Anatomy of a scam: protecting yourself against smishing attacks

One of the most insidious aspects of this attack is SMS spoofing, where attackers exploit weaknesses in certain telecom providers to manipulate the sender ID of an SMS message. This allows them to masquerade as trusted entities, such as Bitpanda, and even insert their fraudulent messages into legitimate message threads. In countries where telco providers do not validate sender IDs, attackers have found fertile ground to exploit unsuspecting users this way. Here's an example:

How we’re protecting you

At Bitpanda, we take these threats seriously and have been actively working to protect our users. Here’s how:

• Developing new features: We’re in the process of launching additional security features this September to give you more tools to protect yourself from these attacks.
  
  
• Monitoring and taking action: Our team continuously monitors for phishing domains created daily to lure users into revealing their credentials. We work closely with our partners to take these down as quickly as possible.
  
  
• User alerts and support: We listen to our users and help them check if their personal information has been compromised in known data breaches. We show warning messages during the withdrawal flow to remind them of various forms of scams. Additionally, we send out warning SMS messages to users in areas where telecom providers allow for SMS spoofing.
  
  
• Going the extra mile: If scammers prompt users to call a “Bitpanda hotline,” we take action by calling the number ourselves. Our colleagues spend hours talking to these scammers to learn their techniques, mindset, and weaknesses. These conversations are logged and protocols are sent to law enforcement as part of criminal reports.

The anatomy of a smishing scam

To give you a better understanding, let’s walk through a common smishing scenario that has been targeting our users:

• Initial contact: The scam often starts with an SMS from a supposed Bitpanda representative. The message might even appear in the same thread as legitimate Bitpanda communications due to the lack of capability of the Telco provider(s) in the region (Note: Bitpanda employees will never text you to ask you for a call!).
  
  
• The setup: A scammer, often using aliases like "Nigel" and "Adam," calls you to collect basic information and explain how your device might have been compromised by malware or other urgent situation that puts your funds at Bitpanda in danger. Through a series of “verification” questions, they assess whether you’re “worth their time” by validating your crypto portfolio.
  
  
• The scam: Once you’ve been deemed a worthwhile target, you’re handed over to a “security specialist.” They might instruct you to download a legitimate crypto wallet app like Trust Wallet. You’ll then receive reassuring spoofed SMS messages, one of which contains a 12-word recovery phrase to “set up” the wallet. This of course is meant to make you feel safe that you have a legit app and your “own” wallet to which you will temporarily send the funds - in reality this is the worst practice as recovery phrases should only be set up and known by you to keep your funds secure.
  
  
• The theft: You’re asked to copy a wallet address and send your crypto to this address to “secure your funds temporarily.” In reality, this wallet is controlled by the attacker, who quickly funnels your funds away.

There are, of course, other methods we’ve observed, where scammers convince users to hand over their entire account by obtaining credentials or transferring account ownership to an email they control, along with multi-factor authentication (MFA) codes. In some cases, they may ask you to install remote control software like TeamViewer so they can “help” directly, or simply guide you through the withdrawal process, providing the target wallet address.

Staying safe: the best defence is common sense

At Bitpanda, we will never ask you to call back on any number or request that you move your funds to another wallet for security reasons. If you receive such messages or calls, they are scams and therefore avoid any interaction with such people.

Your best defence against smishing is awareness and common sense. Be sceptical of unsolicited messages, and always double-check any requests related to your account or funds. If something doesn’t feel right, contact our support team directly through the contact form on our official website here . If you believe that someone may have access to your account then you can lock it by using the instructions found here before reaching out to us.

 If you feel unsafe or if you have already suffered damages, please contact your local police and provide them with the information about the online scammers so they can pursue this criminal offence. Bitpanda cooperates with prosecutors and the police in such cases and does everything possible to support them in their search for the suspects.

Final thoughts

While we continue to enhance our security measures and work closely with authorities to combat these threats, your vigilance remains the most powerful tool against smishing. Stay informed, stay alert, and together, we can outsmart the scammers. Remember, if in doubt, reach out to us—we’re here to help.