On November 10th, hackers exploited a legitimate mass texting service to send hundreds of thousands of scam messages — including to New York State’s official alert subscribers. This incident, which leveraged public trust in emergency messaging channels, marks an evolution in SMS phishing (“smishing”) scams and raises pressing concerns for individuals and organizations alike.
What Happened?
Hackers gained unauthorized access to Mobile Commons, a high-volume SMS provider used by government and civic organizations. Using this access, the attackers sent scam texts from real, trusted short-code numbers typically reserved for official alerts. The fraudulent messages claimed there was a suspicious or declined bank transaction and provided a toll-free number, luring recipients into contacting the scammers directly. By exploiting the legitimacy of the sender, the attackers bypassed the skepticism people usually reserve for random smishing attempts, making their phishing campaign significantly more effective and dangerous.
How the Attack Works
This attack combined technical exploitation with clever social engineering. By breaching a legitimate mass messaging provider, hackers circumvented both anti-spam technology and user skepticism — all the usual signals of risk were absent, since the message came from a recognized and trusted source. The scam text’s urgency — warning users about supposed bank problems and instructing them to call a provided number — preyed on fear and confusion, pushing recipients to act without verifying the details. Unlike most smishing campaigns, which use random or spoofed numbers, this attack weaponized official systems, substantially increasing its likelihood of success.
Impact and Threat Analysis
This breach affected hundreds of thousands of people, leading to confusion and, in some cases, successful data theft or financial fraud. The scale highlighted just how vulnerable trusted communication channels can be — and how quickly trust can be eroded if those systems are abused. Had the scammers broadcast different types of false alerts, the campaign could have caused wider panic, financial loss, or even public safety risks. The larger lesson: No alerting system is immune from attack, and malicious actors will always seek to exploit trust for personal gain.
How to Spot the Scam
Key warning signs include unexpected transaction alerts, messages urging urgent action, and requests to call or click links in the message. Even when texts appear to come from trusted alert sources, recipients should always verify these claims through official channels — such as calling their bank with the number on the back of their card, not the one in the text. Genuine organizations rarely request sensitive information or urgent action via SMS, especially unsolicited texts.
Remediation and Defensive Steps
For Individuals:
- Do not reply to suspicious texts, click their links, or call the numbers in them, even if they look official.
- Block the sender and report the scam to your mobile carrier and to consumer protection agencies.
- If you engaged with the message, immediately disconnect your device from the internet, scan for malware, and update passwords for important accounts.
- Stay alert for any signs of financial fraud or unauthorized activity on accounts linked to the information in the scam message.
For Organizations:
- Quickly notify all potentially affected users, offering clear instructions and updates about the scam.
- Conduct a forensic review of the breach, shore up authentication and access controls on mass messaging platforms, and retrain staff in phishing awareness and incident response.
- Establish playbooks and escalation plans for future breaches, emphasizing speed, transparency, and empathy in communications.
Lessons and Future Prevention
This attack shows the need for stronger security across communications supply chains — not just technical protections, but organizational vigilance as well. Enhanced authentication for bulk SMS systems, continuous monitoring for suspicious messaging activity, and greater public education on smishing are all crucial defenses. Companies and government agencies should regularly test and audit alerting platforms, ensuring that trust in critical communications can’t easily be weaponized against the public.
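One way a bulk SMS operator could implement the monitoring described above, shown as an added example (not code from Mobile Commons or any vendor): hold any queued message whose phone numbers or links are not registered to the sending account, or that pairs financial-lure wording with urgency. The account name, allowlist, keyword lists and sample messages are constructed assumptions.

```python
import re

# Constructed allowlist: contact points each sending account has registered.
# Account name, phone number and domain are hypothetical.
ALLOWLIST = {
    "state-alerts": {"phones": {"8005550100"}, "domains": {"alerts.example.gov"}},
}

PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
LURE_RE = re.compile(r"\b(declined|suspicious|transaction|bank|card)\b", re.I)
URGENT_RE = re.compile(r"\b(immediately|urgent|now|call)\b", re.I)

# Constructed sample messages.
LEGIT = ("Winter storm warning until 6 PM. Details: "
         "https://alerts.example.gov/storm or call 800-555-0100")
SCAM = ("ALERT: A suspicious transaction on your card was declined. "
        "Call 1-888-555-0199 immediately.")


def review_outbound(account, body):
    """Return the reasons a queued message should be held for human review."""
    # An unknown account has nothing registered, so every contact point is flagged.
    allowed = ALLOWLIST.get(account, {"phones": set(), "domains": set()})
    reasons = []
    for m in PHONE_RE.finditer(body):
        number = "".join(m.groups())  # normalise to 10 digits, country code dropped
        if number not in allowed["phones"]:
            reasons.append(f"unregistered phone number {number}")
    for m in URL_RE.finditer(body):
        domain = m.group(1).lower()
        if domain not in allowed["domains"]:
            reasons.append(f"unregistered domain {domain}")
    if LURE_RE.search(body) and URGENT_RE.search(body):
        reasons.append("financial lure combined with urgency wording")
    return reasons


if __name__ == "__main__":
    for label, text in (("legit", LEGIT), ("scam", SCAM)):
        print(label, review_outbound("state-alerts", text))
```

A held message should go to a human approver outside the compromised session, since an attacker with platform access could otherwise edit the allowlist and release the message themselves.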