Underestimated Danger on the Smartphone – Smishing 2025 in Practice

An SMS, a tap on the link – and Apple Pay charges pour through as if you had thrown a company party at the Apple Store. Welcome to smishing, the perfidious blend of “SMS” and “phishing”, which in 2025 is orchestrated so professionally that even seasoned IT professionals slip up.


1 | What’s New in 2025?

  • SMS blasters instead of individual perpetrators – Criminals rent mobile radio devices that send thousands of messages in seconds; the British police have just confiscated such a “text cannon”.
  • Mobile wallet in focus – Anyone who stores their cards in Apple Pay or Google Wallet is no safer for it, as recent rulings by the Heilbronn Regional Court (13.02.2025) and the Karlsruhe Regional Court (24.09.2024) show: both courts ordered banks to provide full reimbursement after smishing attacks via Apple Pay.

2 | How the Attack Works – Short Version

  1. Trigger SMS: “Your package is waiting” / “Your card is blocked” / “Install security update now”.
  2. Fake link: A click opens a deceptively genuine-looking login page or silently installs a malicious profile.
  3. Data theft: Access data, TANs or even the virtual card end up in the wrong hands.
  4. Cash register rings: Purchases via Apple Pay, Klarna One-Click or SEPA direct debit empty the account.

3 | Frequently Asked Questions – My Short Answers

Question: “I clicked – what now?”
Immediate answer: Airplane mode, change passwords, call the bank, call the police IT forensics.

Question: “Bank does not pay, refers to gross negligence – permissible?”
Immediate answer: Not necessarily. § 675u BGB obliges the bank to reimburse unauthorized payments. Whether gross negligence exists depends on the degree of deception and the bank’s security concept – courts are examining this in ever more detail.

4 | Legal Situation 2025 – your Lever against the Bank

  • Authorization (§ 675j BGB): If your effective consent was missing, the bank must pay.
  • Gross negligence: The burden of proof lies with the institution. The more credible the fake sender and the more common the package or banking information, the more difficult this proof becomes.
  • Trend in judgments: More and more regional courts see banks as obligated if their TAN procedures or wallet approvals were easy to circumvent – including Apple Pay.

5 | My 5-Point Plan for those Affected

  1. Secure evidence – Screenshots of the SMS, URL, account statements.
  2. Put the bank in default in writing – Demand reimbursement according to § 675u, set a deadline.
  3. File a complaint – Name the cybercrime department; banks often require the file number.
  4. Delegate communication – Let me conduct the correspondence; every careless word can later be interpreted as an “admission of guilt”.
  5. Keep an eye on deadlines – Claims for reimbursement regularly expire after 13 months (§ 676b BGB); even earlier in the case of tacit approval.

6 | Conclusion

Smishing is not an “embarrassing click error”, but organized crime with industrial infrastructure. Anyone who reacts promptly and follows up legally has a good chance of getting their money back – even with Apple Pay bookings. Delay costs you twice: first to the perpetrators, then to the bank.

Are you affected? I take over the negotiations, enforce claims and keep the opposing side legally in check – nationwide, efficiently, with a clear edge. Get in touch.


Remember: An SMS link is not a harmless swipe – it can be a blank check.