“You have an outstanding payment.” That is how a message begins, allegedly sent by the Ministry of Health. After stating the supposed amount due, it adds a peremptory line: “You have 24 hours to settle it.”
The examples are multiplying. In recent weeks, fraudulent messages sent in the name of the Ministry of Health, the National Health Service (SPMS) and SNS 24, improperly requesting payments, have led the Shared Services of the Ministry of Health (SPMS) to issue an alert and to reiterate that SNS and SNS 24 services are free of charge. Around the same time, other public bodies, such as Social Security and the Tax and Customs Authority, issued similar warnings.
We are facing smishing campaigns – a form of phishing carried out via SMS (Short Message Service) – in which perpetrators impersonate a credible entity trusted by the public to obtain financial gain and/or access to sensitive information. But how does this happen? How do we receive fake messages that appear to come from genuine senders? What should we do when we receive this type of SMS? What strategies can we adopt to avoid sending money or sharing personal and banking details? And what are the risks when the fraud involves public services? I spoke to our researchers António Pinto and João Marco Silva, who work in the fields of Communications and Computer Science and Engineering, to better understand this significant increase in fraudulent SMS and their main advice: be cautious, do not provide data, do not click on links – and do not make payments.
30 years of SMS in Portugal
If we look back at the events that marked 1995 in Portugal, we find it was a particularly eventful year. The country hosted legislative elections and António Guterres (now Secretary-General of the United Nations) became Prime Minister of Portugal. In Foz Côa, the population united to defend the prehistoric rock engravings in the Côa valley against the construction of a dam – chanting “the engravings cannot swim”. The project was halted, and the newsroom of the newspaper Expresso named the preservation campaign the national event of the year. In Aveiro, a group of six students created SAPO (Servidor de Apontadores Portugueses), at the time the largest Portuguese-language directory and information site on the Internet. In Lisbon, at the Jerónimos Monastery, Portugal signed the treaty to joing the European Economic Community and the European Atomic Energy Community. I was five years old and taking my first steps at primary school.
Much more could be said about 1995, but there is at least one more event I cannot fail to mention: the sending of the first SMS in Portugal, at a time when only two operators were active in the country: TMN and Telecel, now known as MEO and Vodafone, respectively.
More than 30 years later, SMS remains part of our daily lives, albeit declining, largely due to the rise and widespread use of instant messaging services provided by platforms like WhatsApp and Signal. According to data from ANACOM, around 7.4 billion text messages were sent in 2024, 14.5% fewer than in 2023 – a downward trend observed since 2012.
Even so, SMS remains widely used, particularly by public administration services in their dealings with citizens and businesses, notably in healthcare. For several years now, prescriptions for medicines and medical tests have been sent by text message; when we contact SNS 24, we receive instructions by SMS; and during the COVID-19 pandemic, vaccination guidelines was also delivered this way. Since the beginning of this year, how many messages have we received from Civil Protection about the storms affecting the country and the precautions to take? There is no denying the convenience that SMS brings to everyday life – enabling fast, direct communication with the public and facilitating interaction with public services.
However, alongside the provision of useful and reliable information, fraudulent contacts soon appeared. At first, it seemed easy to recognise a false message. More recently, however, determining a message’s authenticity has become increasingly complex, particularly when SMS appear to come from a sender whose name we know well. Let us look at some examples.
“Legitimate entities do not usually request sensitive data or send payment orders via SMS”
In early 2026, the Shared Services of the Ministry of Health, the Tax and Customs Authority and Social Security issued alerts about fraudulent messages and websites. In recent weeks, SMS indicating outstanding amounts and containing links to fake websites that improperly use the image of these organisations have been circulating, misleading users and encouraging them to share personal and banking information. Moreover, these fake messages appear to have been sent, for example, by the Ministry of Health, and are grouped alongside genuine messages, leading recipients to believe they have outstanding debts and prompting them to act accordingly.
As mentioned earlier, in 1995, I was far from knowing how to send an SMS, as I was only just beginning school. When, as a teenager, I had my first mobile phone and began sending messages, I remember having to use them sparingly, as each one was expensive. Over the years, access to this service became democratised, with operators offering commercial packages allowing virtually unlimited messaging. I do not recall whether fake messages were already circulating 20 years ago, but today it is almost safe to say that they are a daily – and increasingly sophisticated – occurrence.
In the cases described above, João Marco Silva explained that we are dealing with fraudulent campaigns in which attackers attempt to impersonate a trusted entity to obtain sensitive information or financial gain. “Typically, these attacks use social engineering techniques as mechanisms of persuasion. In this case, the attack vector consists of smishing campaigns that seek to impersonate public entities with which a significant ratio of the population interacts regularly. This aspect is fundamental to the success of the attacks, as the number of potential victims is high,” he mentioned.
According to the researcher, who also lectures at the University of Minho, the risk increases in such cases because citizens may lower their guard when messages appear to come from public bodies – “which tends to increase the success of fraud attempts”.
But how do perpetrators manage to use the same sender’s name? In other words, how are messages sent in the name of a particular entity?
António Pinto explained: “The problem lies in the way telecommunications operators provide their services, which rely on technologies that were not designed with security in mind. Essentially, telecommunications (phone calls and SMS) are supported by a signalling protocol known as SS7, which is not secure but is necessary to ensure operation. It allows, for example, someone roaming abroad to send an SMS displaying their own mobile number as the sender, even if that number is not part of the foreign network’s customer list.”
According to the researcher and lecturer at the School of Technology and Management of the Polytechnic of Porto, the ability to modify sender identification can be marketed as a commercial advantage. He provided the example of a bank wishing to carry out a communication campaign without displaying the real originating number, instead showing the entity’s name or contact. In addition, bulk SMS services may be subcontracted to third-party companies. “And this is where the problem occurs. To accommodate commercial interests, the network opens the door to abusive uses. The network lacks the capacity to distinguish, for example, an SMS from a bank with altered identification from one sent by a malicious agent”, he stressed.
These are SMS services or gateways that allow manual definition of the sender field. This is one of the most common techniques used in such fraud, resulting in spoofing – where the attacker successfully impersonates another person or entity by falsifying data to gain undue advantage.
“Concerning the users, mobile phones usually group messages by sender. Thus, if the attacker uses the same identifier – for example, Tax and Customs Authority – the fraudulent message will end up grouped with other legitimate messages sent by that entity,” said João Marco Silva.
In such cases, can the attack be identified? Care and awareness appear to be key, as we currently lack tools or configuration options that allow us to prevent receiving such messages and/or calls. António Pinto suggested adopting caution, bearing in mind that we may be dealing with a contact using forged identification. “I see many similarities with spam emails, both in how they are produced and in the precautions people must take. Applications are already emerging for smartphones that use Artificial Intelligence to analyse SMS and incoming calls to detect fraud. That may be one way forward.”
João Marco Silva also reminded us that “legitimate entities do not usually request sensitive data or send payment demands by SMS. Even if they do – which is bad practice – it should be possible to confirm the request through an official channel, such as the Portal das Finanças.” Even in such cases, he advised never following the link provided in the SMS. “The safest practice is to open your browser and access the official platform by typing the publicly known URL directly. The most important thing is not to provide data, click on links, or make payments using the bank reference included in the SMS.”
Is it possible to prevent these SMS from reaching us?
“Technically, operators can filter messages, but there are two main challenges. The first is scale, since inspecting all messages requires significant computational capacity. The second relates to privacy and legal constraints, which may prevent inspection of the full content,” stated João Marco Silva. António Pinto also believes that technical and technological measures could be adopted by operators and that legislation may be part of the solution.
“The same applies to other technologies, namely the IP protocol (Internet Protocol), which underpins the Internet and suffers from similar weaknesses. Another essential Internet protocol, BGP (Border Gateway Protocol), does as well. These were not designed to be secure, but to run, and they assume trust among participants. That approach was considered reasonable many years ago, when the number of operators was small. With the boom of the Internet and associated services, trust alone no longer guarantees security,” he added.
For now, if you receive a message from a familiar sender whose content seems unusual, do not provide data and do not click on links. If you do so inadvertently and share financial information, “the most urgent step is to contact your bank to request the blocking of further transactions. In all cases, it is important to inform the entity whose identity has been spoofed and to report any suspicious message, for example through the Electronic Complaint System (PSP/GNR)”, as mentioned by João Marco Silva.
By Sofia Maciel, Head of Communication Service of INESC TEC
News, current topics, curiosities and so much more about INESC TEC and its community!
