Phishing can masquerade as emergency alerts for disasters, researchers warn

Emergency alerts for disasters like earthquakes and tsunamis are messages we hope we never see, and we trust them when they arrive. Researchers have shown that this trust can be exploited, enabling attackers to send fake emergency alerts that phones display as normal system alerts.

Alerts reach phones without verification

Public warning systems broadcast alerts to all phones in a geographic area. In 5G networks, these messages are sent as signals from nearby infrastructure and are received even when a device is not actively connected to a network, including when it is in idle or inactive states.

Emergency warnings can be delivered without relying on prior authentication or valid subscription. This broadcast model does not include a mechanism for verifying the origin of the message. A signal that mimics a legitimate network can deliver a warning that the device accepts and displays.

Rogue signals deliver alerts

The experiments were conducted in a controlled environment using commercial smartphones, including several Android devices and an iPhone. A laptop and radio hardware generated the signal. Researchers noted that the attack could be carried out using relatively inexpensive equipment, including a standard laptop and a software-defined radio.

Experimental testbed (Source: Research paper)

Devices latched onto the rogue signal and began reading its broadcast messages, which included the warning. If a device was already connected to a legitimate network, the attacker first had to disrupt that connection so the phone would search for a new cell.

The alert appeared as soon as the device started listening to the rogue signal, before any authentication or secure network connection took place.

Message content and phishing risk

Web links were recognized as clickable across all tested devices when they included a protocol such as http or https, or when they ended with a valid domain like .com. Shortened URLs were also detected as clickable on all devices, while hiding their final destination and removing visual cues that could help users assess legitimacy.

Some devices showed additional risks. “Samsung devices and the Nothing Phone detected URLs containing Cyrillic letters as valid and clickable, allowing attackers to craft deceptive links that visually mimic legitimate domains,” researchers added.

They found that, beyond web URLs, additional content was recognized. Email addresses triggered the default email application, and phone numbers launched the device dialer.

A further observation revealed that when a forged alert contained a clickable link and it was selected, the device prompted for an unlock. Once unlocked, the link opened immediately without requiring additional confirmation.

This behavior increases the effectiveness of phishing attacks, researchers warn, as users may unintentionally click the link while attempting to unlock their phone.

Researchers also tested how devices handle repeated alerts. By sending multiple warnings in quick succession, they found that each message triggered sound and vibration, resulting in continuous notifications. This could be used to overwhelm users or create a sense of urgency.

With natural disasters on the rise and emergency alerts becoming part of everyday life, the possibility that such systems could be exploited for criminal purposes is a cause for concern.

Webinar: The True State of Security 2026