
Chinese "Smishing" Operations: A Growing Threat to Your Digital Wallet

Written by Brad Deflin | April 11, 2025

This month, I want to bring your attention to a sophisticated and remarkably successful scam that has expanded globally and is now targeting financial institutions worldwide. What makes this particularly concerning is its effectiveness and its apparent connection to Chinese actors.

The "Smishing" Threat

You’ve likely encountered messages about unpaid tolls or pending package deliveries. These are not random but rather part of what security researchers have termed the "Smishing Triad" – organized phishing operations originating from China that have become highly adept at digital wallet theft.

  • These attacks target iMessage (for Apple users) and RCS (for Android users).
  • They are highly convincing, using professionally designed websites that impersonate trusted brands such as postal services, toll authorities, PayPal, Chase, Wells Fargo, and many others.
  • The scale is massive – security researchers estimate these phishing pages receive over a million visits monthly, with operations spanning 121 countries.

✔︎ These fraudulent messages are highly likely to reach you because they travel over iMessage and RCS rather than the cellular SMS network, giving the attackers near-100% delivery rates to Apple and Android users alike.

Coincidentally, or perhaps synchronistically, I received the following example of Triad Smishing on my iPhone just as I typed the paragraph above. 

Who is "the Smishing Triad"?

Security researchers have traced these operations to China-based groups with names like Darcula, Lighthouse, and the Xinxin Group. What's particularly interesting is their global reach while seemingly avoiding targeting Russia, Iran, and North Korea. 

The operations show a significant investment in infrastructure:

  • Approximately 25,000 phishing domains active during any 8-day period
  • Majority hosted on Chinese platforms Tencent and Alibaba
  • Sophisticated technical capabilities allowing a single device to send approximately 100 messages per second
  • Operations include walls of phones with human operators ready to handle time-sensitive verification codes

✔︎ There have been arrests of Chinese nationals in Singapore, California, and Tennessee for using these technologies to make fraudulent purchases, suggesting an organized effort with international reach.


The Chinese Connection

One aspect of this threat that’s particularly interesting—and a bit unsettling—is the role of the Chinese government and Chinese hackers in this operation. While there’s no definitive proof that the Chinese government is directly involved, the affiliation of these cybercriminals with China-based servers and their operations through large Chinese companies like Tencent and Alibaba raises concerns. This is especially relevant considering the current tense political relationship between the U.S. and China, particularly regarding cybersecurity and state-sponsored hacking activities.

The fact that these hackers are based in China and operate at such a scale points to the sophistication of the threat. These aren’t just casual hackers—they’re part of a larger organized crime syndicate, with a business model designed to maximize efficiency and profitability. Their innovative approach is likely inspired by the growing demand for cybercrime as a service and the ability to target global financial markets.


How Do You Protect Yourself?

Now that you understand what smishing is, who the sophisticated perpetrators are, and why it’s so dangerous, let’s talk about what you can do to protect yourself:

  1. Be suspicious of urgent messages. Especially those concerning unpaid tolls, package deliveries, or financial matters requiring immediate action.
  2. Never click links in unexpected messages. Instead, go directly to the official website by typing the URL yourself or using your existing bookmarks.
  3. Don't provide card details on sites reached via messages. Legitimate organizations typically don't request full payment details via text message links.
  4. Be wary of verification code requests. If you receive an unexpected verification code by text message, it likely means someone is trying to access your accounts.
  5. Consider using your bank's app for verification. Many financial institutions are moving away from SMS verification, instead requiring approval through their official mobile app.
  6. Use an MFA "authenticator" app instead of text for verification codes. Google Authenticator and Microsoft Authenticator are best.
  7. Use mobile security software (like what we provide at TDS) to detect and block suspicious apps and websites.


The Bigger Picture

The rise of these sophisticated operations highlights the evolving cybersecurity landscape and the increasing professionalization of cybercrime. What's particularly noteworthy is how these Chinese-based groups are innovating in ways that make their attacks more efficient and cost-effective.

This development comes at a time when US-China relations remain tense, raising questions about the Chinese government's role in addressing cybercrime originating within its borders. While there's no direct evidence linking these operations to the Chinese government, the scale and sophistication suggest at minimum a permissive environment for these activities when targeting non-Chinese victims.

As we've long said, cybersecurity isn’t just about protecting your devices—it’s about protecting your life. By staying aware of the threats around us and being proactive in our defenses, we can enjoy the benefits of the digital age without falling prey to scams like smishing. At Total Digital Security, we watch emerging threats like these closely so we can keep you informed and protected as they evolve, especially the AI-generated threats we will increasingly see in 2025 and the years ahead.

✔︎ As always, your security remains our top priority at Total Digital Security. Our team stays vigilant against emerging threats like these so we can keep you informed and protected.


Remember, Cybersecurity for Life is a mindset. Stay vigilant, stay secure, and contact us if you have questions or need assistance.


Brad Deflin

President and Founder - Total Digital Security