Cybercriminals Now Use Portable Fake Cell Towers to Deliver Scam Messages

by Cedric Solidon from Techreport (#70BBN)

Key takeaways:

  • Criminals are using backpack-sized rogue base stations to impersonate cell towers and blast smishing SMS, up to 100,000 texts/hour within ~1 km by forcing 2G fallback.
  • These messages bypass carrier defenses (SMS firewalls, SS7/SMPP monitoring) because they never traverse the operator's network.
  • First seen in Southeast Asia, the tactic is spreading to Europe, South America, Japan, and New Zealand, with losses poised to surge at scale.
  • Protect yourself: disable 2G (Android) / enable Lockdown Mode (iPhone), avoid unsolicited links, verify with the purported sender, and report to 7726 (SPAM), FTC (US), or Action Fraud (UK).

Scammers have found a new way to infiltrate our devices, causing a never-before-seen headache for law enforcers.

Criminals are now using portable base-station devices, which are so small they can be hidden in backpacks. What do they do? Impersonate cell towers and bombard your SMS inbox with scammy texts.

Known as "smishing," this is an old scam technique with a new delivery method. Traditionally, criminals relied on large lists of numbers and network-based spoofing to send fraudulent messages.

Now, however, criminals can simply drive a vehicle and send these scam texts to anyone within a 1-kilometer radius.

Once the portable cell tower connects to a nearby mobile device, it automatically downgrades the device's connection to 2G (known as 2G fallback), which has weaker security and authorization.

The SMS is sent directly to the device without passing through the network provider's security checks, thereby escaping detection. Worse, all of this happens in less than 10 seconds, so you won't even notice that your network has been downgraded to 2G.

This campaign was first seen in Southeast Asia, with countries like Thailand, Vietnam, Indonesia, and Hong Kong emerging as the major epicenters.

However, law enforcement agencies have also observed this delivery method spreading to Europe and South America over the past year, along with countries like Japan and New Zealand.

Inadequacies of Current Defence Mechanisms

Network carriers employ multiple defense layers to detect and block such spam messages. For example, an SMS firewall scans every text message entering or leaving a network and blocks texts based on the sender's reputation, message content, etc.

Carriers also use volume-rate anomaly detection to flag bulk messages on their network and monitor signalling protocols such as SS7 and SMPP to detect irregular behaviour or routing anomalies.

For instance, Virgin Media blocked 600 spam SMS on its O2 network in 2025 so far (until August). This is already more than the combined volume of the last two years.

However, as Anton Reynold Bonifaco, Chief Information Security Officer at Globe Telecom, points out, none of these security controls work because the messages do not pass through the network in the first place.

They are delivered directly to the recipient's device using a rogue base station, which compounds problems for both providers and law enforcement, making system-level detection almost impossible as of now.

As per data from the FTC, users lost around $470M to text message scams in 2024, which is five times more than the amount lost in 2020. Most of these spam texts were fake delivery package notifications or bogus job opportunity messages.

This was when scammers stuck to old scam methods. Now, with an easier way to deliver millions of messages in a day, one can only imagine the magnitude of these losses in the current year.

The Potential of the Scam

Old methods required technical expertise, such as radio-engineering and system skills, to deliver smishing SMS. However, these portable devices are low-effort.

Scammers can pay a couple of hundred bucks to anyone to drive around with these devices, and within hours, they have all the phones in the neighbourhood buzzing with these texts.

While that already sounds scary, here's something that'll help you grasp the seriousness of this. In Bangkok, a single portable cell tower was found delivering 100,000 texts in just an hour. Now, SMS click-through rates are usually between 8.9% and 14.5%.

Even if we calculate at a conservative rate of just 5%, that's 500 people clicking on the malicious link, potentially losing thousands (again, conservative) of dollars. What's even more terrifying is that this is just 1 hour of driving with just 1 cell tower around a random neighbourhood.

Extrapolate this to a thousand devices in hundreds of cities working 6 hours a day, and you have a major catastrophe at hand.

How Can You Protect Yourself

To protect yourself from these fake cell tower SMS attacks, you can first disable 2G on your Android device. Doing so prevents any 2G fallback and keeps you secure on your current 4G or 5G connection.

For iPhone users, enabling Lockdown Mode automatically disables 2G support.

Now, scammers sending you an SMS is just one side of the coin. You don't become a victim simply because the message lands on your device but only if you act on it without caution.

These messages usually contain malicious links which, when clicked, can eventually take over your device and steal sensitive information like your name, address, phone number, social security number, bank details, passwords, and social media credentials.

The key thing to understand is that all of this only happens when YOU act without thinking. Even if an SMS makes its way to your device (through any method), awareness and vigilance are your best defenses.

Most scam messages carry an undertone of urgency, urging you to act instantly. Take the popular "Hi Mum / Hi Dad" scam for example. Parents receive a text from a scammer pretending to be their child, with a message that reads: "Hi Mom, I have lost my phone. This is my temporary number, please save it."

The conversation usually ends with the scammer asking for money on the pretext that they (pretending to be the child) cannot access their bank accounts since the phone is lost. As per the ACCC, 11,100 victims have collectively lost $7.2M to this modus operandi so far.

A little bit of vigilance or patience could have helped thousands avoid monetary loss in this case. For instance, as a parent, you could have reached out to your child on their personal phone number or waited for them to get home to ask about the message.

Question Every Text Message

Here's another pro tip: read the message carefully. Scam texts often contain grammatical and spelling errors, which can help you tell them apart from genuine texts. Although scammers now use AI to draft accurate messages, you can still look out for red flags such as unusual sentence structure or inconsistent tone.

If the message seems to be from a government source or your bank, avoid clicking the link and instead reach out to their customer support to verify if they actually sent the message.

Another thing you can do is inspect the URL before clicking on it. If you long-press or hover over the link with your mouse, you can see the complete address. Look for inconsistencies such as wrong domain names - for example, paypa1.com instead of paypal.com, or yourbank.net, instead of yourbank.com.
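The URL inspection described above can be automated when triaging reported texts. The following is an added example, not part of the original article: the `TRUSTED` allowlist, the `CONFUSABLE` table and the function names are assumptions made for illustration, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the brands this checker should recognise.
TRUSTED = {"paypal.com", "yourbank.com"}
# Digit-for-letter swaps seen in lookalike names (illustrative, not exhaustive).
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Assumption: multi-label public suffixes
    such as co.uk are not handled; that needs a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (verdict, trusted_domain_or_None) for a link taken from an SMS."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare links are common in SMS bodies
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    name = domain.rpartition(".")[0]
    for good in sorted(TRUSTED):
        if (name == good.rpartition(".")[0]              # yourbank.net: TLD swap
                or domain.translate(CONFUSABLE) == good  # paypa1.com: 1 for l
                or edit_distance(domain, good) == 1      # one-character typo
                or good in parts.netloc.lower()):        # brand in subdomain/userinfo
            return ("lookalike", good)
    return ("unknown", None)
```

A "trusted" verdict only means the hostname matches the allowlist; it says nothing about whether the sender is who the text claims, so verifying with the purported sender still applies.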

If you receive such spam texts, you can forward them to 7726 (SPAM), which sends the text and the metadata to your provider for further inspection. You can also report to the FTC at ReportFraud.ftc.gov.

If you're in the UK, you can also reach out to authorities at actionfraud.police.uk or call 0300 123 2040.

The post Cybercriminals Now Use Portable Fake Cell Towers to Deliver Scam Messages appeared first on Techreport.
