SMS Blasters: scam texts on steroids, and Pakistan may be next

Scam texts are usually something we swipe away without much thought. A fake bank alert here, a courier delivery hoax there, but security researchers warn the game is changing. According to Wired, cybercriminals are now deploying “SMS blasters”. These are portable devices posing as a cell tower to trick nearby phones into connecting to it, after which it sends out a mass broadcast of fake SMS messages. Once they hijack that connection, the devices can unleash up to 100,000 texts an hour, swamping whole neighborhoods with phishing attempts.

Unlike the run-of-the-mill spam we’re used to rolling our eyes at, this new approach industrializes the process of scamming by tricking people on a much larger scale. SMS blasters sneak under the radar, which means carriers can’t filter or block them. The attacks bypass traditional defenses and land directly in people’s inboxes, carrying links that can lead to credential theft, financial fraud, or malware.

The craziest part? These aren’t high-end, spy-agency toys. Blaster kits are sold online for a few thousand dollars, and tutorials float around dark-web forums. For crooks, the math is easy: even if only 1% of people click the link and hand over details, that’s still a huge payout when you’re blasting tens of thousands of phones in minutes.

A Global problem, not just a niche scam 

Regulators and telecoms are sounding the alarm. In the UK, Commsrisk reported that British telco issued a warning after seeing a surge in text-based fraud attempts, noting that more advanced campaigns are now being detected. In Malaysia, the telecom watchdog went further, conducting raids and seizing equipment worth around $24,000 that was used to power blaster-based scams (Commsrisk). And in Switzerland, the government’s National Cyber Security Centre flagged the growing prevalence of smishing attacks as part of its official weekly review of digital threats.

Still think this is just abstract cyber-geek stuff? Look at New Zealand. Earlier this year, the country saw its first-ever SMS blaster attack, a collaboration between a China-based operator and a teenager in Auckland as reported in NZ Herald. Their mobile setup (literally running out of a car battery) spewed hundreds of fake bank texts in one night, targeting customers of ASB and ANZ banks. Luckily, strong two-factor authentication meant most people didn’t lose money, but the case proved just how real and mobile this tech can be.

Read: The breakneck pace of AI, a breakthrough with micro gears, and breaking tech with solar flares

Cases like these underline the “arms-race” nature of digital crime: as banks tighten fraud controls and telcos filter spam, criminals escalate with new hardware-based tricks, and because the devices can be mobile, hidden in cars, apartments, or even suitcases authorities face an uphill battle detecting and shutting them down.

That’s what sets SMS blasters apart from the run-of-the-mill spam we usually just roll our eyes at: they’re industrial-scale, fast, and flexible. Put simply, no country is immune. If anything, the spread of cheap, easily concealed SMS blaster kits means that cybercriminals in emerging markets may be among the first to adopt them aggressively.

Why this matters for Pakistan

Pakistan’s telecom sector is no stranger to SMS fraud. The Pakistan Telecommunication Authority (PTA) has repeatedly warned consumers against scam texts promising prize money, fake SIM verifications, or blocked bank accounts. In 2023 alone, PTA said it received over 150,000 complaints of spam and fraudulent SMS. The regulator has also set up a shortcode service (9000) where users can forward spam to block the sender. (PTA advisory).

While effective in tackling basic scams, experts worry these measures may not be enough if SMS blasters take root, since the technology sidesteps operator networks entirely. With SMS blasters, the scammer doesn’t need a legitimate SIM card at all, the fake tower simply pushes messages directly. That means existing filters and blacklists won’t help. While there’s no confirmed report yet of SMS blasters being used inside Pakistan, the global spread suggests it’s only a matter of time. And with the devices being relatively cheap and compact, the barrier to entry is low.

Meanwhile, global security firm Kaspersky found that phishing attempts in Pakistan jumped 18% year-on-year in 2024, part of a broader worldwide surge. With more financial services, from JazzCash to Easypaisa, relying on mobile authentication, the stakes are rising fast 

Carriers powerless, users exposed

What makes SMS blasters so troubling is that telecom carriers are effectively powerless to intercept them. Traditional SMS spam usually passes through a carrier’s infrastructure, where some level of filtering is possible. But SMS blasters impersonate towers directly, bypassing those filters. “Your phone has no idea it’s talking to a fake base station,” one security researcher explained. “It just trusts whatever the strongest signal is.”

This creates a scenario where even vigilant users are at risk. Messages may appear to come from trusted institutions, complete with cloned sender IDs. Coupled with local familiarity, like the use of Urdu or references to real government programs making it difficult to spot the fraud without technical training.

Globally, regulators are only beginning to grasp the scale of the threat. While Malaysia has acted with enforcement raids, and European agencies are flagging the trend, there’s little evidence of comprehensive frameworks to curb the spread of SMS blasters. In Pakistan, PTA has focused heavily on blocking fraudulent SIMs and issuing advisories.

The missing counterpoints

Telecom experts argue that carriers shouldn’t be let off the hook so easily. Operators could do more by monitoring unusual traffic patterns at the network edge or investing in detection gear that spots rogue towers. Privacy advocates also worry that in racing to stop the scammers, governments could end up normalizing invasive surveillance technology that tracks ordinary users.

There’s also a policy vacuum: while Europe and parts of Asia are beginning to discuss regulations to ban or register blaster equipment, countries like Pakistan, haven’t yet created a legal framework that specifically addresses the devices. That leaves enforcement agencies stuck treating each case under broad cybercrime statutes, which may be inadequate.

The trend line

SMS blasters fit into a larger pattern of cybercrime “industrialization.” We’ve already witnessed spam evolve into spear-phishing, robocalls morph into AI-voiced scams, and now smishing scale up with broadcast-grade hardware. The trend is unmistakable, criminals are borrowing tactics once reserved for militaries or state-level actors, like spoofing radio towers, and repurposing them for profit.

For Pakistan, the lesson is clear. Local carriers, regulators, and banks will need to prepare for this next generation of fraud. The fact that the PTA already fields massive volumes of complaints suggests demand for stronger consumer protection is high. Cross-border cooperation and sharing intelligence with partners in the UK, Malaysia, or New Zealand may prove essential in getting ahead of the threat.

What to do as a user

For everyday phone users, the advice remains straightforward, if not foolproof. Don’t click links in unsolicited texts, no matter how official they look. Use phone settings to block unknown senders if possible. If you get scammy texts on your devices, immediately contact PTA through their wesbite or complaint helpline (0800-55055) to report them.

If the overseas cases prove anything, it’s that SMS blasters turn what used to be a minor annoyance into something more industrial, faster, and harder to stop. In the digital cat-and-mouse game, users are often the first and last line of defense.

Read more: Seas of weeds, AI predicted earthquakes, and Big Tech's endless appetite

The emergence of SMS blasters signals a new chapter in cybercrime: the industrialization of fraud. What once took small groups of scammers hours to orchestrate can now be automated at a scale that overwhelms users and regulators alike. For Pakistan, where digital financial services are booming and regulatory enforcement is still catching up, the stakes are especially high.

For now, the message is clear: the scams are getting faster, louder, and harder to filter. But as always, the weakest link is still human trust. A healthy dose of skepticism and a finger poised to delete still remains the best first line of defense.