The main point
SMS spoofing is a type of fraud that relies on social engineering to trick victims into sending money or sharing sensitive information.
Attackers change the sender's identity to make SMS messages appear as if they come from a trusted source.
Have you received spoofing SMS? Immediately report the incident to law enforcement.
Learn about SMS spoofing and how to protect your crypto and personal data from attackers.
Trends in the fraud industry change just as quickly as in any other industry. Previously, the Nigerian prince email scam was very popular. Currently, the most common fraud is SMS spoofing attacks.
In contrast to exploits, which are attempts by hackers who try to use code to break into user databases, SMS spoofing attacks primarily use social engineering. This means that fraudsters will try to impersonate a trusted source to trick unsuspecting victims into sending money or sharing sensitive information, such as wallet details.
In this article, we will discuss the mechanics of SMS spoofing attacks, the various ways attackers can target you, and how you as a user can protect your funds.
How Does SMS Spoofing Work?
Attackers modify the sender's identity (the name or phone number that appears on the recipient's phone) to make the text message appear as if it came from a trusted source. The goal is to trick the victim into following the instructions in the message.
Spoofing SMS can be sent to your phone's inbox with a fake name or phone number, or both. For example, text appearing from "Binance" may be from a scammer trying to trick you into downloading malware, sharing account details, or clicking on a malicious link.
Unfortunately, the mechanisms that enable SMS spoofing are in a legal gray area in many regions of the world. Some countries have outright banned the practice, while others have yet to address the misuse of changing the identity of SMS senders.
In fact, there are several legitimate use cases for changing the sender's name as it appears on the recipient's end. For example, a company might run an SMS marketing campaign and use a sub-brand identity instead of the main brand or phone number.
How to Recognize and Avoid SMS Spoofing?
Even industry-leading security infrastructure can do little to protect users who voluntarily submit their passwords to hackers. The first line of defense is always the user. If you want to store your funds safely, you must remain vigilant at all times and make the following practices a habit.
1. Verify incoming messages
Always double-check the source of incoming messages before responding. Be wary of unexpected messages or messages that appear suspicious. You can verify Binance custom messages by using the Binance Verify tool or by sending a screenshot of the message to our support team. For other services, you must message the respective platform directly via its official website or other trusted channels.
2. Enable two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security from attackers trying to gain access to your account, including through SMS spoofing. Always enable 2FA for every account that supports it.
If used correctly, 2FA codes can help protect your account. Only enter your 2FA code on the official website. Make sure you double-check your 2FA messages to see what they're used for.
3. Don't share personal information
Avoid sharing sensitive information (for example, passwords, credit card numbers, social security numbers, and other government-issued identifiers) via text messages, especially with unverified contacts.
4. Avoid suspicious links
Don't click on any links sent to you via text message without verifying their legitimacy first. The link may lead to a phishing website that tries to steal your login credentials or install malware on your device.
Don't access sites with the "No Key" symbol or unencrypted URLs (HTTP, not HTTPS). Always check the URL before clicking. Make sure you only use official websites. For example, if you are not sure whether a link, email, mobile number, WeChat ID, Twitter account, or Telegram ID associated with Binance comes from an official source, you can verify it at Binance Verify.
For general information about how to protect your crypto funds, you can explore the security section of our FAQ or Binance Academy.
Below is a list of suspicious websites we have identified that try to look like they are affiliated with Binance. Avoid all these websites. The domain name also gives an idea of what a “fake Binance” website that tries to mislead users looks like.
Types of SMS Spoofing
The targets and mechanisms of SMS spoofing attacks can vary. The equivalent is that the actual sender's number or name is replaced, so that the fraudsters can appear as someone else. Common scenarios for how someone could target you with SMS spoofing include money transfers and harassment spoofs.
In the first case, fraudsters will impersonate a legitimate financial service provider, such as Binance, and then send short messages to the victim, for example about fake cashback transactions. Such messages usually ask recipients to scan a QR code or access a link to claim cashback.
SMS spoofing is also used by stalkers and cyberbullies who want to intimidate their victims by sending threatening or inappropriate messages from unknown or randomly named numbers.
Real Examples of SMS Spoofing Attacks
Example 1: Fake 2FA Message
One user, let's call him Jack, received a message that read, "[Binance] User needs to upgrade Web 3.0 to prevent his account from being disabled. Bianenc.net"
Jack saw that the sender was “Binance” and that the message came from the same channel he usually received his 2FA code from. Jack assumes this is a legitimate message, so he logs into the phishing website, and gives his account details to the scammer.
Example 2. "Withdrawal Cancellation"
A user, let's call him Brad, received an SMS message from someone with the return address "Binance". The message reminded Brad to “cancel his withdrawal at this time.” Believing the message to be official, Brad logged into the phishing website.
The hacker managed to use Brad's username, password and 2FA to log into the official Binance website, then make a cash withdrawal.
In this example, the user failed to do two things:
Verify the link on Binance Verify.
Double-check the actual 2FA message which actually contains information that the 2FA code is used to make a withdrawal, not to cancel it.
Example 3. “Verify” or “Upgrade” Account
Many of our users have reported receiving spoofing SMS containing links to verify or upgrade their accounts. As explained in the message, the account will be blocked if it fails to take the required actions. In reality, the link in the text message led to a phishing website designed to steal account details. Note that the domains in these text messages try to appear to be legitimate companies.
If You Are a Target of SMS Spoofing
If you suspect someone has sent SMS spoofing to you, contact the relevant law enforcement authorities immediately. If the SMS spoofing is related to Binance, please also submit a report to the Binance Support team.
If your account has been compromised, freeze your credit cards and bank accounts, and freeze your credit to prevent criminals from opening new accounts in your name. To protect your assets, you should also deactivate your account by following the steps in this FAQ guide: How to Deactivate My Binance Account.
Never send your Binance account details, 2FA code or financial information to anyone, even if the person requesting it appears legitimate at first glance. In addition to SMS spoofing, fraudsters may also try to trick you via email or other channels.
Double-check the domain associated with Binance in Binance Verify. However, please note that this tool does not guarantee that you will be free from fraud. You still have to be careful if you feel something is not right.
