
A text message that looks “official” is today one of the most dangerous – and most ordinary – traps there is



You see the sender name at the top:

“Your Bank”, “Postal Service”, “Health Fund”, “BIT”, “Tax Authority” – and your brain immediately relaxes:

it’s in the same conversation thread, same name, same style – so it must be real… right?


That’s exactly where the scam begins.



The illusion of a “trusted sender”



Israeli security researcher Ran Bar-Zik explains that one of the biggest illusions of safety is our trust in the sender name.

The sender name in an SMS is very easy to fake – and you don’t need to be a “super hacker” to do it.

All it takes is access to an SMS gateway that lets you choose any sender name, and your phone will happily display that name in the same thread as legitimate messages.


Behind the scenes, there is a mechanism called Sender ID:

instead of a regular phone number, a big company sends messages with a text label – for example “Clalit” or “BankXYZ”.

Your phone does not really verify who is behind that label.

It simply shows whatever name it was told to show, and groups all messages with that name into one conversation.


The critical problem:

the SMS infrastructure normally does not check whether the person who typed “BankXYZ” is actually the bank – or a random scammer paying for an SMS service.



What this means in practice



  • A message that looks identical to your previous bank message can be completely fake.

  • It will appear in the same thread as your real bank messages, so it feels continuous and trustworthy.

  • The link inside may look “almost” like the official site – but it leads to a phishing page designed to steal passwords, one-time codes, and credit card details.




A simple real-world scenario



  1. A scammer gets hold of many phone numbers (often from a data leak).

  2. They sign up to an SMS service, choose a sender name like “DoarIsrael” or “BIT” and send thousands of messages:


    “There is a problem with your account”, “Your package is waiting”, “A legal case has been opened – click here to view”.

  3. The link leads to a website that closely imitates the official one: same logo, same colors, same layout.


    To a non-expert – and often even to experienced users – it looks authentic.

  4. The moment you type in your username, password, one-time code or card details – everything goes straight to the scammer.



Even people who “understand computers” can fall for this, because we all rely on the frame:

same thread, same sender name, official logo, correct spelling.

Attackers play the numbers game – they send to thousands of people, and only need a small percentage to click.



What should you actually do?



Practical rules, even for complete beginners


  1. Golden rule: do not click links that arrive by SMS.


    Even if the sender name looks familiar, even if the message is in an old conversation thread, even if the language looks professional.

  2. Always go in manually:


    • If it’s “from the bank” – open your regular bank app, or search for the bank’s name yourself in your browser and enter from there.

    • If it’s “from the post office / courier / tax authority” – use the official app or type their official address yourself.


  3. Do not call the phone number in the SMS.


    If a phone number appears in the text, ignore it.


    Look up the customer service number on the official website or via a trusted search.

  4. Any message that uses pressure and urgency is a red flag.


    “Your account will be blocked immediately”, “A criminal file will be opened”, “Immediate seizure of funds” –


    urgency is a classic scam tool. When we feel rushed, we stop thinking clearly.


    When the pressure goes up – you should slow down.

  5. If you already clicked and entered details – act fast, and don’t be ashamed.


    • Call your bank or card company and request a block or cancellation.

    • Change passwords for the relevant accounts.

    • Watch for unusual activity on your accounts.
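The Sender ID behaviour and the practical rules above, as an added example that is not part of the original article: a small Python model of an inbox that threads messages by displayed label only, plus a check for the article's warning signs (link, phone number, urgency). The `Sms` class, the `origin` field, the regexes, and the sample messages are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sms:
    sender_label: str  # text label the handset displays (chosen by the submitter)
    origin: str        # who actually submitted it; never shown to the recipient
    body: str

LINK_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[a-z]{2,})+/\S*", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\- ]{7,}\d(?!\w)")
URGENCY = ("immediately", "immediate", "blocked", "criminal file", "seizure")

def build_threads(messages):
    """Thread by displayed label only, as the article describes handsets doing."""
    threads = defaultdict(list)
    for msg in messages:
        threads[msg.sender_label].append(msg)
    return dict(threads)

def red_flags(body):
    """Return which of the article's warning signs a message body contains."""
    flags = []
    if LINK_RE.search(body):
        flags.append("link")
    if PHONE_RE.search(body):
        flags.append("phone-number")
    if any(term in body.lower() for term in URGENCY):
        flags.append("urgency")
    return flags

# Constructed sample inbox: same label, two unrelated submitters.
INBOX = [
    Sms("BankXYZ", "bank-gateway-account", "Your one-time code is 482913."),
    Sms("BankXYZ", "unrelated-gateway-account",
        "Your account will be blocked immediately. Verify at "
        "https://bankxyz-secure.example/login or call 03-555-0100"),
]

if __name__ == "__main__":
    for label, msgs in build_threads(INBOX).items():
        print(f"Thread '{label}': {len(msgs)} messages, "
              f"{len({m.origin for m in msgs})} distinct origins")
        for m in msgs:
            print("  flags:", red_flags(m.body) or "none", "|", m.body[:40])
```

Both messages land in one thread because the label is the only grouping key, while the warning signs appear only in the message body, which is why the rules above focus on content and not on the sender name.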





How to explain this to parents, grandparents, or non-technical friends



You can use one very simple sentence:


“The name at the top of an SMS is just a drawing on the screen.

It is not proof of who sent it.”


Make sure they understand:


  • Their phone does not truly know who sent the message. It only displays the label it was told to show.

  • Even if a new message appears inside the same thread as old messages from the bank or clinic – it can still be a scammer who “dressed up” as that sender.




The bottom line



  • SMS is a convenient channel – but it is not a trustworthy one.

  • A nice name, official logo and formal language are not enough to earn your trust.

  • Your finger on the link must always stay suspicious – especially when money, passwords and security codes are involved.





Further reading (Ran Bar-Zik, in Hebrew):


