Main conclusions
SMS impersonation is a type of scam that relies on psychological manipulation to trick victims into sending money or sharing sensitive information.
Attackers modify the sender's identity to make the SMS appear as if it is coming from a trusted source.
Have you ever received a fake SMS? Report the incident to law enforcement immediately.
Learn about SMS impersonation and how to protect your cryptocurrencies and personal data from attackers.
Like other sectors, trends in fraud change rapidly. Previously, email scams sent by a Nigerian prince were the most common, but today, SMS impersonation attacks predominate.
Unlike exploits in which a hacker attempts to use code to break into a user's database, SMS impersonation attacks primarily use psychological manipulation. This means that the scammer will try to pose as a trusted source in an attempt to trick victims into sending money or sharing sensitive information, such as wallet details.
In this article we will cover how SMS impersonation attacks work, the different ways attackers can target you, and how you as a user can protect your funds.
How does SMS impersonation work?
The attacker modifies the sender's identity (the name or phone number that appears on the recipient's phone) to make his text message appear as if it is coming from a trusted source. The goal here is to trick the victim into following the instructions in the message.
The fake SMS can arrive in your phone's inbox under a fake name, a fake phone number, or both. For example, a text message from Binance may actually be from a scammer trying to trick you into downloading malware, sharing your account details, or clicking a malicious link.
Unfortunately, the mechanisms that enable SMS spoofing are concentrated under ambiguous legal conditions in many regions of the world. Some countries have banned the practice completely, while others have yet to address SMS sender identity change abuse.
In fact, there are some legitimate use cases for changing the sender name that the recipient displays. For example, a company might run an SMS marketing campaign and use a sub-brand identity instead of the main brand or phone number.
How to identify and avoid SMS impersonation attacks?
No security infrastructure in the industry, no matter how strong, can protect a user who voluntarily sends his password to a hacker, as the first line of defense is always the user. If you want to keep your money safe, you must remain vigilant at all times and make the following practices part of your habit.
1. Check incoming messages
Always check the source of an incoming message before replying. Beware of any spam or suspicious-looking messages. You can verify messages for Binance using the Binance Verify tool or by sending a screenshot of the message to our support team. For other services, you must send a message to the relevant platform directly via its official website or other trusted channels.
2. Enable two-factor authentication
Two-factor authentication (2FA) adds an additional layer of security to protect against attackers who try to access your accounts in various ways, including impersonation via SMS. Always enable two-factor authentication (2FA) for any account that supports this feature.
When used correctly, two-factor authentication (2FA) codes can help protect your account. Only enter 2FA codes on official websites, and be sure to double-check the 2FA message to see what it's for.
3. Do not share personal information
Avoid sharing sensitive information (such as passwords, credit card numbers, Social Security numbers, and other government-issued identifiers) through text messages, especially with unverified contacts.
4. Avoid suspicious links
Don't click on any links sent to you via text message without first checking that these links are legitimate, as they may take you to phishing websites that attempt to steal your login credentials or install malware on your device.
Don't access sites with No Lock icons or unencrypted URLs (HTTP instead of HTTPS), and always check the URL before clicking. Make sure to use official websites only. For example, if you are not sure whether your Binance link, email, phone number, WeChat ID, Twitter account or Telegram ID is official, you can check it on Binance Verify
For general information on how to protect your cryptocurrency funds, you can browse the security sections of our FAQs or Binance Academy.
Below is a list of suspicious websites we have identified that attempt to appear to be affiliated with Binance. Stay away from them all. The domain names of these sites give you an idea of what a fake Binance website whose creators are trying to mislead users could look like.
Types of SMS impersonation attacks
SMS impersonation attacks may vary in their goals and mechanisms, but they all have in common the replacement of the sender's real number or name, allowing fraudsters to impersonate someone else. Money transfers or spam are common scenarios when someone tries to target you with a fake text message.
In the first case, scammers impersonate a legitimate financial services provider like Binance and send victims text messages about a fake cashback transaction, for example. These messages usually ask recipients to scan a QR code or click on a link to claim the cash back.
SMS impersonation is also a method used by stalkers and cyberbullies who want to intimidate their victims by sending threats or inappropriate messages from unknown numbers or random names.
Real-life examples of SMS impersonation attacks
Example 1: Fake 2FA message
The user, we'll call him Jack, receives a message that reads: “[Binance] users should upgrade to Web 3.0 to avoid accounts being disabled. Bianenc.net”
Jack sees that the sender is Binance and that the message arrived through the same channel from which he normally receives his 2FA codes. Jack assumes this is an official message and logs into the phishing site, thus giving his account details to the scammer.
Example 2. “Cancel withdrawal”
A user, we'll call him Brad, receives an SMS from someone with a Binance sender address. The message includes a reminder for Brad to "Cancel current withdrawal." Brad thinks the message is official, so he logs on to the phishing site.
The hacker was able to use Brad's username, password, and two-factor authentication code that was sent to log in to the official Binance website and perform a cash withdrawal transaction.
In this example, the user did two things:
Verify the link on Binance Verify.
Double-check the real 2FA code message which actually states that the 2FA code was used to initiate the withdrawal, not to cancel it.
Example 3. “Verify” or “upgrade” an account
Many of our users have reported receiving a fake SMS with a link to verify or upgrade their account. According to the message, failure to perform the required action will result in the account being blocked. But the link in the text message takes the user to a phishing website designed to steal account details. Note that these text messages are trying to appear as if they are from legitimate parties.
If you have been targeted by SMS impersonation attacks
If you suspect that someone has sent you a fake SMS, contact the relevant law enforcement authority immediately. If the SMS scam is related to Binance, please also report it to the Binance Support Team.
If your account has been hacked, freeze your credit to prevent criminals from opening new accounts in your name, and also freeze your credit cards and bank accounts. In order to protect your assets, you should also deactivate your account by following the steps in this FAQ guide: How to deactivate my Binance account.
Never send your Binance account details, two-factor authentication code, or financial information to anyone via text, even if the entity requesting this data appears legitimate at first glance. In addition to SMS impersonation, scammers may also try to scam you via email or other channels.
Double-check any Binance-related domain on Binance Verify. However, be aware that the tool is not completely foolproof, and you should be careful if you feel that something is suspicious.
Related articles
Learn about scams
Stay safe: What are account hijacking attacks?
A guide to fake apps: how to spot and avoid them
