The Growing Fraud Risk Around Virtual Phones and SMS Verification

As fraud tactics continue to evolve, organisations are being forced to rethink security measures that were once seen as standard. This article explores how criminals are using virtual smartphone services to bypass SMS-based verification and what this means for banks, payment platforms and digital identity controls.

A new wave of financial fraud is exploiting virtual smartphone services, allowing criminals to bypass bank security checks and scale attacks with unusual ease. Security researchers have warned that fraud groups are now renting cloud-based mobile devices to receive one-time passcodes, open bank accounts and automate large-scale scam operations while hiding their real identities and locations.

Incident Overview

The technique relies on so-called virtual phones, which are cloud-hosted smartphone environments that behave like real devices. These services are often marketed for app testing or privacy use, but have increasingly been abused by fraud networks. Criminals rent access to these virtual devices in bulk, then use them to create or take over accounts at banks and payment platforms.

Because each virtual phone comes with a fresh number, a clean device fingerprint and remote access capabilities, it becomes significantly harder for banks to distinguish between legitimate customers and coordinated fraud activity. Attackers can rotate through thousands of virtual identities without needing physical hardware.

How the Fraud Works

According to recent reporting, fraud groups combine virtual phones with automated scripts and stolen personal data. When a bank sends a one-time passcode via SMS or call, the code is received directly on the rented virtual device controlled by the attacker. This allows them to complete account sign-up or password resets in real time.

In some cases, these services are integrated into larger fraud pipelines, where multiple virtual phones are operated at once. This enables industrial-scale account creation, mule account set-up and payment fraud without relying on physical SIM cards or traditional burner phones.

Security experts note that this method also helps criminals evade detection systems that rely on device reputation scoring. Since virtual phones appear as new, clean devices each time, they can slip past filters designed to flag reused or compromised hardware.

Impact on Banks and Financial Platforms

Financial institutions are increasingly facing challenges in verifying whether a device is genuine or artificially generated. Traditional security models often assume that mobile devices are physical and persistent, but virtual phone infrastructure breaks that assumption.

Banks are reporting higher volumes of suspicious account creation, credential stuffing attempts and social engineering campaigns that exploit weaknesses in SMS-based verification. Fraud losses are expected to increase as attackers refine their use of automation and rented device networks.

Some institutions are now moving away from SMS-based authentication in favour of app-based authentication, biometric checks and behavioural analytics that track how a user interacts with a device over time.

Response from Security Researchers and Industry

Cyber security firms have highlighted the growing abuse of virtual mobile infrastructure as part of a broader shift towards fraud-as-a-service ecosystems. These ecosystems provide criminals with ready-made tools, including rented devices, proxy networks and identity data.

Investigators have urged banks and fintech companies to reassess their reliance on one-time passcodes delivered by text message, warning that this method is increasingly vulnerable when attackers control the receiving device itself.

Broader Cyber Security Implications

The rise of rented virtual phones shows how quickly legitimate technology can be repurposed for criminal use. Services designed to reduce hardware costs or improve software testing are now being integrated into fraud operations at scale.

It also highlights a deeper structural issue in digital identity systems, where possession of a phone number or device is still often treated as proof of identity. As virtualised infrastructure becomes more common, this assumption is becoming easier to exploit.

Security experts warn that this trend may accelerate a shift towards multi-layer authentication systems that do not rely on SMS delivery or single-device trust. Instead, future models are likely to depend more heavily on continuous risk scoring, device behaviour history and cryptographic authentication methods that are harder to replicate in virtual environments.

How AJC Can Help

AJC helps organisations assess evolving fraud and cyber security risks, including weaknesses in authentication, identity assurance and digital onboarding controls. We support clients in reviewing control frameworks, strengthening resilience against emerging fraud tactics and improving governance around customer verification, access management and wider security processes.

If your organisation is reviewing how it protects accounts, customers and systems against increasingly sophisticated attacks, AJC can provide practical support tailored to your risk environment.

Learn more about AJC’s Fraud Risk Management and Cyber Security services and how we help organisations build stronger resilience against evolving digital risks.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Sources:

Criminals are renting virtual phones to bypass bank security | Malwarebytes

Scammers have virtual smartphones on speed dial for fraud • The Register

Image accreditation: Mohamed Nohassi (February 2025) from Unsplash.com+. Last accessed on 10th April 2026. Available at: https://unsplash.com/photos/two-tags-with-a-qr-code-attached-to-them-tsoh03g96TE