Would you trust it? Delete it? Click anyway?
And what happens if you’ve just spoken to that very organisation on the phone, and they told you to expect a text?
This is the situation now facing thousands of people across Ireland as ComReg and mobile operators roll out a new anti-fraud SMS system. Designed to crack down on scam texts, the system is accidentally mislabelling legitimate messages from trusted institutions—hospitals, universities, insurers, and even football clubs.
The result? Widespread confusion, eroded trust, and a golden opportunity for attackers.
Last week, Irish mobile networks began implementing a system that blocks or flags SMS messages claiming to be from organisations that haven’t registered with ComReg’s new Verified Sender ID list.
But here's the problem:
Many legitimate organisations have registered—but their messages are still being flagged.
This often happens when a third-party vendor (such as a ticketing or IT service) is sending the message on behalf of the company.
Users are now seeing "likely scam" warnings on messages from known, trusted brands—including hospitals, the CAO, An Post, VHI, and Amazon.
This erosion of trust creates a dangerous environment. People no longer know whether to believe what they’re reading—or dismiss it entirely. For threat actors, that’s the perfect smokescreen.
An attacker could easily use this moment of uncertainty to craft a convincing and well-timed phishing attack.
Target: Irish residents recently in touch with healthcare providers
Pretext: A hospital appointment has been moved; confirmation is needed
Sender ID: Spoofed as STJAMES_APPT, with the “likely scam” tag expected
[Likely Scam] STJAMES_APPT: Your outpatient appointment has been rescheduled. Confirm here: hse-check.ie/confirm
Link: Directs to a cloned HSE-style page prompting for name, DOB, and insurance details
Result: Victim hands over sensitive health and personal information, believing the warning is just another false positive
Conditioned tolerance – Users are now seeing legitimate services mislabelled, so they’re less alarmed by warnings.
Recent interaction – If someone recently contacted their GP or insurer, they expect a follow-up SMS.
Authority bias – Messages appear to come from familiar, trusted sources.
Message timing – Well-timed texts feel genuine. An attacker who scrapes social media or forums for clues (e.g. hospital complaints, ticket sales) can build realistic campaigns.
From an open-source intelligence (OSINT) point of view, this rollout is revealing new investigative opportunities:
Infrastructure Mapping: Identifying which third-party SMS vendors are used by large Irish organisations and checking their registration status with ComReg.
Sender ID Tracking: Compiling a list of mislabelled but legitimate Sender IDs can help identify phishing campaigns spoofing them.
Pattern Analysis: Monitoring DNS registrations for spoofed HSE, insurer, or university domains that could be used in phishing campaigns.
Disinformation Risk: Attackers could use these incidents to undermine trust in state or healthcare communications, further fragmenting public confidence.
For organisations:
Audit your SMS ecosystem: Know who is sending texts on your behalf and whether they are ComReg-registered.
Remove reliance on links: Encourage users to go to your official site or app rather than clicking in texts.
Communicate proactively: Let users know that false scam warnings may occur temporarily, and how to verify your messages.
Use secondary confirmation: Send a follow-up email or phone call to validate important SMS communications.
For security teams:
Monitor for spoofed Sender IDs using threat intel feeds and public reports.
Deploy SMS awareness campaigns warning users not to trust links in messages marked as “likely scam” without validation.
Hunt for cloned websites using known-good domain typo variants and certificate transparency logs.
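Putting the last three points into practice, here is a small triage script added for this issue (it is not part of the original post or any ComReg tooling). It keeps a registry of the Sender IDs an organisation really uses and the domains those texts may link to, then does two things: it checks incoming SMS so that a carrier "likely scam" tag on a known Sender ID with an allow-listed link is separated from a genuinely suspicious message, and it generates typo and keyword lookalikes of the known-good domains (the page's own illustrative `hse-check.ie` is a brand-plus-keyword variant) to match against names seen in certificate transparency logs. Every Sender ID, domain, SMS body and CT entry below is constructed for the example; the lookalike generator is a deliberately simple subset of what tools like dnstwist do.

```python
"""Lookalike-domain and Sender ID triage for SMS phishing defence (constructed example)."""
import re

# Constructed registry: Sender IDs the organisation uses -> domains its texts may link to.
KNOWN_GOOD = {
    "HOSPITAL": {"hospital.example"},
    "INSURER": {"insurer.example", "myinsurer.example"},
}
ALL_GOOD = set().union(*KNOWN_GOOD.values())

# Words attackers commonly bolt onto a brand name to build a convincing lookalike.
KEYWORDS = ("check", "confirm", "secure", "verify", "appt", "login")

# Matches a dotted hostname such as hospital.example or www.insurer.example.
HOST_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(domain):
    """Reduce a hostname to its last two labels, lower-cased (good enough for the example)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def split_label(domain):
    """Return (label, tld) for a two-part domain like 'hospital.example'."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_labels(label):
    """Generate typo and keyword variants of one brand label."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i + 1] + label[i] + label[i + 1:])       # duplication
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(1, len(label)):
        out.add(label[:i] + "-" + label[i:])                    # hyphen insertion
    for kw in KEYWORDS:
        out.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}"})  # keyword padding
    out.discard(label)
    return out


# Pre-compute variant labels per known-good domain.
VARIANTS = {good: lookalike_labels(split_label(good)[0]) for good in ALL_GOOD}


def lookalike_of(candidate):
    """Return the known-good domain that `candidate` imitates, or None."""
    candidate = registrable(candidate)
    if candidate in ALL_GOOD:
        return None
    cand_label, cand_tld = split_label(candidate)
    for good, variant_labels in VARIANTS.items():
        good_label, good_tld = split_label(good)
        if cand_label == good_label and cand_tld != good_tld:
            return good  # same brand under a different TLD
        if cand_label in variant_labels:
            return good
    return None


def extract_domains(body):
    """Pull registrable domains out of an SMS body."""
    return [registrable(h) for h in HOST_RE.findall(body)]


def triage_sms(carrier_tag, sender_id, body):
    """Classify one SMS: probable false positive, no indicators, or suspicious."""
    findings = []
    allowed = KNOWN_GOOD.get(sender_id)
    for dom in extract_domains(body):
        if allowed is not None and dom not in allowed:
            findings.append(f"sender {sender_id} links to non-registered domain {dom}")
        target = lookalike_of(dom)
        if target:
            findings.append(f"{dom} is a lookalike of {target}")
    if findings:
        verdict = "suspicious"
    elif carrier_tag and sender_id in KNOWN_GOOD:
        verdict = "probable false positive"  # carrier tag, but sender and links check out
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "findings": findings}


def hunt_ct_log(names):
    """Match hostnames seen in a certificate transparency feed against lookalike variants."""
    hits = {}
    for name in names:
        dom = registrable(name.lower().lstrip("*."))
        target = lookalike_of(dom)
        if target:
            hits[dom] = target
    return hits


# Constructed inbound messages: (carrier tag, Sender ID, body).
SAMPLE_SMS = [
    ("likely scam", "HOSPITAL", "Your outpatient appointment has moved. Details: https://hospital.example/appointments"),
    ("likely scam", "HOSPITAL", "Your appointment has been rescheduled. Confirm here: hospital-check.example/confirm"),
    ("", "INSURER", "Renewal due. Log in at myinsurer.example"),
    ("", "INSURER", "Your policy is suspended. Verify now: http://www.insurre.example/verify"),
]

# Constructed names as they might appear in a CT log feed.
SAMPLE_CT_NAMES = ["hospital.example", "hopsital.example", "secure-insurer.example",
                   "unrelated.example", "*.insurer.example"]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(sms[1], triage_sms(*sms))
    print("CT hits:", hunt_ct_log(SAMPLE_CT_NAMES))
```

The first sample shows the case the article is about: a real Sender ID, a link to its own registered domain, and still a carrier "likely scam" tag. Treating that as a probable false positive and the second sample (same Sender ID, lookalike link) as suspicious is the distinction users are currently being asked to make by eye; the registry makes it mechanical. In production the CT names would come from a live feed and the registry from the audit of your SMS vendors recommended above.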
Security tools are only as effective as the trust they preserve. When users are trained to expect false positives, they begin ignoring real warnings too. That’s exactly the kind of behavioural gap attackers look for.
This isn't just a rollout issue—it’s a phishing opportunity hiding in plain sight.
1. HTTrack
What it does: Downloads a full static copy of a website (HTML, images, stylesheets, etc.) for offline browsing.
Why it’s useful: Great for quick mirroring or archiving; supports recursive downloads and link restructuring.
Use case: Creating a local replica of a site for analysis or safe examination.
Command: httrack https://example.com -O ./cloned_site
Website: https://www.httrack.com/
2. BlackEye (based on SocialFish)
What it does: A phishing toolkit that automates the process of cloning login pages for platforms like Facebook, Instagram, Microsoft, etc.
Why it’s useful: Built-in templates and credential capture mechanisms; often used in phishing simulations.
Use case: Simulating credential-harvesting attacks during awareness training or red team engagements.
Did You Know? In the early 1970s, Steve Jobs and Steve Wozniak began their journey into technology by building and selling "blue boxes"—illegal devices used for phone phreaking that mimicked the 2600 Hz tones used by telephone systems, allowing users to make free long-distance calls. Inspired by an Esquire magazine article, Wozniak designed the device, and Jobs handled the sales, eventually selling around 200 units at $150 each. This underground venture not only sparked their fascination with electronics and systems manipulation but also laid the foundation for their future collaboration. Jobs later reflected, “If it hadn’t been for the Blue Boxes, there would have been no Apple.”
Till next time,
Disclaimer: All of the above tools should only be used in controlled, ethical environments — such as red team engagements, security testing, or awareness training. Using these tools without permission is illegal and unethical. Just so you know.