In what is considered to be a first of its kind in the UK, City of London Police have made two arrests surrounding an unsanctioned telephone mast that was used to launch mass smishing campaigns.

On June 7, City of London Police made two arrests while investigating a campaign that saw thousands of SMS based phishing (smishing) messages being aimed at the UK public.

Facilitating this was a homemade telephone antenna - an illegitimate telephone mast believed to have been used as an “SMS blaster” - that could be used to send a large volume of messages over a considerable distance.

The use of a homemade antenna allows threat actors to bypass the usual network of telephone masts, allowing threat actors to bypass security controls embedded into that network.

The text messages themselves were phishing messages posing as financial institutions and other official organisations.

One arrest was made on May 9 in Manchester and on May 23, a further arrest was made in London.

Huayong Xu, 32, of Alton Road, Croydon was charged on May 23 with possession of articles for use in fraud and was remanded in custody. He will appear at Inner London Crown Court on June 26. The other arrested person was bailed.

Officers from the Dedicated Card and Payment Crime Unit (DCPCU), worked with mobile network operators, Ofcom and the National Cyber Security Centre (NCSC).

Temporary Detective Chief Inspector David Vint, head of the Dedicated Card and Payment Crime Unit (DCPCU), said:

This type of cyber-enabled crime is possible due to the lack of security controls surrounding the SMS network. For example, every user of the network is assigned a unique 15-digit number that can be used to identify them, this is called the International Mobile Subscriber Identity (IMSI). The IMSI is used to authenticate a user to the network, however the network is not required to authenticate back. This opens the door for homemade antennas to operate without detection.

Similar activity has been seen on several occasions: in 2023, Vietnam released details of fake stations sending mass smishing messages; a woman in Paris was arrested in 2022 after driving an IMSI catcher through the city; and last year a man was arrested in Norway on suspicion of espionage after running an IMSI catcher near the Norwegian Prime Minister’s Office and Ministry of Defence.

How to protect yourself from potential phishing text messages

Most phone providers are part of a scheme that allows customers to report suspicious text messages for free by forwarding it to 7726. If you forward a text to 7726, your provider can investigate the origin of the text and arrange to block or ban the sender, if it’s found to be malicious.

If you’ve lost money or provided financial information as a result of a phishing scam, notify your bank immediately and report it to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. In Scotland, call Police Scotland on 101.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).