New phishing tool Xeon Sender is causing ripples in the cyber security world. This versatile piece of software is being weaponised by cyber criminals to launch large scale SMS phishing campaigns, also known as “smishing”.

Xeon Sender’s potency lies in its ability to exploit legitimate cloud-based SMS providers. By using stolen API credentials from providers such as Amazon and Twilio, attackers can send out huge volumes of spam and phishing messages with ease.

The tool is extremely user-friendly, adding to the concerns. Initially developed as a Python-based program, Xeon Sender has evolved into a web-based version with a graphical interface, making it accessible to all, including less tech-savvy actors.

Xeon Sender is not the first bulk SMS services, which were initially designed for legitimate marketing purposes but have been abused to send unsolicited and malicious messages to unsuspecting victims.

Also increasing in popularity are SIM-swapping attacks in which a victim’s phone number is transferred to a new SIM card, after which attackers can intercept SMS-based messages including multi-factor authentication and password reset messages.

The implications are significant. Not only does Xeon Sender increase the volume and sophistication of Smishing attacks, it also underscores the importance of safeguarding API credentials and bolstering defences against SMS-based threats. As this tool continues to evolve, staying informed about its capabilities and usage is crucial for individuals and organisations alike.

Report a text message you think is a scam

Most phone providers are part of a scheme that allows customers to report suspicious text messages for free by forwarding it to 7726. If you forward a text to 7726, your provider can investigate the origin of the text and arrange to block or ban the sender, if it’s found to be malicious.

iPhone or iPad: How to forward a text message:

1. Take a note of the number that sent you the message.

2. Press and hold on the message bubble.

3. Tap More.

4. Select the message or messages you want to forward.

5. Tap the arrow on the bottom right of your screen.

6. Input 7726 and send.

Android: How to forward a text message:

1. Take a note of the number that sent you the message.

2. Enter the conversation then press and hold on the message bubble.

3. Tap on the three vertical dots on the top right of your screen.

4. Tap Forward.

5. Input 7726 and send.

Read Google’s official advice on reporting spam.

If 7726 doesn’t work, you can find out how to report a text message by contacting your phone provider.

Report a scam text using a screenshot or screen recording

You can also take a screenshot or screen recording of the text message and send it the NCSC at report@phishing.gov.uk

Why you should report suspicious text messages

The purpose of a scam text message is often to get you to click a link. This will take you to a website which criminals use to download viruses to your computer, or steal passwords or other personal information. This is known as 'phishing'. Most people either delete or ignore these texts. But reporting a suspicious text is free and only takes a minute. By reporting, you can:

• reduce the amount of scam texts you receive

• make yourself a harder target for scammers

• protect others from cyber crime online

Did you know...

21,000 scams were removed as of July 2024 as part of the 7726 service.

If you've responded to a scam text message

• Learn how to protect yourself if you think you’ve shared personal information.

• If you’ve visited a website you think is suspicious, you can report a scam website or link to the NCSC.

  
  

If you’ve lost money or have been hacked as a result of responding to a suspicious phone call, you should report it:

• In England, Wales or Northern Ireland, visit www.actionfraud.police.uk or call 0300 123 2040.

• In Scotland, report to Police Scotland by calling 101.

  
  

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).