SMS Blaster Scam: how a fake cell tower in a car blasts smishing texts straight to your phone
A new wave of smishing skips the carrier entirely. A device the size of a backpack, riding in a car trunk, becomes a fake cell tower and forces every phone nearby to receive its scam texts.
What is an SMS blaster?
An SMS blaster is a piece of hardware that pretends to be a real mobile phone tower. Engineers call the real thing a base transceiver station, or BTS. The blaster imitates one. Some units are small enough to fit in a backpack, and the ones police keep finding are bolted into the boot of an ordinary car so the operator can drive through a city sending texts as they go.
It exploits a basic rule built into every phone: your handset always connects to whichever tower has the strongest signal. Park a powerful fake tower in the middle of a crowd or in stop-and-go traffic, and the phones around it drop their real carrier and latch onto the rogue device instead. The blaster usually then downgrades the connection to old, weakly-secured 2G, because 2G does not authenticate the tower back to the phone. At that point the device can push a text message straight into every captured handset.
This is the same family of hardware that surveillance researchers call an IMSI catcher or a "Stingray." Used by a criminal, its job is narrower and uglier: blast as many phishing texts as possible to everyone in range before driving on.
It just happened: Vienna, May 2026
On 14 May 2026, Austrian police arrested a 32-year-old man in Vienna who had been driving a car with an SMS blaster in the trunk. He had positioned himself near where crowds were gathering for the Eurovision Song Contest. According to Austrian authorities and reporting by Cybernews and Commsrisk, the device can push around 100,000 fraudulent texts per hour, and police estimated that several million messages had likely already gone out. The texts impersonated popular delivery services and mobile phone providers. A search of his home turned up a second SMS blaster, two laptops, ten phones, tablets, batteries and voltage converters - a full mobile smishing rig.
This is not a one-off. In France, 14 defendants face a Paris criminal trial over an IMSI-catcher smishing operation that authorities estimate caused around 20 million euros (roughly 23 million US dollars) in losses, with thousands of victims still unidentified. The case began when police in Paris found one of the devices and, not recognising it, called in a bomb squad to neutralise what they thought was an explosive. It turned out to be a fake base station that had been driven slowly around the suburbs sending texts impersonating Ameli, France's public health-insurance service. The driver said she was paid 100 euros a day to keep the device moving.
Police forces in the UK, Canada, and several other countries have made similar arrests in the past year. The pattern is consistent: a vehicle, a hidden device, and a flood of scam texts to everyone nearby.
Why the carrier's spam filter never sees it
Normal smishing still travels over the mobile network. The scammer buys a SIM or uses an online SMS gateway, the message passes through carrier infrastructure, and the carrier gets at least a chance to score the sender, throttle a suspicious number, or block a known-bad pattern. That is also why forwarding junk texts to 7726 can help: the report feeds network-level signals that carriers use to catch future campaigns from the same source.
An SMS blaster removes the carrier from the equation completely. The fake tower talks straight to your phone. The message is delivered locally, device to device, and your real operator is never involved and never even aware it happened. So:
- Carrier spam filtering does not apply. There is no network hop to inspect. The filter is downstream of an attack that never goes downstream.
- Reporting to 7726 does not stop it. 7726 routes your report to your carrier. The blaster text was never on your carrier's network, so there is nothing on their side to match it against. (It is still worth reporting the destination link to other channels - more on that below.)
- Blocking the sender number does nothing. The number was spoofed and can change with the next message.
Why the text can appear inside your bank's real thread
This is the part that catches careful people. Once your phone is connected to the fake tower, the blaster can set the sender ID to anything it likes. It can put a real bank name, a courier name, or a telecom brand in the "from" field. Your phone has no way to verify that field over a downgraded 2G link, so it displays whatever the device claims.
On most phones, messages are grouped by sender name. So if the blaster spoofs the exact alphanumeric sender ID your bank already uses, the scam text can drop into the same conversation thread as your bank's genuine past messages - the one-time codes, the balance alerts, all of it. The fake sits directly under the real. That visual continuity is the whole trick. People who would never trust a random number trust a thread they have used for years.
So the usual advice - "check the sender number" - fails here. The sender is forged, and it can be forged to match a known-good identity exactly.
The one thing an SMS blaster cannot fake
Strip away everything the blaster controls - the network path, the spam filter, the sender ID, the message thread - and one element is still completely outside its reach: the web address you are sent to.
Every smishing text exists to make you tap a link and land on a fake page that harvests your login, card, or one-time code. The attacker can spoof the sender to say "YourBank," but they cannot make their phishing page live at your bank's real domain. They do not control your bank's domain. So the link points somewhere else, and that somewhere is the tell. It is almost always one of these shapes:
- Brand keyword on the wrong TLD - yourbank-secure[.]top, parcel-redelivery[.]xyz, telco-rewards[.]live. The brand word is there, but the registered domain is not the brand's own.
- Brand keyword on a free-hosting subdomain - yourbank-login[.]pages[.]dev, delivery-confirm[.]vercel[.]app. Free platforms spin up a working HTTPS site in minutes.
- A shortener hiding the real destination - bit[.]ly/secure-verify, t[.]ly/parcel-fee. The SMS preview does not unwrap it, so you cannot see where it actually goes until you have already tapped.
- A lookalike of the real domain - a swapped letter, a doubled letter, or a Unicode character that renders like a Latin one, so the address looks right at a glance but resolves somewhere else.
(Those red links above are illustrative examples. They are deliberately broken and not clickable.)
This is why the link is the single point where the whole attack can still be caught - even when the message slipped past every carrier defence and even when it is sitting inside your bank's real thread. The text can lie about who sent it. The destination cannot lie about where it lives.
Got a suspicious text? Check the link first
Do not tap a link from any SMS. Long-press to copy it instead, then paste it here. Our 3-layer engine (Local + APIs + AI) returns a verdict in a few seconds. Free, no signup.
What the texts usually say
The wording mirrors ordinary smishing, because the goal is identical - get you to a fake page. The Vienna device impersonated delivery firms and telecom providers. The Paris case impersonated a national health service. In practice the templates rotate through a handful of high-trust pretexts:
- Delivery problem. "Your parcel could not be delivered. Confirm your address and pay a small redelivery fee." The fee is bait; the target is your card. The same pattern drives the fake USPS delivery text, the FedEx delivery scam text, and the DHL tracking text scam.
- Telecom / account alert. "Your mobile account is suspended" or "claim your loyalty reward." The page asks you to log in, and your credentials go straight to the attacker.
- Bank fraud alert. "Suspicious login detected. Verify now." Spoofed into your bank's real thread, this is the most convincing version.
- Government / fee notice. An unpaid toll, a fine, or a benefit that needs "confirming" - the same engine behind the toll and traffic-fine text scam.
How to stay safe from fake cell tower smishing
You cannot stop a blaster from delivering a text to your phone. What you control is what happens after the text arrives. The defence is simple and it does not depend on spotting a forged sender:
- Never tap a link in any text message. Not from a courier, not from your bank, not from your phone company. This single rule defeats the entire attack regardless of how convincing the message looks.
- Verify inside the official app or by typing the address yourself. If your bank "texts" about a problem, open the bank's own app or type the bank's known web address into your browser. If a parcel "needs" a fee, check the courier's official app or tracking page directly. Real organisations never need you to use a link from an SMS.
- Assume the sender field is fake. Even if the message lands in a thread you trust, the sender can be forged. Trust the channel you opened yourself, never the one that opened to you.
- If a link is unavoidable, copy it and scan it - do not tap it. Long-press the link to copy it, then paste it into a checker like the SafeBrowz URL checker before you ever open it.
- Turn off 2G on your phone if your device supports it. Most blasters rely on downgrading you to 2G. Android offers a "2G off" or "Allow 2G" toggle under network/SIM security settings, and recent iPhones have Lockdown Mode, which restricts 2G. Removing 2G removes the easiest path the blaster uses.
- Keep your phone software updated. Some recent OS versions warn when a connection is downgraded or unencrypted. Updates are how you get those protections.
On reporting: forwarding the text to 7726 will not catch a blaster (the message never hit your carrier), but it costs nothing and still helps against ordinary smishing. More useful here is reporting the destination link to anti-phishing services and to the impersonated brand, and - if you saw a vehicle parked oddly in a crowd pushing the texts - reporting it to local police, since these arrests often start with a public tip.
What to do if you already tapped or entered information
If you only opened the page but typed nothing, you are most likely fine. Close the tab and clear cookies for that site. If you entered details, act on what you gave up. The full step-by-step is in our guide on what to do after you have been scammed, but the priorities are:
- Card details: call your card issuer using the number printed on the back of the card (not a number from any text or search result) and have the card frozen and reissued. Dispute any charge you do not recognise.
- Bank login or one-time code: contact your bank through its official app or printed number immediately, change the password, and turn on app-based two-factor authentication. A code you entered on a fake page may already be in use - speed matters.
- Personal identity data (name, address, ID): watch for follow-up phishing built from what you gave, and place a fraud alert or credit freeze with your country's credit bureaus.
How SafeBrowz blocks this threat
SafeBrowz cannot stop a fake cell tower from delivering a text - no app can, because that happens below the operating system, on the radio. What SafeBrowz protects is the exact step where the attack is still catchable: the moment you open the destination link. The text can defeat carrier filtering and spoof its sender, but the phishing page still has to live at a web address the attacker controls, and that is what we scan.
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns and 550+ brand-specific signatures (including Punycode and Cyrillic homograph variants) plus a community whitelist/blacklist, all running inside the extension before the page renders. It instantly flags brand-keyword-on-wrong-TLD, free-hosting subdomains, and lookalike domains - the exact shapes a blaster's link takes.
- Layer 2 - API checks: cross-references Google Safe Browsing, PhishTank, URLhaus, and domain-age and scam-TLD data, and unwraps URL shorteners so the verdict runs against the real destination, not the shortener.
- Layer 3 - AI deep scan (Premium): content-aware analysis in 100+ languages that recognises a fake bank, courier, or telecom landing page even when the domain is brand-new and not yet on any blacklist.
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge (with a Safari version pending). The core protection is free; Premium adds wallet-drainer JavaScript detection and unlimited daily AI scans for $14.99 per year, and one key covers 3 devices. For one-off checks with no install, the same engine runs at the free public URL checker.
Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Install SafeBrowz free
The text can fake almost everything. It cannot fake the link. SafeBrowz checks every link the moment it opens, on every page, before it renders - so a blaster's fake page is caught even when the message slipped through. Free forever.
Add to Chrome
Add to Firefox
Add to Edge
Get it on Google Play
Frequently asked questions
What is an SMS blaster?
An SMS blaster is a portable device that impersonates a mobile phone tower (a fake base station, also called an IMSI catcher). It broadcasts a strong signal so nearby phones automatically connect to it instead of their real carrier, then sends smishing texts directly to those phones - up to about 100,000 per hour. Because the messages never travel over the real mobile network, carrier spam filters never see them.
Why did a scam text come on my bank's real message thread?
Once your phone is connected to a fake cell tower, the device can set the sender ID to any name it wants, including the exact alphanumeric sender ID your bank uses. Phones group messages by sender name, so the spoofed text drops into the same conversation as your bank's genuine alerts. The continuity is the trick. Checking the sender does not help here because the sender is forged. Only verify by opening your bank's official app or typing its real web address yourself.
Does reporting to 7726 stop SMS blaster texts?
No. Forwarding to 7726 sends the report to your mobile carrier, which feeds network-level filtering. But an SMS blaster delivers the message directly to your phone without ever touching the carrier's network, so there is nothing on the carrier side to match. Reporting to 7726 still helps against ordinary smishing, but it will not stop a blaster. The reliable defence is to never tap the link and to scan it instead.
How do I stay safe from fake cell tower smishing?
Never tap a link inside any text message. Verify by opening the official app or typing the real web address yourself - real banks, couriers, and telecoms never need you to use an SMS link. Assume the sender name can be faked, even in a trusted thread. If you must check a link, long-press to copy it and scan it (for example with the SafeBrowz URL checker) rather than tapping. Where supported, turn off 2G on your phone, since most blasters rely on downgrading you to 2G.