An inconspicuous sedan drives through the city center – a device the size of a shoebox whirs in the trunk. As the car circles the area, passersby's smartphones vibrate in droves, alerted by a supposed payment reminder or parking ticket. Those who click on the link often lose money from their bank accounts within minutes. These so-called SMS blasters operate from moving cars and have caused millions of euros in damages in some major cities. Anyone affected should act quickly to secure their right to compensation and legal action.

What is an SMS blaster and how does this new scam work?

An SMS blaster is a mobile device about the size of a shoebox that mimics a legitimate cell phone antenna. It's connected to a car battery, stored in the trunk, and remotely controlled via an app. The perpetrators drive it through densely populated areas – city centers, train stations, or stadiums. Within a radius of up to 1,000 meters, all the smartphones of passersby automatically connect to the moving device. A single drive can reach tens of thousands of recipients without the perpetrators knowing a single phone number – and the device can be deployed in another city a short time later.

Once the connection is established, the blaster forces the phones onto the outdated 2G network. Security standards are significantly lower there, allowing messages to be delivered without verification. Victims then receive a text message that appears to be from their bank, a government agency, the postal service, or a well-known company. These messages often threaten recipients with a supposed payment reminder, a parking ticket, or an unusual login attempt, all designed to pressure them into taking immediate action.

Anyone who follows the link is taken to a fake website that visually mimics the original platform. There, users are asked for online banking login details, credit card information, or confirmation codes for TAN procedures. Once the data has been entered, the perpetrators can initiate transfers or empty the account. In Geneva, the public prosecutor's office has now registered 154 victims with total losses of nearly two million Swiss francs.

This method is particularly dangerous because the SMS blaster bypasses the official spam filters of mobile network operators. The fake messages come directly from the perpetrators' devices, not via the regular network. Filtering technologies are ineffective. Furthermore, regular radio connections are disrupted during the attack – in Toronto, a single blaster even temporarily blocked emergency calls.

Before complying with an SMS request for immediate payment or data disclosure, check the sender directly with the official authority and do not use the provided link.

Claims for reimbursement against the bank: Section 675u of the German Civil Code (BGB) in the case of phishing.

Anyone who has lost money due to a phishing SMS often has a claim for reimbursement against their bank. According to Section 675u of the German Civil Code (BGB), in the case of an unauthorized payment transaction, the bank must immediately refund the amount and restore the account to the balance it would have had without the transaction. This applies provided that the payment transaction was not authorized by the account holder.

The decisive factor is whether the bank can prove gross negligence on the part of the customer under Section 675v Paragraph 3 of the German Civil Code (BGB). If gross negligence is proven, the bank can refuse or reduce the reimbursement claim. However, the burden of proof lies with the bank, not the customer. The mere fact that someone responded to a phishing SMS does not, in itself, constitute gross negligence. The specific circumstances are crucial – for example, how convincing the fake message appeared, whether warning signs were apparent, and what information was actually disclosed.

In practice, banks often reject reimbursement claims outright. They cite alleged gross negligence without providing specific justification. Such rejections often do not withstand legal scrutiny. Those who take early action and document the events significantly improve their position. In cases of particularly sophisticated attacks, such as SMS blasters, whose messages are virtually indistinguishable from genuine ones for consumers, the accusation of gross negligence can often be refuted.

Do not let a bank's rejection go unanswered, but have it reviewed legally at an early stage – the chances of success depend significantly on the substance of the bank's argument.

Criminal charges and evidence gathering after SMS blaster attack

In addition to pursuing civil action against the bank, filing a criminal complaint is an important step. SMS blaster fraud regularly constitutes several criminal offenses, including computer fraud under Section 263a of the German Criminal Code (StGB), unauthorized access to data under Section 202a StGB, and falsification of evidence under Section 269 StGB. Furthermore, it violates the Telecommunications Act, as operating a pseudo-antenna without a frequency allocation is illegal.

Filing a report opens the door to investigative measures by the authorities and can strengthen the claim for reimbursement against the bank. For effective evidence preservation, those affected should take the following steps:

• Keep the original SMS: Do not delete the fake message. Take screenshots showing the sender, date, and time, and save them separately.
• Save bank statements: Print out all unauthorized bookings or save them as PDFs, including the value date and recipient details.
• Document contact attempts: Document all phone calls, emails and chats with the bank in writing – including date, time and content of the conversation.
• Note the device context: Location, time of day and exact sequence of events after receiving the SMS – this information helps investigators locate the blaster.
• Have your account blocked immediately: If you suspect data misuse, immediately call the blocking hotline 116 116 and block all affected cards and access.

A criminal complaint can be filed at any police station or online via the state criminal investigation offices' internet portals. Additionally, reporting the incident to the Federal Network Agency is advisable, as operating an SMS blaster constitutes a serious violation of telecommunications law.

Secure evidence immediately after discovering the damage, before data is overwritten or connections are interrupted.

Who is liable for the damage? A comparison of the bank, the perpetrator, and third-party providers.

Several actors must be distinguished when considering liability. Primarily responsible are the perpetrators who operate the SMS blaster and misuse the data. In practice, however, they are rarely apprehended, as they often operate within international networks and conceal their identities. In the Geneva wave and similar cases, police and public prosecutors assume that organized cybercrime networks are behind them. Civil enforcement against unknown perpetrators or those located abroad is generally futile.

The second and, in practice, most important point of contact is the bank holding the account. Here, the reimbursement regime according to Sections 675u and 675v of the German Civil Code (BGB) applies. Whether the bank must reimburse the full amount, a partial amount, or nothing at all depends on the degree of the customer's fault. The security standards of online banking also play a role – institutions must provide up-to-date authentication procedures and be able to recognize suspicious payment patterns.

Payment service providers and third-party providers, such as instant bank transfer providers, are only liable in rare situations – for example, in cases of breached security obligations or overlooked suspicious payment patterns. Mobile network operators are usually not liable because their filtering structures are technically unable to detect SMS blasters.

Have all potential defendants examined before focusing on a single point of contact.

How to protect your smartphone from SMS blasters and smishing

Technical safeguards are the most effective form of protection. On many Android devices, the connection to the 2G network can be completely disabled in the network settings. Since the SMS Blaster operates exclusively via this outdated network, the attack is ineffective if 2G is disabled. You can usually find this setting under "Mobile" or "Network settings" and "Allowed network types".

It's not possible to directly disable the 2G network on an iPhone. However, Apple offers a "Lockdown Mode" in the privacy settings. This mode also blocks the 2G connection, but restricts other functions and should therefore be activated only when there is an increased threat level.

Those who travel abroad regularly should be aware that the 2G network is still operational in many countries. In such cases, the 2G setting must be temporarily disabled to ensure connectivity. Even in Germany, some 2G networks remain active, so disabling it may, in some instances, lead to reception problems.

Regardless of technical measures, it is advisable to be generally suspicious of any text message requesting immediate payment or data disclosure. Authorities and reputable companies do not send payment reminders or demands via text message containing clickable links. If in doubt, you should verify the claim directly with the official agency without clicking the link in the message.

Never disclose bank access data, TANs or credit card information in a text message upon request.

When is legal advice worthwhile in cases of SMS Blaster fraud?

Legal advice is always advisable if the bank rejects, reduces, or processes a reimbursement claim hesitantly. Particularly in disputes concerning allegations of gross negligence under Section 675v Paragraph 3 of the German Civil Code (BGB), many affected individuals underestimate their legal position. Banks exploit the complexity of the legal situation to enforce blanket rejections that do not withstand legal scrutiny.

Even in cases involving larger sums of damages or multiple bookings, early legal advice is advisable. Lawyers examine the opposing parties, secure evidence, and ensure deadlines are met – the statute of limitations for claims arising from unauthorized transactions follows its own rules, requiring a swift response. In criminal proceedings, the lawyer can also represent the injured party, review the case file, and prepare subsequent civil action.

Conclusion: SMS Blaster fraud requires swift and structured action.

The SMS blaster scam will continue to spread because it is technically easy to implement and highly profitable for the perpetrators. Cases from Geneva, Basel, Toronto, and now also from major German cities show that no network operator and no spam filter can reliably detect these fake antennas. Those who have fallen victim should not give up.

Claims for reimbursement against the bank are enforceable in many cases, especially if the allegation of gross negligence can be substantively refuted. Crucial to success are the swift and thorough securing of evidence, a timely response to the bank's rejections, and the involvement of legal counsel in complex cases. Those who proceed systematically have a realistic chance of recovering a large portion of the damages and supporting the criminal prosecution of the perpetrators.

FAQs – Frequently Asked Questions about SMS Blaster Fraud

Der Beitrag SMS-Blaster aus dem Auto: Wie Betrüger Ihre Bankdaten stehlen erschien zuerst auf R&U.