Hiding the Sender ID?
Unmasking the Technology and Legal Consequences of SMS Sender ID Spoofing
The three forms of a sender ID — know what you're looking at
Before explaining how spoofing works, you must understand the three types of identifiers that can appear in the "From" field of an SMS.
- MSISDN (Mobile Station International Subscriber Directory Number): A standard phone number like +8613800138000. This is the most common form. Since it's a real number, you can call it back — but call-back verification is not foolproof.
- Alphanumeric Sender ID: A text string up to 11 characters, such as ICBC, Apple, or Binance. These are commonly used by enterprises for brand recognition. They cannot be called back. And critically, there is no technical mechanism to verify whether the entity using this ID is genuinely the brand it claims to be.
- Short Code: A 5- to 6-digit number like 10690 or 95555, widely used in China for commercial SMS. Short codes are regulated by national authorities, but they can still be imitated through international routing loopholes.
Three technical paths to sender ID spoofing
Path 1: Abusing the SMPP gateway — the most common attack vector
The Short Message Peer-to-Peer (SMPP) protocol is how enterprises submit bulk SMS to carriers. In an SMPP submit_sm PDU, the source_addr field specifies the sender ID that appears on the recipient's phone. This field is set by the client — the entity submitting the message. If an SMS service provider does not rigorously validate its customers, anyone can set source_addr to "95555", "Apple", or any other identifier. The carrier delivers it, and the phone displays it as a legitimate message from that brand.
This is not a protocol vulnerability. It's a business process failure — an SMS aggregator that prioritizes revenue over sender verification. And there are thousands of such aggregators globally, many operating with minimal oversight.
Path 2: Exploiting international SS7/SIGTRAN signaling — the trust gap
When an SMS crosses international borders, it traverses inter-carrier signaling networks — Syniverse, BICS, Tata Communications, and others — using SS7 or SIGTRAN over SCCP/GT routing. The originating network includes the sender ID in the MAP-MO-ForwardSM message. The receiving network's SMSC (Short Message Service Center) is supposed to validate that the originating network has authority over that sender ID. In practice, this validation is often absent or trivially bypassed.
Small carriers in jurisdictions with weak regulation can inject messages with arbitrary sender IDs into the global SMS fabric. The receiving carrier sees a message from a roaming partner and delivers it without scrutiny. This is how vast volumes of spam and phishing SMS with spoofed Chinese bank IDs arrive in domestic networks — they are routed through foreign carriers that do not enforce sender verification.
Path 3: Fake base stations — the air interface attack
Using software-defined radio hardware (USRP, HackRF, BladeRF) and open-source GSM stacks (OpenBTS, YateBTS), an attacker can deploy a rogue base transceiver station (BTS). This device broadcasts a stronger signal than legitimate cell towers, forcing nearby phones to camp on it. The attacker then downgrades the connection to 2G GSM — a protocol with no mutual authentication. The phone authenticates to the network, but the network never authenticates back to the phone.
Once the phone is attached, the attacker can inject SMS messages with absolutely any sender ID — no carrier involvement, no SMPP gateway, no signaling network. The message appears directly on the target's screen, bypassing every network-level defense. This technique is used in targeted attacks: corporate espionage, activist surveillance, and high-value financial fraud. The equipment needed costs under $1,000.
Spoofing paths — comparison at a glance
| Spoofing Path | Sender ID Form | Passes Through Carrier? | Interceptability | Typical Fraud Scenario |
|---|---|---|---|---|
| SMPP gateway abuse | Any text / number | Yes | Medium | Fake bank, courier, tax authority alerts |
| International SS7 signaling | Any number | Yes | Low | Mass spam, bulk phishing campaigns |
| False base station (IMSI catcher) | Any number / text | No — air interface only | Extremely low | Targeted phishing, surveillance, executive fraud |
How to spot a spoofed message — the "Three Don'ts" principle
🛡️ For every user: three rules that never fail
- Don't tap links inside SMS messages. Even if the message sits inside the same thread as your real bank notifications. Open your banking app independently or type the URL manually. Spoofed messages can be threaded into legitimate conversations because they share the same sender ID.
- Don't comply with abnormal requests. No bank, courier, or government agency will ever ask you to transfer money, disclose your full password, or install remote-control software via SMS. If the request feels unusual, it is a scam.
- Do call back if the sender appears as a phone number. If the sender ID is a standard mobile number, call it back. The genuine owner of that number will have no knowledge of the message you received. But remember: alphanumeric IDs and short codes cannot be called back, so this test is limited.
For developers and enterprises: hardening your messaging
- Migrate critical verifications away from SMS. Use app-based push notifications, TOTP authenticator codes, or encrypted in-app messages for sensitive operations. These channels are significantly harder to spoof than raw SMS.
- Deploy SMS firewall rules. If your business uses SMS, instruct your SMS service provider to enforce strict source address validation. Disable alphanumeric sender IDs if your use case doesn't require them — this alone blocks the majority of impersonation attacks.
- Report impersonation immediately. In China, report spoofed messages misusing your brand to the 12321 Reporting Center for Bad and Spam Information. In the US, file with the FCC. In the EU, contact your national data protection authority. Every report builds pressure on carriers to tighten validation.
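An added example (not from the original article) of the source address validation described above, seen from the SMS provider's side: it reads source_addr_ton and source_addr out of an SMPP v3.4 submit_sm PDU and accepts the message only if that sender ID is registered to the submitting account. The account names, the REGISTERED table, the alphanumeric character set and the sample PDUs are constructed assumptions.

```python
import re
import struct

SUBMIT_SM = 0x00000004      # SMPP v3.4 command_id of submit_sm
TON_ALPHANUMERIC = 0x05     # SMPP v3.4 type-of-number for alphanumeric IDs
# Hypothetical registry: sender IDs each customer account has proven it owns.
REGISTERED = {"acct-bank": {"95555"}, "acct-shop": {"ExampleShop"}}

def _cstring(buf, pos):
    """Read a NUL-terminated ASCII field; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1

def parse_source(pdu):
    """Return (source_addr_ton, source_addr) from a submit_sm PDU."""
    length, command_id, _status, _seq = struct.unpack(">IIII", pdu[:16])
    if length != len(pdu) or command_id != SUBMIT_SM:
        raise ValueError("not a well-formed submit_sm")
    _service_type, pos = _cstring(pdu, 16)
    ton = pdu[pos]                       # pdu[pos + 1] is source_addr_npi
    source_addr, _ = _cstring(pdu, pos + 2)
    return ton, source_addr

def classify(ton, addr):
    """Map the field to one of the article's three sender ID forms."""
    if ton == TON_ALPHANUMERIC:          # charset below is an assumption
        return "alphanumeric" if re.fullmatch(r"[A-Za-z0-9 ]{1,11}", addr) else None
    if re.fullmatch(r"\d{5,6}", addr):
        return "short code"
    if re.fullmatch(r"\+?\d{7,15}", addr):
        return "msisdn"
    return None

def check_submit(account, pdu):
    """Gateway-side decision for one submit_sm from an authenticated account."""
    try:
        ton, addr = parse_source(pdu)
    except (ValueError, IndexError, struct.error):
        return "reject: malformed PDU"
    form = classify(ton, addr)
    if form is None:
        return "reject: invalid sender ID format"
    if addr not in REGISTERED.get(account, set()):
        return f"reject: {form} {addr!r} not registered to {account}"
    return f"accept: {form}"

def sample_pdu(ton, addr):
    """Constructed input: submit_sm with empty destination and message."""
    body = b"\x00" + bytes([ton, 0]) + addr.encode("ascii") + b"\x00" + bytes(13)
    return struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, 1) + body
```

The decision is keyed on the authenticated account, not on anything the client puts in the PDU, which is the control the article says is missing at lax aggregators.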
The legal consequences — an absolute red line
⚖️ China — Criminal Law provisions
Article 288 of the Criminal Law — Disrupting the Order of Radio Communications Management: Unauthorized use of radio frequencies or setting up radio stations (including fake base stations) carries a prison sentence of up to 3 years for ordinary circumstances, and 3 to 7 years for especially serious cases.
Article 266 — Fraud: Using spoofed SMS to defraud victims of property is prosecuted as fraud. Amounts exceeding 3,000 RMB constitute criminal fraud. Amounts exceeding 500,000 RMB can result in a sentence of 10 years to life imprisonment.
Article 287-2 — Aiding Information Network Criminal Activities: Providing technical support such as SMS gateways knowing they will be used for fraud is an independent criminal offense, punishable by up to 3 years of imprisonment, increased to 3–7 years for serious cases.
🌎 International legal landscape
United States: The Truth in Caller ID Act (47 U.S.C. § 227(e)) prohibits transmitting misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully obtain anything of value. The FCC can impose forfeiture penalties of up to $10,000 per violation, and repeat offenders face escalating fines. Malicious spoofing with intent to defraud is a federal crime.
European Union: Under the European Electronic Communications Code (EECC), member states must ensure that networks take appropriate measures to block spoofed calls and messages. Additionally, GDPR Article 5(1)(d) requires accuracy of personal data — intentionally falsifying sender identification in communications may constitute a violation, with fines of up to €20 million or 4% of annual global turnover.
This must be stated unequivocally: Unauthorized hiding or falsification of a sender ID for the purpose of sending messages — whether through SMPP gateway manipulation, international signaling exploitation, or radio equipment — is a serious criminal offense in virtually every jurisdiction. Technical research on these mechanisms must be conducted exclusively within isolated, authorized laboratory environments. There is no legal gray area. There is no "educational exception" that permits transmitting spoofed messages onto live networks. The penalties are severe, and enforcement is increasingly coordinated across borders.
SMS was built on trust between network operators — an assumption that every participant in the signaling chain was honest. That trust is now fully weaponized.
Understanding how sender ID spoofing works is not about replicating it. It's about recognizing that the next "official" message you receive may be nothing of the kind — and acting accordingly.