- SMS spoofing victim reveals how a scammer took his Bitcoin
- Scammer fabricated texts from Revolut to ‘confirm’ receipt of payment
- Victim was used to receiving texts from the same number
An SMS spoofing victim has relayed his experience of being scammed out of his Bitcoin, revealing how the scammer managed to impersonate Revolut and falsify the sale. Posting on Reddit, the victim, who goes by the username Gandeloft, shared numerous details about the incident in the hope of forewarning others of the menace of SMS spoofing.
Confirmation Messages Came From Revolut’s Number
Gandeloft’s problems began when he advertised some Bitcoin for sale on the website HodlHodl, a peer-to-peer Bitcoin exchange in the mold of LocalBitcoins. The amount for sale, ₿0.1747, was worth $1,850 at the time, money that Gandeloft was planning to use in order to move out of his current residence.
Gandeloft soon had an interested buyer and began negotiations. After the scammer said he would pay via Revolut, Gandeloft received a text message purportedly from Revolut saying that the money had been sent.
Gandeloft did not know it at the time, of course, but this message was a prime example of SMS spoofing.
Gandeloft wanted to wait until the money was actually in his Revolut account before releasing the Bitcoin, but the scammer insisted that the transaction be completed beforehand.
The scammer then sent Gandeloft screenshots seeming to show that he had sent the money, after which Gandeloft received another text message to confirm that the money had arrived, even though his account was still empty. Gandeloft then released the Bitcoin before realizing that he had been scammed.
SMS Spoofing an Effective Tool
The scammer conducted what is known as an SMS spoofing attack, in which the attacker mimics the phone number of an organization so that a message looks like an authentic text from that company. The process is worryingly simple, with such services available online for a fee. In this case it was particularly effective because Gandeloft had received texts from Revolut on the same number in the past, so he had no reason to question the messages' authenticity.
Gandeloft admits that he made the crucial mistake of releasing the Bitcoin before the funds had actually arrived in his account, which was the final check he needed to make after almost a day’s worth of negotiation and pressure from the buyer to release the Bitcoin.
Don’t Trust, Verify
When hackers are able to imitate a genuine transaction through SMS spoofing so accurately, it can be extremely hard to guard against them. However, when conducting a peer-to-peer transaction, it is always best to wait until the money you are due to receive has actually arrived, either in your account or in the agreed escrow account, before releasing the funds. Don’t bow to pressure from the other person; pressure is usually a sign of something untoward going on.
As the saying goes, don’t trust, verify.