Security Blog

Beware of the unauthorized SMS forwarding

Release Date: 26 / 02 / 2019
Last Update: 26 / 02 / 2019

Recently, there was a report that SMS authentication codes for some stored value facilities (SVF) can be forwarded to other phone numbers by fraudsters.


SMS is used by many online services to deliver one-time passwords (OTP). Because of this security concern, the SMS forwarding service should be disabled for authentication codes.


HKCERT urges service providers to exercise both due care and due diligence to protect their customers and mitigate the relevant security risks. They should conduct comprehensive risk assessments regularly.


Users are advised to take the following precautionary measures:

  • Do not disclose your personal information, including images of your identity documents such as HKID and passport, and bank account numbers. Criminals may use your personal information to request the SMS forwarding service on your behalf.
  • Protect your mobile phone number and email address. If you have received any SMS or email about account registration, account update or transaction, you should check these notifications to identify any unauthorized changes or transactions.
  • Secure your PC and mobile device with security tools and device lock.
  • Review your account and bank statements regularly.
  • Report to the service provider / Police if required.