popular brands, trying to steal user data. Exchanges, on the other hand, are helpless to stop them and honestly admit that nothing can be done about it. But, is that really the case?

WhatsApp Most Popular, SMS Still Most Ubiquitous

90% of the world's population (over 7 billion people) use mobile phones. And, although the vast majority of them get some kind of coverage, only half have regular access to mobile internet.

Statistics clearly show that in recent years the number of messages exchanged via internet messengers has outclassed SMS. WhatsApp has 2.4 billion active users every month, Facebook Messenger 2.1 billion, and WeChat gathers 1.2 billion.

Even with these huge numbers, traditional texts are still the most common way to reach the widest possible audience. For the purposes of this article, I specifically reviewed my SMS history. 90% of them are advertisements or messages with security codes used for logging into various services and two-factor authentication (2FA). This is exactly where scammers see their chance. And, as it turns out, the imperfect technology of sending SMS makes it much easier for them.

According to the recent "Scam Prevention Survey" by the Finance Magnates Group and FXStreet, nearly 22% of respondents admitted that SMS is one of the most common forms of scam they encounter, more frequent than scams on Twitter. Participate in the survey.

Infographic
Fraser Edwards, the CEO at cheqd
Fraser Edwards, the CEO at cheqd

“Banks and exchanges still offer SMS for 2FA despite it being one of the worst 2FA options,” explained Fraser Edwards, the CEO at cheqd, the infrastructure provided for Trusted Data markets. “It carries a potential of SIM swap fraud or sim hacking where a fraudster uses stolen identity documents to have a network provider reassign a phone number to a SIM under the fraudster's control.”

How Easy It Is to Become a Victim of Crypto Scammers

The inspiration to write this article was an SMS I received some time ago, allegedly from Binance. It informed that a reward was waiting for me to collect. The message appeared in a thread signed by my phone as "Binance", displaying also previous texts from the exchange with verification codes for logging in.

Fake Binance SMS
Fake Binance SMS

Before I clicked the link full of euphoria, I noticed that the page address (binance.token-mbox) was far from the official domain used by the world's largest crypto exchange by volume. It turned out that at the same time, many other Binance clients from Poland received a similar SMS. I asked the exchange itself for comment on this matter, which openly stated that to eliminate texts security loopholes, the entire GSM technology would have to be modified. This, however, seems unrealistic at the moment.

“To eliminate this security loophole in SMS, the entire world would have to modify this technology, which seems unrealistic,” Binance commented.

Two years earlier, the exchange's former CEO, Changpeng Zhao, had already warned about frequent attempts at phishing and data theft via messages impersonating the platform.

Back in October 2023, 11 Binance's customers from Hong Kong lost nearly $500,000 due to the SMS scams. The question is, however, why is SMS spoofing possible, and why is it so easy?

How SMS Spoofing Works

The value of cryptocurrency fraud in 2023 reached $2 billion. Of this, about $300 million was lost due to phishing scams. A large part of the data was obtained by scammers thanks to SMS spoofing and extorting sensitive user data via links contained in text messages. This phenomenon even got its own name and is called smishing (SMS phishing).

scams
Charlotte Day – Creative Director, Contentworks Agency
Charlotte Day, the Creative Director at Contentworks Agency

“Social engineering scams are still widely used in crypto which means they do still work,” commented Charlotte Day, the Creative Director, at Contentworks Agency. “Crypto is the perfect lure for scammers because most people don’t really understand it, and there have been stories of overnight millionaires associated with it.”

When you send an SMS message from your phone, certain identification information is included with the message that identifies you as the sender. This includes your phone number and sometimes your contact name. SMS spoofing involves using technology to override this sender identification information and replace it with something else.

Technically, this works by exploiting weaknesses in the SS7 signaling protocol that is used to route messages across telecom networks. The spoofer essentially impersonates the sender by providing false identification credentials.

"The problem is that operators do not verify whether the sender sending the SMS is legally authorized to use given name. A scam SMS has the same 'sender name' as legitimate SMS messages from Binance, leading the recipient's phone to attach this SMS to the message history from Binance,” Binance Poland representatives explained.

As a result, with a little bit of tech skills, it is very easy to impersonate other companies using SMS. To the point that the phone will not distinguish between senders and throw them into one bag, as in the Binance case described above. Why, however, are only text messages at risk, and not popular messaging apps? Telegram and WhatsApp use data connections and the internet to send messages, while SMS uses cellular networks. So, they are separate systems that don't interact with each other to send messages.

James Young, the Head of Compliance at Transak
James Young, the Head of Compliance at Transak

“Blocking such scam messages is challenging because scammers constantly adapt their tactic,” James Young, the Head of Compliance at Transak, commented. "Additionally, SMS infrastructure lacks robust authentication, making it easier for malicious actors to manipulate sender information. The biggest safeguard users can employ to defend themselves is through education and engagement."

7 Million Crypto Leads

The mere fact that allows for impersonating someone via SMS is not enough to obtain the phone numbers and contact details of individuals, such as clients of a particular exchange.

However, as it turns out, the Internet is full of offers for selling massive packages of leads. The entire process, from using SMS gateways, through hiding one's identity, to the possibility of purchasing 7 million crypto-related phone numbers for only $200, was described by Security Boulevard. The procedure, in brief, goes as follows:

  • Scammers can use low-cost SMS gateways to send hundreds of thousands of SMS phishing messages for as little as €0.004 ($0.0044) per message.
  • SMS gateways provide an interface linked to SIP trunks. that enable mass SMS spamming to reach people's phones quickly. SIP trunk is a solution for companies that want to replace traditional analog telephony with modern VoIP telephony that enables call routing and advanced features.
  • Scammers can remain anonymous by purchasing SIP trunk access with cryptocurrency or compromising SIP devices.
  • Some SMS gateways have integrated one-time password bots to bypass two-factor authentication used by many online services.
  • Scammers can easily obtain large amounts of phone numbers to target and create SMS phishing campaigns.
Source: securityboulevard.com
Source: securityboulevard.com

By planning an entire "campaign" of fake SMS messages targeted at 7 million people, scammers can achieve much better results than trying to find vulnerabilities in the software of a given exchange. They exploit the weakest element of any security system: the human factor, which is much easier, and cheaper.

Some Countries Introduce Regulations

SMS spoofing exploits fundamental weaknesses in the underlying protocols and networks that mobile communication relies on. Although it is technologically difficult to block, some countries are trying to introduce appropriate regulations to counter this dangerous practice.

In January 2024, Hong Kong joined the SMS sender registration scheme. The scheme will see participating banks use registered SMS sender IDs with the prefix "#" to send messages to local subscribers of mobile services. Texts with sender IDs containing "#" but not sent by registered senders will be screened out by telecom providers. Currently, 28 banks are using this system, which are also often victims of SMS spoofing.

Similar regulations were also introduced in Poland in the middle of last year. Telecommunications companies are now required to block phone numbers and SMS whose senders impersonate other firms and entities. To enable this, the law imposes new rules for sending texts by registered companies and public institutions. Moreover, telecom firms will be able to block suspicious smishing messages themselves.

Looking at the fact that users from Poland received texts from a fake Binance firm shows that regulations in this area may be working only on paper.

In the United States, similar ones were introduced back in 2019, allowing the banning of malicious caller ID spoofing of text messages. However, this did not curb the problem.

Who Is Most at Risk

According to a study conducted by the British Office for National Statistics in 2022, the group most vulnerable to phishing and smishing are older individuals who may be more trusting of messages and fall for scams offering prizes or rewards.

However, as it turns out, people aged between 25 and 44 are also highly vulnerable. This is because they are the ones most often targeted by scammers as the most frequent users of their mobile devices and, at the same time, hurried or distracted. Sources say these users are more likely to respond without thinking critically about the legitimacy of SMS messages.

Vugar Usi Zade, the COO of Bitget
Vugar Usi Zade, the COO of Bitget

“The effectiveness of this technique is growing due to the high automation of our daily processes and the increasing volume of information,” said Vugar Usi Zade, the COO of Bitget. “As a result, users are more reliant on applications and gadgets, leading to a loss of vigilance when checking links or messages. Criminals exploit this by altering the sender's information and using text tricks to deceive victims into revealing confidential information or transferring money.”

There is also a large group of those not aware of common SMS phishing tactics and unable to identify scam messages, making them more likely to respond or click links. Despite technological shortcomings in this area, the human factor is still the weakest link enabling the success of smishing.

Therefore, check the domain name it directs to several times before clicking on any link in an SMS message.

In an era where free messenger apps have almost completely dominated traditional text messages, it might seem that after over 30 years, popular “texts” have already become obsolete. Although we do not use them in everyday communication, they are still willingly used as a common medium for marketing and promotion. Unfortunately, not only among legitimate businesses but also among scammers.

After conducting our own analysis and conversations with industry experts Finance Magnates can clearly confirm that SMS scams are still a common problem, especially in the cryptocurrency industry. Unscrupulous actors exploit very simple loopholes in outdated technology by impersonating popular brands, trying to steal user data. Exchanges, on the other hand, are helpless to stop them and honestly admit that nothing can be done about it. But, is that really the case?

WhatsApp Most Popular, SMS Still Most Ubiquitous

90% of the world's population (over 7 billion people) use mobile phones. And, although the vast majority of them get some kind of coverage, only half have regular access to mobile internet.

Statistics clearly show that in recent years the number of messages exchanged via internet messengers has outclassed SMS. WhatsApp has 2.4 billion active users every month, Facebook Messenger 2.1 billion, and WeChat gathers 1.2 billion.

Even with these huge numbers, traditional texts are still the most common way to reach the widest possible audience. For the purposes of this article, I specifically reviewed my SMS history. 90% of them are advertisements or messages with security codes used for logging into various services and two-factor authentication (2FA). This is exactly where scammers see their chance. And, as it turns out, the imperfect technology of sending SMS makes it much easier for them.

According to the recent "Scam Prevention Survey" by the Finance Magnates Group and FXStreet, nearly 22% of respondents admitted that SMS is one of the most common forms of scam they encounter, more frequent than scams on Twitter. Participate in the survey.

Infographic
Fraser Edwards, the CEO at cheqd
Fraser Edwards, the CEO at cheqd

“Banks and exchanges still offer SMS for 2FA despite it being one of the worst 2FA options,” explained Fraser Edwards, the CEO at cheqd, the infrastructure provided for Trusted Data markets. “It carries a potential of SIM swap fraud or sim hacking where a fraudster uses stolen identity documents to have a network provider reassign a phone number to a SIM under the fraudster's control.”

How Easy It Is to Become a Victim of Crypto Scammers

The inspiration to write this article was an SMS I received some time ago, allegedly from Binance. It informed that a reward was waiting for me to collect. The message appeared in a thread signed by my phone as "Binance", displaying also previous texts from the exchange with verification codes for logging in.

Fake Binance SMS
Fake Binance SMS

Before I clicked the link full of euphoria, I noticed that the page address (binance.token-mbox) was far from the official domain used by the world's largest crypto exchange by volume. It turned out that at the same time, many other Binance clients from Poland received a similar SMS. I asked the exchange itself for comment on this matter, which openly stated that to eliminate texts security loopholes, the entire GSM technology would have to be modified. This, however, seems unrealistic at the moment.

“To eliminate this security loophole in SMS, the entire world would have to modify this technology, which seems unrealistic,” Binance commented.

Two years earlier, the exchange's former CEO, Changpeng Zhao, had already warned about frequent attempts at phishing and data theft via messages impersonating the platform.

Back in October 2023, 11 Binance's customers from Hong Kong lost nearly $500,000 due to the SMS scams. The question is, however, why is SMS spoofing possible, and why is it so easy?

How SMS Spoofing Works

The value of cryptocurrency fraud in 2023 reached $2 billion. Of this, about $300 million was lost due to phishing scams. A large part of the data was obtained by scammers thanks to SMS spoofing and extorting sensitive user data via links contained in text messages. This phenomenon even got its own name and is called smishing (SMS phishing).

scams
Charlotte Day – Creative Director, Contentworks Agency
Charlotte Day, the Creative Director at Contentworks Agency

“Social engineering scams are still widely used in crypto which means they do still work,” commented Charlotte Day, the Creative Director, at Contentworks Agency. “Crypto is the perfect lure for scammers because most people don’t really understand it, and there have been stories of overnight millionaires associated with it.”

When you send an SMS message from your phone, certain identification information is included with the message that identifies you as the sender. This includes your phone number and sometimes your contact name. SMS spoofing involves using technology to override this sender identification information and replace it with something else.

Technically, this works by exploiting weaknesses in the SS7 signaling protocol that is used to route messages across telecom networks. The spoofer essentially impersonates the sender by providing false identification credentials.

"The problem is that operators do not verify whether the sender sending the SMS is legally authorized to use given name. A scam SMS has the same 'sender name' as legitimate SMS messages from Binance, leading the recipient's phone to attach this SMS to the message history from Binance,” Binance Poland representatives explained.

As a result, with a little bit of tech skills, it is very easy to impersonate other companies using SMS. To the point that the phone will not distinguish between senders and throw them into one bag, as in the Binance case described above. Why, however, are only text messages at risk, and not popular messaging apps? Telegram and WhatsApp use data connections and the internet to send messages, while SMS uses cellular networks. So, they are separate systems that don't interact with each other to send messages.

James Young, the Head of Compliance at Transak
James Young, the Head of Compliance at Transak

“Blocking such scam messages is challenging because scammers constantly adapt their tactic,” James Young, the Head of Compliance at Transak, commented. "Additionally, SMS infrastructure lacks robust authentication, making it easier for malicious actors to manipulate sender information. The biggest safeguard users can employ to defend themselves is through education and engagement."

7 Million Crypto Leads

The mere fact that allows for impersonating someone via SMS is not enough to obtain the phone numbers and contact details of individuals, such as clients of a particular exchange.

However, as it turns out, the Internet is full of offers for selling massive packages of leads. The entire process, from using SMS gateways, through hiding one's identity, to the possibility of purchasing 7 million crypto-related phone numbers for only $200, was described by Security Boulevard. The procedure, in brief, goes as follows:

  • Scammers can use low-cost SMS gateways to send hundreds of thousands of SMS phishing messages for as little as €0.004 ($0.0044) per message.
  • SMS gateways provide an interface linked to SIP trunks. that enable mass SMS spamming to reach people's phones quickly. SIP trunk is a solution for companies that want to replace traditional analog telephony with modern VoIP telephony that enables call routing and advanced features.
  • Scammers can remain anonymous by purchasing SIP trunk access with cryptocurrency or compromising SIP devices.
  • Some SMS gateways have integrated one-time password bots to bypass two-factor authentication used by many online services.
  • Scammers can easily obtain large amounts of phone numbers to target and create SMS phishing campaigns.
Source: securityboulevard.com
Source: securityboulevard.com

By planning an entire "campaign" of fake SMS messages targeted at 7 million people, scammers can achieve much better results than trying to find vulnerabilities in the software of a given exchange. They exploit the weakest element of any security system: the human factor, which is much easier, and cheaper.

Some Countries Introduce Regulations

SMS spoofing exploits fundamental weaknesses in the underlying protocols and networks that mobile communication relies on. Although it is technologically difficult to block, some countries are trying to introduce appropriate regulations to counter this dangerous practice.

In January 2024, Hong Kong joined the SMS sender registration scheme. The scheme will see participating banks use registered SMS sender IDs with the prefix "#" to send messages to local subscribers of mobile services. Texts with sender IDs containing "#" but not sent by registered senders will be screened out by telecom providers. Currently, 28 banks are using this system, which are also often victims of SMS spoofing.

Similar regulations were also introduced in Poland in the middle of last year. Telecommunications companies are now required to block phone numbers and SMS whose senders impersonate other firms and entities. To enable this, the law imposes new rules for sending texts by registered companies and public institutions. Moreover, telecom firms will be able to block suspicious smishing messages themselves.

Looking at the fact that users from Poland received texts from a fake Binance firm shows that regulations in this area may be working only on paper.

In the United States, similar ones were introduced back in 2019, allowing the banning of malicious caller ID spoofing of text messages. However, this did not curb the problem.

Who Is Most at Risk

According to a study conducted by the British Office for National Statistics in 2022, the group most vulnerable to phishing and smishing are older individuals who may be more trusting of messages and fall for scams offering prizes or rewards.

However, as it turns out, people aged between 25 and 44 are also highly vulnerable. This is because they are the ones most often targeted by scammers as the most frequent users of their mobile devices and, at the same time, hurried or distracted. Sources say these users are more likely to respond without thinking critically about the legitimacy of SMS messages.

Vugar Usi Zade, the COO of Bitget
Vugar Usi Zade, the COO of Bitget

“The effectiveness of this technique is growing due to the high automation of our daily processes and the increasing volume of information,” said Vugar Usi Zade, the COO of Bitget. “As a result, users are more reliant on applications and gadgets, leading to a loss of vigilance when checking links or messages. Criminals exploit this by altering the sender's information and using text tricks to deceive victims into revealing confidential information or transferring money.”

There is also a large group of those not aware of common SMS phishing tactics and unable to identify scam messages, making them more likely to respond or click links. Despite technological shortcomings in this area, the human factor is still the weakest link enabling the success of smishing.

Therefore, check the domain name it directs to several times before clicking on any link in an SMS message.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}