New Yorkers Targeted with Scam SMS from Official Numbers

Hackers have gained access to Mobile Commons, which is a US text messaging service used regularly by the State of New York, Catholic Relief Services and the Fight for a Union organization, then sent malicious SMS to all subscribers.

The hackers likely compromised the company’s infrastructure through a spear-phishing or social engineering attack. They stayed inside the systems for about four hours before Mobile Commons removed the threat.

While four hours might not seem long, it was enough for them to send out fake banking messages that referred to declined transactions and urged recipients to call or reply to an 888 number, which has since been disconnected.

According to NBC News, around 160,000 users received the fraudulent texts before the incident was contained.

How the Attack Worked

Most of the scam texts we receive are from unknown numbers, which makes them easier to spot. But the messages in these scam campaigns came from legitimate short codes that trusted organizations use to send official communications.

Because these numbers are pre-approved by mobile carriers, messages are less likely to be flagged as spam or suspicious.

The US Short Code Registry, in an email viewed by NBC News, warned that threat actors are starting to go after verified messaging systems.

“Our monitoring teams have detected a notable increase in attempts by unauthorized actors to initiate account takeovers (ATOs) and originate unwanted or illegal text messages using Short Codes,” notes the email.

Official Response from Mobile Commons

Following the security incident, Mobile Commons confirmed the problems and temporarily paused all outgoing messaging as a precaution.

In a public advisory on its service status page, the company said just a couple of days ago:

“Access to Commons is currently unavailable for all users while we implement enhanced security upgrades. No customer or subscriber data has been compromised. Inbound messages will continue to be received and queued.”

But, yesterday the problems have been repaired, for the most part.

“Platform access resolved, outgoing messaging still unavailable for US communications. We will notify customers when full service is restored and our next scheduled update will be posted here by 12PM EST tomorrow.”

How Users Can Protect Themselves

To reduce the risk of falling victim to similar scams, users can take a few simple measures:

· Do not reply to unsolicited messages asking to confirm transactions or personal details.

· Verify directly with your bank or organization through official websites or customer service lines.

· Use security software that detects and blocks phishing or smishing attempts ,uch as Bitdefender Mobile Security.

· Keep your mobile OS updated and enable multi-factor authentication (MFA) for sensitive accounts.

Bitdefender’s Mobile Security provides real-time protection against smishing, phishing and link distribution of dangerous emails.

New York SMS Scam FAQ

1. What is Mobile Commons?
It’s a mass-messaging platform used by governments and nonprofits to distribute alerts, announcements and updates to subscribers via SMS.

2. What happened?
Hackers gained temporary access to Mobile Commons’ system and used it to send scam texts.

3. Was personal data leaked?
No. Mobile Commons said no customer or subscriber data was accessed or compromised.

4. What did the company do after detecting the breach?
It paused all outgoing messages, initiated a detailed security review with external partners and implemented enhanced safeguards.

5. What should users do if they receive similar texts?
Ignore or report suspicious messages, verify information through trusted channels, and avoid clicking on links or sharing personal data.