


Do not make these dangerous connections.
Republished on June 27 with new advice and defenses for smartphone users.
A timely caution for smartphone users this week, with the police warning that criminals can push malicious SMS texts directly onto their phones, bypassing mobile networks. This is why Google warns all smartphone users to change their network settings.
The threat comes from so-called SMS blasters, which trick phones into making a direct connection with an attacker’s radio device, thinking it’s a real network access point.
The texts themselves are no different to the ones coming via normal networks — but for an attacker there’s no need to have a list of target numbers, they can select a target location instead. This means they can prioritize areas with richer pickings.
Police in the U.K., when one SMS-blasting cyber criminal was jailed this week, warn that criminals will try "to bypass fraud prevention measures designed to protect consumers [to]
Google warns that “this method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters.” The company has now seen this “SMS Blaster fraud” in multiple countries.
Google also says that increasing evidence “of the exploitation of weaknesses in cellular communication standards leveraging cell-site simulators” means users need to act.
The solution is to disable 2G networks on your phone. This is still dependent on manufacturer and model, but you can search for 2G or phone or cellular settings to check if it’s available. 2G is woefully insecure compared to more recent networks, particularly 5G but also 4G (LTE) and even 3G.
This is why Google and Samsung are upgrading devices to prevent Android phones connecting to these less secure networks. 2G is also disabled by default if Android 16’s new Advanced Protection Mode is enabled. The police advice is to disable 2G.
Disable 2G on your phone
Remember, even in locations where 2G has been sunsetted, the phone will still connect to a fake cell access point if it has 2G enabled. This is a device level problem.
As a rarity, this is one security area where Androids beat iPhones. You cannot currently disable 2G on an Apple device unless you use Apple’s Lockdown Mode sledgehammer. But you can filter texts from unknown numbers and treat them all with suspicion. And the advice not to click links is the same however a text was sent to your phone.
And on that note, while SMS blasters might be a risk to users unlucky enough to find themselves in the vicinity of one, the real dangers remain network based. According to Trend Micro’s latest report, the primary threat last month was “cybercriminals using their regular tactics in trying to scam consumers, with scammers impersonating well known brands such as PayPal, Netflix, Mater Lotteries, Toyota and Google.”
The security firm says “the golden rule of any scam, online or otherwise, is that if something sounds too good to be true, it probably is.” And that holds true however a text is sent to your phone, and whatever lure is used to trick you into engaging.
Trend Micro advises users to watch for these danger signs:
For Google’s Pixel users at least, there’s now some good news as the fight against phone scams continues. At least where calls are concerned. But the Android-maker is also using similar technology to flag scam texts, and has highlighted the growing threat.
As first seen by Android Authority, “Google seems to be planning to integrate Scam Detection and Call Screen features into the Pixel device setup process. Currently, these protective features need to be manually enabled by users, so there’s a fair chance many people don’t know these features exist on their phones in the first place.”
This is important because while Google is to be lauded for these new security features, it’s all for nothing if they’re not on by default or easily set up. And this seems to be the fix. “This change could thus increase user adoption of these crucial security features.”
As Google explains, scam detection on Pixel phones “is off by default. The user has to actively opt in to turn on the feature. You can always turn off Scam Detection in Settings or from the in-call menu for a particular call.”
This is one of the new security features leveraging on-device AI processing, ensuring user data is not being shared indiscriminately with cloud processing, which is important given the sensitive nature of data contained in private calls and messages.
“Data processing for Scam Detection is all done on-device,” Google says. “No conversation audio or transcription is stored on the device, sent to Google servers or anywhere else.” Contrast that with the privacy issues in doing the same for Gmail.
Whether calls or texts, the full extent of defenses against such scams should be on by default and should require users to actively disable features if they want to switch them off. Such is the extent of this threat, drastic measures are now required. Arguably, 2G should also be disabled by default, as it is with Android’s Advanced Protection Mode.
As Check Point warns, these new SMS scams are “among the most widespread smishing attacks reported in the U.S. in recent memory. The coordinated impersonation of government agencies via state-branded phishing sites and mass-distributed SMS messages [has] led to a multi-state impact.”