How to Protect Your Crypto From SMS Spoofing Attacks
SMS spoofing is a type of scam that relies on psychological manipulation to deceive victims into sending money or sharing sensitive information.
Attackers modify their sender identity to make their SMS message appear as if it’s coming from a trusted source.
Have you received a spoofed SMS? Report the incident to law enforcement immediately.
Learn about SMS spoofing and how to protect your crypto and personal data from attackers.
Trends in the fraud industry change as fast as anywhere else. Before, Nigerian prince email scams were all the rage; today, it is SMS spoofing attacks.
Unlike exploits where a hacker tries to use code to break into a user database, SMS spoofing attacks primarily use psychological manipulation. This means the scammer will try to pose as a trusted source in an attempt to deceive unsuspecting victims into sending money or sharing sensitive information, such as wallet details.
In this article, we’ll go over how SMS spoofing attacks work, the different ways attackers can target you, and how you as a user can protect your funds.
How Does SMS Spoofing Work?
The attacker modifies their sender identity (the name or phone number that appears on the recipient’s phone) to make their text message appear as if it’s coming from a trusted source. The goal is to trick the victim into following the instructions in the message.
A spoofed SMS can land in your phone inbox under a doctored name, phone number, or both. For example, a text appearing from “Binance” could be a scammer trying to deceive you into downloading malware, sharing your account details, or clicking on a malicious link.
Unfortunately, mechanisms that enable SMS spoofing lie in a legal grey area in many regions of the world. Some countries have outright banned the practice, while others are yet to address the abuse of changing the SMS sender’s identity.
There are, in fact, some legitimate use cases for altering the sender’s name as it appears on the recipient’s end. For example, a company might run an SMS marketing campaign and use a sub-brand identity instead of the main brand or phone number.
How to Identify and Avoid SMS Spoofing?
Even an industry-leading security infrastructure can do little to protect a user who willingly sends their password to a hacker. The first line of defense is always the user. If you want to keep your funds safe, you should remain vigilant at all times, making the following practices a habit.
1. Verify incoming messages
Always double-check the source of an incoming message before responding. Be cautious of any unsolicited messages or those that seem suspicious. You can verify Binance-specific messages by using the Binance Verify tool or by sending a screenshot of the message to our support team. For other services, you should message the relevant platform directly via their official website or other trusted channels.
2. Enable two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security from attackers trying to gain access to your accounts, including via SMS spoofing. Always enable 2FA for any account that supports it.
2FA codes, when used correctly, can help safeguard your account. Only enter your 2FA codes on official websites, and make sure to double-check the 2FA message to see what it’s being used for.
3. Don’t share personal information
Avoid sharing sensitive information (e.g., passwords, credit card numbers, social security numbers, and other government-issued identifiers) through text messages, especially with unverified contacts.
4. Avoid suspicious links
Don't click on any links sent to you via text message without first verifying their legitimacy. Links could lead to phishing websites that attempt to steal your login credentials or install malware on your device.
Don’t access sites with “No Lock” symbols or unencrypted URLs (HTTP instead of HTTPS); always check to see the URL before clicking. Make sure to use official websites only. For example, if you’re unsure whether a Binance-related link, email, phone number, WeChat ID, Twitter handle, or Telegram ID is official, you can verify it on Binance Verify.
Here’s a list of suspicious websites we’ve identified that attempt to look like they are affiliated with Binance. Steer clear of all of them. Their domain names also give you an idea of what a “fake Binance” website whose creators are trying to mislead users can look like.
Types of SMS Spoofing
SMS spoof attacks may vary in their targets and mechanics. What they all have in common is that the number or name of the real sender gets replaced, which allows scammers to appear as someone else. Common scenarios of how someone can target you with a spoofed SMS include money transfers and harassment spoofs.
In the former case, scammers will impersonate a legitimate financial services provider like Binance and text victims about, for example, a fake cashback transaction. Such messages typically instruct recipients to scan a QR code or access a link to claim their cashback.
SMS spoofing is also used by stalkers and cyberbullies who want to intimidate their victims by sending threatening or inappropriate messages from unknown numbers or under random names.
Real-Life Examples of SMS Spoofing Attacks
Example 1: Fake 2FA Message
A user, whom we’ll call Jack, receives a message that reads, “[Binance] Users need to upgrade Web 3.0 to avoid disabling accounts. Bianenc.net”
Jack sees that the sender is “Binance” and that the message has come through the same channel from which he typically receives his 2FA codes. Jack assumes this is an official message and logs into the phishing website, thereby giving his account details to the scammer.
Example 2. “Withdrawal Cancellation”
A user, whom we’ll call Brad, receives an SMS message from someone with a “Binance” sender address. The message reminds Brad to “cancel his current withdrawal.” Brad, believing that the message is official, logs into the phishing website.
The hacker manages to use Brad’s username, password, and 2FA to log into the official Binance website and initiate a cash withdrawal.
In this example, the user failed to do two things:
Verify the link on Binance Verify.
Double-check the real 2FA message, which actually read that the 2FA code was being used to initiate a withdrawal, not to cancel one.
Example 3. “Verify” or “Upgrade” Account
Many of our users have reported receiving a spoofed SMS with a link to verify or upgrade their account. As the message explained, failure to perform the required action would result in the account being blocked. In reality, the link in the text message leads to a phishing website designed to steal account details. Note that the domains in these text message are trying to appear as legitimate companies.
If You’ve Been Targeted by a Spoofed SMS
If you suspect someone has sent you a spoofed SMS , contact a relevant law enforcement authority immediately. If the spoofed SMS is Binance-related, please also file a report to the Binance Support team.
If your account has been compromised, freeze your credit to prevent criminals from opening new accounts in your name, in addition to freezing your credit cards and bank accounts. To protect your assets, you should also disable your account by following the steps in this FAQ guide: How to Disable My Binance Account.
Never text your Binance account details, 2FA code, or financial information to anyone, even if those who request it seem legitimate at first glance. Besides SMS spoofing, scammers may also attempt to defraud you via email or other channels.
Double-check any Binance-related domain on Binance Verify. Note, however, that the tool is not foolproof. You should still exercise caution if you feel that something is off.