Fake Cell Towers Are Sending You Scam Texts From Your Bank

You get a text from "Chase" or "Bank of America" warning that your account has been compromised. The sender name looks exactly right. It even appears in the same thread as your real bank messages. But it's a scam -- sent from a portable fake cell tower parked in a van down the street.

How Fake Base Stations Work

What Is an IMSI Catcher?

An IMSI catcher (also called a Stingray, fake base station, or rogue cell tower) is a portable device that mimics a legitimate cell tower. It forces nearby phones -- within a few hundred meters -- to connect to it instead of the real network.

The SMS Spoofing Process

1. Deploy the device -- Scammers set up the IMSI catcher in crowded areas: shopping malls, transit stations, downtown streets
2. Force phone connections -- Your phone automatically connects to the strongest signal, which is now the fake tower
3. Broadcast spoofed SMS -- The device sends texts with any sender name it wants: "Chase", "Wells Fargo", "USPS", "IRS"
4. Harvest credentials -- Messages contain links to convincing phishing sites that steal your login details

The terrifying part: these messages appear in the same conversation thread as your legitimate bank notifications.

Why This Is Different From Regular Spam

Feature	Regular Spam SMS	IMSI Catcher SMS
Sender	Random number	Exact bank name
Thread	Separate conversation	Mixed with real messages
Carrier filter	Often caught	Bypasses all filters
Detection	Easy to spot	Nearly impossible

Why Your Phone Can't Tell the Difference

Your phone is designed to connect to the strongest cell signal available. This is normal cellular behavior. Scammers exploit this fundamental weakness:

• 2G networks don't authenticate towers -- Your phone doesn't verify if a cell tower is legitimate
• SMS has no sender verification -- The protocol has no built-in way to confirm who actually sent a message
• Messages merge into existing threads -- Your phone groups messages by sender name, so fakes land alongside real ones

Even modern smartphones with 4G/5G fall back to 2G when the fake tower forces a downgrade.

Real Examples and Incidents

United States

The FCC has documented cases of IMSI catchers operating near financial districts in major cities. In 2024-2025, smishing losses in the US exceeded $1.3 billion, with fake bank texts being the leading vector.

United Kingdom

Action Fraud reported a surge in "brandname spoofing" attacks where victims received texts appearing to be from Barclays, HSBC, and Lloyds -- all generated by portable fake base stations operating from vehicles.

Southeast Asia

Vietnam, Thailand, and the Philippines have seen widespread deployment of IMSI catchers, particularly targeting bank customers. Vietnamese authorities seized multiple devices capable of sending 100,000+ spoofed messages per day.

Common Patterns

• Messages create urgency: "account suspended", "unauthorized transaction", "verify immediately"
• Links lead to pixel-perfect copies of bank websites
• Attacks often happen in high-traffic areas during business hours

How to Protect Yourself

1. Never Click Links in SMS Messages

This is the golden rule. Legitimate banks do not send links via SMS that require you to log in. If you need to check your account, open your banking app directly.

2. Use Official Banking Apps

• Download your bank's app from the official App Store or Google Play
• Log in directly through the app, never through a browser link from a text
• Enable push notifications from the app for real transaction alerts

3. Enable Two-Factor Authentication (2FA)

• Set up app-based authentication (not SMS-based, which is also vulnerable)
• Use biometric login (fingerprint, Face ID) for banking apps
• Never share OTP codes with anyone, even if they claim to be your bank

4. Recognize Urgency Tactics

Scam Message Says	What Your Bank Actually Does
"Account locked immediately"	Calls you directly or sends a letter
"Click to verify now"	Asks you to visit a branch
"24 hours to respond"	Never pressures with deadlines

5. Share Sensitive Info Safely

When you need to share account numbers, passwords, or sensitive documents via iMessage or Messenger, use LOCK.PUB to create a password-protected link. Only the person with the password can access the content -- preventing exposure if your messages are intercepted.

What to Do If You Received a Suspicious Text

Immediate Steps

1. Do not tap any links in the message
2. Screenshot the message as evidence
3. Call your bank directly using the number on the back of your card (not any number in the text)
4. Check your accounts through the official app
5. Report the message to your carrier (forward to 7726 / "SPAM" in the US)

Report to Authorities

• US: Report to the FTC at reportfraud.ftc.gov and forward texts to 7726
• UK: Forward to 7726 and report to Action Fraud
• Canada: Report to the Canadian Anti-Fraud Centre at 1-888-495-8501
• Australia: Report to Scamwatch at scamwatch.gov.au

Safe Link Sharing in the Age of SMS Scams

With SMS spoofing becoming increasingly sophisticated, sharing sensitive information through regular text messages carries real risk. Attackers who can intercept your SMS can also read your messages.

LOCK.PUB lets you create password-protected links for sharing sensitive content. Whether it's account numbers, documents, or credentials -- everything is protected and only accessible to someone who knows the password.

Conclusion

Fake cell towers and brandname SMS spoofing are a growing global threat. Remember: never click links in text messages, use official banking apps, and enable 2FA. When you need to share sensitive information, use LOCK.PUB to keep it protected.

Share this article with friends and family so they can stay safe too.