Binance customers may have received an SMS last week encouraging them to participate in a new lottery to win up to 100 EUR in cryptocurrencies.
Although these texts appeared in threads with official announcements from the exchange, they turned out to be scams. The platform is aware of such phishing attempts but admits it is powerless to stop them.
Binance Claims Eliminating Fake SMS Is "Unrealistic"
At the end of last week, Binance customers received SMS messages about winning in the "Binance Mystery Box." The texts informed that up to €100 in tokens were available for claiming and that the offer was expiring on the same day.
There is confirmed evidence that Binance's clients located in Poland received fraudulent SMS messages attempting to steal their account information. Multiple Polish Binance users, in discussions with Finance Magnates, validated that they had personally received these phishing texts.
The screenshot below shows a suspicious SMS that appeared in the same thread as other messages delivered by Binance regarding login codes or account verification processes.
The article continues under the screenshot:
Furthermore, posts on social media document the receipt of fraudulent offers. Some comments even suggested there might have been a potential data leak concerning phone numbers, although the exchange claims no such infringement occurred.
Finance Magnates asked the Polish branch of Binance to comment on this matter. The company said that to eliminate SMS security loopholes, modifying the entire GSM technology system would be necessary, which "seems unrealistic” to the company.
When we asked a local cryptocurrency expert about encountering such scams in Poland, he mentioned that he had never experienced these fraudulent SMS messages locally. However, he noted that this scam is frequently seen in other countries.
The Origin of the Fake SMS Scam
In response to Finance Magnates, Binance explained that the GSM system, which SMS messages operate on, allows the sender to fill in the "sender name" field arbitrarily. Standard SMS applications and tools typically insert the sender's phone number in this field. However, entities like companies often replace the phone number with a textual name, such as "Binance."
"The problem is that operators do not verify whether the sender sending the SMS is legally authorized to use such a name, allowing fraudsters to use the same name. As a result, a scam SMS has the same 'sender name' as legitimate SMS messages from Binance, leading the recipient's phone to attach this SMS to the message history from Binance," Binance Poland commented in Polish, auto-translated to English.
Binance added that Poland recently introduced regulations to reduce the prevalence of this exploit, at least to some extent. This is enabled by registering sender names and assigning them to specific entities by telecommunications operators.
“To eliminate this security loophole in SMS, the entire world would have to modify this technology, which seems unrealistic,” Binance Poland concluded in the statement in Polish, auto-translated to English.
Phishing and Pig Butchering
This strategy is a typical phishing attempt aimed at extracting data from customers of popular cryptocurrency exchanges. Several months ago, Binance users from Hong Kong fell victim to this, losing nearly $500,000. In that case, the scam was even more sophisticated. Individuals posing as representatives of Binance contacted users, calling to perform a supposed account verification.
Binance, along with other exchanges, has recently been alerting about the growing popularity of an investment scam called "pig butchering," which may be indirectly linked to phishing. The name refers to the practice of fattening a pig before slaughter. Victims are gradually lured into contributing more money into fraudulent crypto investments before ultimately being defrauded.
