Scammers Hid a Fake Cell Tower in a Car Trunk to Blast Phishing Texts to Everyone Nearby

When Greek police pulled over a vehicle in Spata, east of Athens, a routine document check revealed something unusual: the suspects presented fake identification. What officers found in the trunk was even more alarming.

Hidden behind the seats was a mobile computing system connected to a roof mounted transmitter disguised as a shark fin antenna. The setup was an SMS blaster, a device that creates a fake cell tower to hijack nearby phones and blast them with scam messages.

The technology isn't new to governments and law enforcement. But criminals are increasingly repurposing it for mass fraud.

How SMS Blasters Work

SMS blasters exploit a fundamental vulnerability in how mobile phones connect to cellular networks. Your phone constantly searches for the strongest signal and automatically connects to whatever tower appears most accessible.

The device found in Greece mimicked legitimate telecom infrastructure. When the suspects drove through populated areas, nearby phones connected to their fake tower instead of real cell sites.

Once connected, the system forced phones to downgrade from secure 4G or 5G connections to the older 2G standard. This matters because 2G lacks the security protections of modern networks. It doesn't authenticate base stations, meaning phones can't tell they're connecting to a fake tower. It also lacks encryption that would prevent message interception.

With phones connected, the attackers harvested subscriber identification data and blasted phishing messages directly to every device in range. These messages bypassed carrier spam filters entirely because they never touched the legitimate network.

The Scam

The phishing messages posed as communications from banks and courier companies. They contained links to fake websites designed to harvest payment card details and banking credentials.

Investigators have linked the operation to at least three documented fraud cases across Maroussi, Spata, and central Athens. The full scope of victims remains under investigation.

The technique is particularly effective because the messages appear legitimate. They arrive through normal SMS channels, show sender IDs that can be spoofed to look like real banks, and reach victims who have no reason to suspect their phone has been hijacked by a passing vehicle.

A Global Problem

Greece isn't the only country dealing with SMS blaster fraud. Similar operations have been discovered across Southeast Asia, where the devices can reportedly send 100,000 scam messages per hour.

The technology underlying these attacks, often called IMSI catchers or Stingrays, was originally developed for government surveillance. Law enforcement agencies use them to identify and track suspects. But as the equipment has become cheaper and more accessible, criminals have adopted it for financial fraud.

"None of our security controls apply to the messages that phones receive from them," explained Anton Reynaldo Bonifacio, Chief Information Security Officer at Globe Telecom in the Philippines. "Once phones are connected to these fake cell sites, they can spoof any sender ID or number to send the scam message."

The attack bypasses every protection carriers have built against spam and phishing because the messages never pass through the legitimate network.

Why 2G Is the Weak Link

The attack depends on forcing phones to use 2G, a technology designed in the 1990s before mobile security was a serious concern. While 4G and 5G networks authenticate base stations and encrypt traffic, 2G does neither.

Most countries have shut down their 2G networks or plan to do so. But your phone likely still supports 2G connections for backward compatibility. When an SMS blaster creates a strong 2G signal and jams or overpowers 4G signals, your phone will fall back to the older protocol.

This vulnerability has been known for years, but fixing it requires either disabling 2G support entirely or implementing network level authentication that many carriers haven't deployed.

How to Protect Yourself

You can reduce your risk by disabling 2G on your phone if your device supports it:

On Android: Go to Settings, then Network & Internet, then SIMs, then your carrier. Look for "Allow 2G" and turn it off. Some manufacturers place this setting in different locations, and not all devices support disabling 2G.

On iPhone: Apple doesn't currently offer a user accessible option to disable 2G on most models.

Beyond device settings, practice standard phishing awareness:

• Never click links in unexpected text messages, even if they appear to come from your bank
• Contact financial institutions directly through their official apps or websites
• Be especially suspicious of urgent messages about account problems or missed deliveries
• Remember that sender IDs can be spoofed to show any name or number

The Broader Threat

The Greek arrests highlight a troubling evolution in mobile fraud. Criminals are adopting surveillance technology that was once exclusive to nation states and using it for mass financial crime.

As long as phones support 2G and carriers don't implement stronger authentication, these attacks will remain possible. The scammers in Greece were caught because of a routine traffic stop and fake documents. Their equipment would have been nearly impossible to detect otherwise.

Somewhere, another vehicle with another fake cell tower is probably driving through another city right now.