Learning

SMS Spoofing

| 1 min read

My bank sends me legitimate One-Time codes for authorizing transactions. They look exactly the same apart from the transaction information (amount, vendor, etc).

Today, I got a similar message. But, it was in another language. And it wasn’t my card number that was there but the bank account number of the destination. And it said, “if you don’t recognize this transaction, call us at ”.

I was pretty sure it was a scam, but I didn’t know why or how it was coming from the same contact as my legit bank.

Turns out, there’s this whole technique called SMS Spoofing that lets anyone indicate who they are sending the message as. The scammers just need to find the number and name of the legit bank and send messages like they are coming from the legit bank.

I had no idea!!! Turns out SMS is not the best way for authorization stuff like this.

I can’t imagine how many people fall for this, though.