Older man sending a text message on his smartphone

(© Prostock-studio - stock.adobe.com)

Researchers Found That Email-to-Text Gateways Could Let Attackers Spoof Trusted Text Messages

In A Nutshell

  • Researchers found that email-to-text gateway services run by major U.S. carriers had security gaps that could let attackers send text messages appearing to come from any phone number, short code, or trusted name.
  • Bugs in both Apple’s iOS and Google’s Android made the attacks more convincing, causing phones to display fake sender identities as real phone numbers or recognizable names like “Chase.”
  • Spoofed messages could be injected directly into existing text conversations, making them nearly impossible to distinguish from real messages.
  • All four major U.S. carriers have since deployed fixes or shut down their email-to-text gateways, and both Google and Apple released or planned patches addressing the vulnerabilities.

At this point, getting a sketchy text is practically a daily occurrence. Fake package alerts, bogus bank warnings, or scam links just to name a few. Most people have learned to treat unexpected texts with suspicion. Even with all that skepticism abound, researchers at UC San Diego and Carnegie Mellon University found a way to make fake texts look completely convincing anyway, slipping them directly into existing conversations with real contacts.

Working on real phones across real carrier networks, the team demonstrated that systems bridging email and text messaging had serious security gaps that could let attackers fake nearly any sender identity. In their tests, phone numbers, short codes used by banks and delivery services, and text-like names such as “Chase” could all be spoofed across a range of carrier and device combinations, though the exact attack varied by carrier, gateway, and device type. Spoofed messages could also be inserted directly into existing text conversations, sitting alongside real messages as though they belonged there. Presented at the 2026 IEEE Symposium on Security and Privacy, the study received a Distinguished Paper Award.

Email-to-Text Gateways Had a Spoofing Problem

Major U.S. carriers have offered email-to-text gateway services for decades. Verizon’s launched in 2001. Email and text messaging operate under completely different rules for identifying senders, and the bridge between the two is where things went wrong.

To run their tests, the researchers bought active service and SIM cards from each major carrier, then sent carefully crafted emails to each gateway and watched what arrived on the receiving phone. Each carrier handled the translation differently, and each had its own weak point. Some gateways checked one part of an email for authentication but displayed a completely different part as the sender, meaning an attacker could pass the security check while slipping a fake identity through the front door.

Others simply failed when a key piece of sender information was missing, filling in the blank with whatever unverified text the attacker supplied. One gateway accepted anything the attacker typed as the sender identity, with no checks at all. All told, the team developed nearly 125 different spoofing techniques to probe each gateway and published the full code alongside their paper.

text spoofing
Researchers were able to impersonate people in a phone’s address book (right) and insert spoofed texts into existing text threads. (Credit: University of California San Diego)

Phone Software Made Spoofed Texts Even Harder to Spot

Getting past a carrier gateway was only half the problem. Both Apple’s iOS and Google’s Android also contained bugs in the software responsible for reading and displaying incoming messages, and those bugs made the attacks significantly more convincing.

On iPhones, a quirk in Apple’s core messaging software caused it to misread specially formatted email addresses as real phone numbers or trusted names. A related issue caused iOS to treat certain invalid email addresses as plain text, so a fake sender could display simply as “Chase” or a string of digits that looked exactly like a legitimate phone number. Researchers traced this behavior in Apple’s software to at least 2012.

On Android, the Google Messages app had its own flaw. Its built-in rule for recognizing email addresses required the domain portion to end in letters. A numeric-only email address, which is technically allowed under standard email rules, tripped that check and got reclassified as a phone number, with the characters that would have revealed it as an email quietly stripped away. A version of that same bug appeared in Google’s messaging app as far back as 2016.

Spoofed Messages Could Slip Into Existing Text Conversations

Perhaps the most alarming capability the researchers demonstrated was inserting a spoofed message directly into an existing conversation. Messaging apps automatically group all messages from the same contact into one thread, regardless of how those messages arrived. A fake message with the right sender identity would simply appear inside an ongoing conversation, indistinguishable from the real ones around it.

On iPhones, this was especially easy to exploit. Apple Messages folded messages from all of a contact’s phone numbers and email addresses into a single thread without indicating to the user which channel a given message came from. An attacker needed only to spoof a contact’s email address, and the fake message would land right inside the real conversation. Android handled this more carefully, keeping separate threads for different contact methods even when they belonged to the same person.

Carriers and App Makers Addressed the Vulnerabilities After Disclosure

All four major U.S. carriers had either deployed fixes or shut down their email-to-text gateways before the paper was presented, according to the researchers. Google released a patch for the Messages app, and Apple addressed one of the iOS vulnerabilities, assigning it a CVE. Additional Apple fixes for related issues were expected in future releases. Researchers also notified the GSM Association, which planned to update security guidelines for network operators worldwide. Limited follow-up testing in Canada found similar vulnerabilities in at least one carrier’s gateway, leaving open questions about how broadly the problem extended beyond U.S. borders.

Trust in text messages has always rested on an assumption that turned out to be shakier than anyone realized. What this research exposed is that for well over a decade, the gap between email and texting was wide open.

Disclaimer: This article is based on peer-reviewed research and is intended for informational purposes only. The vulnerabilities described were responsibly disclosed to affected carriers and app makers, and fixes were deployed prior to publication of the research. Readers should ensure their devices and apps are running current software updates.

Paper Notes

Limitations

The researchers acknowledge that their test suite of nearly 125 spoofing techniques, while broad, may not be complete given that carrier gateways operate as closed systems that cannot be directly inspected. Analysis of Apple’s software was conducted without the ability to run the firmware in a debugging environment, meaning some conclusions about root causes rely on reverse engineering and black-box testing rather than direct code execution. Distinguishing between iPhone and Android targets is a practical step some attacks require, though the researchers note this distinction is often observable through common messaging app behavior. The study focused primarily on major U.S. carriers. The program committee’s meta-review for the 2026 IEEE Symposium on Security and Privacy explicitly noted concerns about completeness and the generalizability of the identified attack vectors beyond the carriers tested. Limited follow-up testing in Canada found similar gateway vulnerabilities, but exhaustive global testing was outside the scope of the study.

Funding and Disclosures

Funding was provided in part by the Irwin Mark and Joan Klein Jacobs Chair in Information and Computer Science, the CSE Professorship in Internet Privacy and/or Internet Data Security, and the Paul Jacobs Chancellor’s Endowed Faculty Fellowship for Next Generation Wireless. Enze Liu was supported by a Google Academic Research Award. Google Fi classified the vulnerability at its high severity rating and awarded the researchers a bug bounty.

Publication Details

Authors: Sumanth Rao, Ye Shu, Stefan Savage, Aaron Schulman, and Geoffrey M. Voelker (UC San Diego); Enze Liu (Carnegie Mellon University) | Paper Title:Lost in Translation: Text Message Spoofing via Email” | Journal/Conference: 2026 IEEE Symposium on Security and Privacy (IEEE S&P), with acceptance confirmed by a meta-review included in the paper’s appendix. A DOI was not available in the source document reviewed. | Associated Code Repository: https://github.com/ucsdsysnet/email2sms

About StudyFinds Analysis

Called "brilliant," "fantastic," and "spot on" by scientists and researchers, our acclaimed StudyFinds Analysis articles are created using an exclusive AI-based model with complete human oversight by the StudyFinds Editorial Team. For these articles, we use an unparalleled LLM process across multiple systems to analyze entire journal papers, extract data, and create accurate, accessible content. Our writing and editing team proofreads and polishes each and every article before publishing. With recent studies showing that artificial intelligence can interpret scientific research as well as (or even better) than field experts and specialists, StudyFinds was among the earliest to adopt and test this technology before approving its widespread use on our site. We stand by our practice and continuously update our processes to ensure the very highest level of accuracy. Read our AI Policy (link below) for more information.

Read More About StudyFinds

Our Editorial Process

StudyFinds publishes digestible, agenda-free, transparent research summaries that are intended to inform the reader as well as stir civil, educated debate. We do not agree nor disagree with any of the studies we post, rather, we encourage our readers to debate the veracity of the findings themselves. All articles published on StudyFinds are vetted by our editors prior to publication and include links back to the source or corresponding journal article, if possible.

Read More →

Our Editorial Team

Steve Fink

Editor-in-Chief

John Anderer

Associate Editor

Leave a Comment