Smishing’s evolution: from consumer scam to enterprise threat – how industry is fighting back

Law enforcement organizations across Europe, Asia and South America are warning of a surge in criminals using so-called ‘SMS Blasters’ - portable devices that can send thousands of fake SMS, bypassing network protections entirely.

It’s a growing threat that led to one victim losing £2,000 in a matter of minutes.

Samantha Kight

Head of Industry Security at GSMA.

Once-expensive “phone-mast” technology can now be bought over the dark web for the price of a laptop and fits undetected into a criminal’s backpack.

This isn’t just a problem for the public. SMS Blasters are increasingly being used for targeted smishing attacks on employees and enterprise networks, as they allow criminals to get physically close to a business, bypass network security and trick employees into giving out passwords and security credentials.

The hidden risk in everyday business SMS

Smishing (or SMS-based phishing) has existed, initially in small volumes, since the early days of the first GSM mobile networks. Back then, fraudsters would focus on directing victims to call premium-rate numbers or tricking them into handing over personal data.

But, nowadays, the tech stack costs criminals only a few hundred pounds yet can deliver phenomenal returns. The Global Anti Scam Alliance reports that scammers have stolen $442 billion over the past year, with SMS the second most common extortion method for criminals, ahead of emails.

The integration of SMS into verification processes, such as one-time passwords and two-factor authentication, and its use as a common communication channel for delivering information such as credentials, payment links, and service updates, are accentuating this threat.

This not only creates reputational threats for businesses whose customers are exploited, but also enterprise security threats, when employees are targeted.

SMS’s limited security features mean companies need to be mindful of how and where they deploy it in their communications and authentication processes. Otherwise, they run the risk of eroding consumer trust in digital services.

Recent GSMA research in Asia Pacific shows over two-thirds (67%) of people are deeply worried about smishing, and with good reason. As criminals exploit the gap between SMS’s original purpose and its modern-day use, the line between consumer and enterprise risk has disappeared.

The SMS blaster: new tool, new scale

The spread of SMS Blasters marks a new phase of fraud sophistication. These portable fake phone masts allow attackers to broadcast thousands of SMS in seconds, often impersonating delivery firms, banks, or even suppliers or internal IT teams.

Because SMS are transmitted locally, they can completely bypass legitimate network protections.

But SMS Blasters are only one technique used to exploit these weaknesses in SMS security. Most smishing attacks still exploit legitimate and conventional telecom routes: spoofed SMS messages thrown across networks from arbitrary spam sources or via international interconnections.

The result is a hybrid threat environment that blends localized spam with cross-border campaigns, making response coordination more complex.

How to block the fraud – not the business

Protecting against smishing requires a balance between usability and control. For example, some operators in Asia Pacific are now blocking all clickable links in SMS.

But while this can eliminate many scams, it can also disrupt legitimate business communication. Filtering technologies can help, but they remain limited by the fragmented nature of global messaging networks.

In the UK, momentum is building for more consistent protections. Ofcom recently proposed new rules that would require mobile networks to block scam SMS more proactively, addressing current gaps in protection for both consumers and businesses.

The proposals include measures like blocking fake sender names, setting volume limits on pay-as-you-go SIMs, and conducting due diligence on business message senders. However, these protections will have a more limited impact on messages that originate from SMS blasters.
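
The trade-off described above can be made concrete with a small sketch, added here as an illustration and not taken from Ofcom, the GSMA or any operator's filter: it runs constructed messages through a blanket link block and through the sender-name and volume-limit measures. The sender registry, SIM identifiers, limit value and verdict strings are all assumptions.

```python
import re
from collections import Counter

# Constructed traffic: (originating SIM, claimed sender, text). All values are made up.
MESSAGES = [
    ("sim-001", "ParcelCo", "Your parcel is out for delivery: https://parcelco.example/t/81"),
    ("sim-002", "ParcelCo", "Delivery fee unpaid, pay now: http://parcelco-fees.example/pay"),
    ("sim-003", "+447700900001", "Running late, see you at 6"),
    ("sim-004", "MyBank", "Your one-time code is 493021"),
] + [("sim-payg-9", "+447700900002", f"You won a prize, reply YES ({i})") for i in range(6)]

# Assumption: due diligence on business senders yields a registry mapping each
# approved sender name to the SIMs/routes allowed to use it.
SENDER_REGISTRY = {"ParcelCo": {"sim-001"}, "MyBank": {"sim-004"}}
PAYG_SIMS = {"sim-payg-9"}
PAYG_LIMIT = 3  # assumed cap per counting window for pay-as-you-go SIMs

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def blanket_link_block(messages):
    """Policy 1: drop every SMS that contains a clickable link."""
    return ["block:link" if URL_RE.search(text) else "deliver" for _, _, text in messages]


def layered_policy(messages):
    """Policy 2: reject unregistered sender names, then cap PAYG volume."""
    sent = Counter()
    verdicts = []
    for sim, sender, _text in messages:
        sent[sim] += 1
        uses_name = not sender.lstrip("+").isdigit()  # alphanumeric sender ID
        if uses_name and sim not in SENDER_REGISTRY.get(sender, set()):
            verdicts.append("block:fake-sender-name")
        elif sim in PAYG_SIMS and sent[sim] > PAYG_LIMIT:
            verdicts.append("block:volume-limit")
        else:
            verdicts.append("deliver")
    return verdicts


# Both policies run inside the operator's network, so a message broadcast
# locally by an SMS blaster never reaches either function.
if __name__ == "__main__":
    for msg, p1, p2 in zip(MESSAGES, blanket_link_block(MESSAGES), layered_policy(MESSAGES)):
        print(f"{msg[1]:>14} | {p1:<10} | {p2}")
```

On this sample the blanket link block stops the legitimate ParcelCo notification along with the spoofed one, while the layered policy delivers it and blocks the spoof and the excess pay-as-you-go traffic.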

Progress is also coming from network evolution, such as Rich Communication Services (RCS) introducing encryption and stronger authentication, reducing the risk of spoofed SMS.

The ongoing retirement of 2G and 3G networks also simplifies defenses and limits opportunities for radio-side attacks. In the meantime, we must work closely as an industry with governments and law enforcement to stamp out SMS Blasters.

The GSMA’s Open Gateway initiative is another important advance. Through federated, standards-based APIs, operators and technology firms can offer enterprises identity and verification capabilities that replace older SMS-based processes.

APIs such as SIM Swap and Number Verification allow enterprises to verify changes in mobile identity in real time, reducing opportunities for fraud following device or number transfers. Identity-based APIs can also help banks and service providers authenticate users without exposing them to phishing-prone SMS.

The importance of intelligence sharing

Technology alone cannot match the pace of social engineering.

Another key countermeasure is the use of information-sharing mechanisms, such as the GSMA’s Telecommunications Information Sharing and Analysis Centre (T-ISAC), which enables operators to exchange threat data in near real time and share industry intelligence with law enforcement.

For example, when one operator detects a new smishing campaign or malicious domain, other operators can block it before it spreads.

This collaborative model has proven vital as attackers reuse scripts, domains, and infrastructure across regions. Every data point shared through T-ISAC shortens the window of vulnerability for the entire ecosystem. Cross-industry collaboration is equally critical.

Banks, retailers, and telecom providers are increasingly pooling intelligence through regional initiatives such as the Asia-Pacific Cross-Sector Anti-Scam Taskforce (ACAST). Joint action across sectors is what exposes large-scale patterns early, helping authorities disrupt operations before they reach consumers or enterprises.

Cyber hygiene still matters: training is first line of defense

Even the most advanced filtering and APIs will fail if employees remain unaware of the threat.

Awareness training and cyber hygiene need to evolve alongside technology, with staff recognizing that legitimate organizations rarely (if ever) send urgent SMS requests for credentials, and that all links in SMS should be treated as suspicious unless the receiver can fully verify the validity of such requests through official channels.

Enterprises must also review where and why SMS is used. If SMS-based authentication or communication remains essential, additional safeguards should be standard, such as device management tools, secondary verification layers, and continuous monitoring.

Smishing has exposed a weak point in enterprise defenses that cannot be solved by technology alone. It demands a coordinated response between operators, enterprises, and consumers, through initiatives like Open Gateway and T-ISAC.

Smishing may have started as a consumer nuisance, but it is now very much a threat to businesses. By understanding both the threat and the tools available to combat it, enterprises can better protect themselves against this silent but significant risk.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
