On February 18, 2026, just after 4 p.m., Peter Wendel was looking forward to the end of his workday. Then his smartphone vibrated. An SMS, in the very chat thread where Trade Republic usually talks to him — login codes, security notices, the usual. This time it said a withdrawal from his account had been queued, one he hadn’t authorized. Right below it: an emergency hotline number. He called. Two hours later he had transferred 100,000 euros to a so-called “trust collection account” in Austria. It was the retirement savings he and his wife Nicole had built over more than 45 years.

Wendel, 63, reasonably tech-literate, briefly felt uneasy when an Austrian destination account was named — and let the voice on the hotline talk him into it anyway. Anyone accusing him of carelessness hasn’t yet understood how the attack was structured. The SMS wasn’t a suspicious fragment in clunky English. It was displayed in the same thread as the real codes from Trade Republic. That is exactly the problem I want to write about. And it’s one the German government has been ignoring for years.

A sender ID anyone can write anything into

If you receive an SMS today and your display reads “Trade Republic,” “DHL,” or “Sparkasse” at the top, that’s nothing more than a text field in a data packet. A field in a protocol designed in the eighties, when SMS still meant “Hi mom, almost there.” This text field is called the alphanumeric sender ID, and its central technical property is: it isn’t checked anywhere along the way.

Anyone who sends SMS professionally — banks, parcel services, government agencies, but also marketing spammers and criminals — buys access to an SMS gateway. Such gateways are available across half of Europe for a few euros per thousand messages. On the order form you specify what should appear in the sender field. Up to eleven characters, anything you want. Nobody verifies whether “TradeRepubl” actually comes from Trade Republic Bank GmbH. The chain between client, gateway, and mobile carrier simply passes the ID through.

This isn’t a bug, it’s the specification. The SMS protocol was never designed for security-critical communication. Yet some banks have been using the channel for exactly that for decades — for TANs, verification codes, and status messages. Most German banks have moved on by now and rely on secure methods like app notifications. Trade Republic is one of the few remaining institutions that still uses SMS in a security context — and that is exactly what cultivates customer trust in a channel nobody authenticates.

In the same chat thread — and therefore granted the same trust

The real lever of the attack on Wendel isn’t the SMS itself. It’s the display on the smartphone. Both iOS and Android group incoming messages by sender name into threads. If the real Trade Republic has been talking to you as “TradeRepubl” for months, and a phishing SMS suddenly arrives with the same sender ID, that phishing SMS lands in the same chat as all the real ones. Right below the last login code you received two weeks ago.

Imagine receiving an email from your bank — from the address the real confirmations come from — in the same mail thread, right below the last real replies. You wouldn’t doubt the content. That is exactly the configuration the alphanumeric sender ID creates for SMS, only without the protective layers email servers have built up against sender spoofing.
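The "text field in a data packet" and the thread grouping described above, as an added example that is not part of the original article: it decodes the TP-Originating-Address field of an SMS-DELIVER (layout per 3GPP TS 23.040) and groups messages by the decoded string alone. Function names, message texts, gateway descriptions and the phone number are constructed for illustration.

```python
# Added illustration, not from the article; all sample data below is constructed.
from collections import defaultdict

def pack_septets(text):
    """GSM 7-bit packing, LSB first (ASCII letters/digits share GSM code points)."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)

def alpha_oa(name):
    """Build an alphanumeric TP-OA field; used only to construct sample input."""
    value = pack_septets(name)
    if len(value) > 10:                      # Address-Value is at most 10 octets
        raise ValueError("alphanumeric sender is limited to 11 characters")
    return bytes([-(-7 * len(name) // 4), 0xD0]) + value

def decode_oa(field):
    """Return (kind, sender) from Address-Length, Type-of-Address, Address-Value."""
    semi_octets, toa = field[0], field[1]
    value = field[2:2 + (semi_octets + 1) // 2]
    if toa & 0x70 == 0x50:                   # TON 101 = alphanumeric
        bits = int.from_bytes(value, "little")
        chars = (chr((bits >> (7 * i)) & 0x7F) for i in range(semi_octets * 4 // 7))
        return "alphanumeric", "".join(chars)
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in value)[:semi_octets]
    return "number", ("+" if toa & 0x70 == 0x10 else "") + digits

def thread_view(deliveries):
    """Group messages as a messaging app does: by decoded sender string alone."""
    threads = defaultdict(list)
    for _origin, oa_field, text in deliveries:   # origin never reaches the handset
        threads[decode_oa(oa_field)[1]].append(text)
    return dict(threads)

# Constructed deliveries: (who really submitted it, TP-OA bytes, message text)
SAMPLE = [
    ("gateway contracted by the bank", alpha_oa("TradeRepubl"), "Your login code: 4821"),
    ("unrelated gateway", alpha_oa("TradeRepubl"), "Withdrawal queued, call hotline"),
    ("a handset", bytes.fromhex("0C91947110325476"), "Hi mom, almost there"),
]
THREADS = thread_view(SAMPLE)   # both "TradeRepubl" messages share one thread
```

The field carries a length, a type octet and the packed characters, with no signature or origin binding, so the two "TradeRepubl" deliveries are indistinguishable to the handset.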

This exact scheme has been running against Trade Republic customers for months. BaFin (Germany’s Federal Financial Supervisory Authority) has been publicly warning since March 10, 2026; for one district alone, the Middle Franconia Police Headquarters reports financial losses in the hundreds of thousands over recent weeks. When the SMS arrives in the real Trade Republic chat, victims call the number listed. The hit rate is high enough that it pays for the perpetrators to send another batch every hour.

UK, Ireland, Singapore. And Germany.

The technical problem has been known for years — and has been solved in several countries. The UK set up the SMS SenderID Protection Registry in 2018: banks, government agencies, and companies register their legitimate sender IDs there. Anyone trying to send an SMS under the name “Barclays” through a UK network without being authorized by Barclays gets blocked at the carrier level. More than 700 genuine sender IDs are currently protected, with over 3,750 spoofing variants on a shared blocklist — supported by BT/EE, O2, Three, and Vodafone together with the National Cyber Security Centre and UK Finance.

Ireland and Spain adopted the UK solution in 2021. Singapore went one step further: even under the voluntary registration introduced in 2022, SMS smishing cases dropped 64% between Q4 2021 and Q2 2022. Since January 31, 2023, the state regulator IMDA has been blocking every unregistered alphanumeric sender ID by default, replacing them with the label “Likely-SCAM.” France has required its mobile carriers since October 2024 to block unauthenticated foreign calls — regulation extending the same to SMS sender IDs is in preparation.
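The two filtering approaches described above, as an added example that is not part of the original article and not any carrier's actual implementation: a simplified decision function for a registry with a variant blocklist ("uk") and for default relabeling of unregistered IDs ("sg"). The registry entries, gateway names and the look-alike folding rule are constructed assumptions, and blocking a registered ID sent over an unauthorized route is assumed for both modes.

```python
# Added illustration (not from the article): carrier-side sender ID filtering.
# Registry entries, gateway names and the look-alike rule are constructed assumptions.
import re

# Protected sender ID -> gateways its owner has authorized to use it
REGISTRY = {"TradeRepubl": {"gw-bank-contracted"}, "DHL": {"gw-parcel"}}
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def canon(sender):
    """Fold case, digit look-alikes and punctuation so variants collide."""
    return re.sub(r"[^a-z]", "", sender.lower().translate(LOOKALIKES))

PROTECTED = {canon(name) for name in REGISTRY}

def decide(sender, gateway, policy="uk"):
    """Return (action, sender shown on the handset) for one submitted SMS."""
    if re.fullmatch(r"\+?\d+", sender):        # numeric senders are out of scope
        return ("deliver", sender)
    if sender in REGISTRY:                     # exact protected ID: check the route
        if gateway in REGISTRY[sender]:
            return ("deliver", sender)
        return ("block", None)
    if canon(sender) in PROTECTED:             # spoofing variant of a protected ID
        return ("block", None)
    if policy == "sg":                         # unregistered ID: relabel by default
        return ("deliver", "Likely-SCAM")
    return ("deliver", sender)                 # registry-only model lets it through

# Constructed traffic: (sender ID, submitting gateway)
TRAFFIC = [
    ("TradeRepubl", "gw-bank-contracted"),
    ("TradeRepubl", "gw-unknown"),
    ("TradeRepub1", "gw-unknown"),
    ("PizzaShop", "gw-unknown"),
    ("+491701234567", "gw-unknown"),
]

def run(policy):
    """Apply one policy to the constructed traffic, in order."""
    return [decide(sender, gateway, policy) for sender, gateway in TRAFFIC]
```

The decision depends on which gateway submitted the message, information the carrier has and the handset never sees.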

In Germany: nothing of the sort. The Bundesnetzagentur (Federal Network Agency) runs an SMS spam reporting service, but no authentication of sender IDs. The three major carriers — Deutsche Telekom, Vodafone, Telefónica/O2 — could start implementing a UK-style whitelist tomorrow. They don’t, because they don’t have to. As long as the risk sits with end customers, investing in sender ID filtering is, from a corporate perspective, a cost item with no return. That’s exactly the mechanism Singapore breaks by mandating filtering rather than recommending it.

What needs to happen now

German inaction isn’t an oversight, it’s a decision. The blueprints have been on the table for years — the UK does it voluntarily, Singapore by mandate. What’s missing is the political will to make them binding here too.

Trade Republic needs to finally drop the SMS channel as a security channel. The web login does run primarily through app push — but after 30 seconds of waiting, the code can alternatively be sent via SMS. That leaves a direct SMS path into the account. Device pairing, PIN reset, and phone number verification all rely on the SMS channel anyway. As long as real Trade Republic SMS messages land in customers’ inboxes, every phishing SMS has a ready-made foothold. An IT law specialist now argues that this trust anchor, alongside the absence of an emergency phone line, could also leave Trade Republic open to civil claims. In-app verification is feasible and has long been in use at other banks. Trade Republic is a tech company with a full banking license; there are no technical reasons to stick with this.

The Bundesnetzagentur needs to mandate for German carriers what the UK has voluntarily upheld since 2018 and Singapore has enforced since 2023: a whitelist of approved sender IDs, with a blocklist for everything else. Until that happens, every new BaFin awareness campaign about helpfulness and trust amounts to a tacit claim that smishing is a behavioral problem of the victims.

For Peter Wendel and his wife, tomorrow’s regulation changes nothing. The criminal investigation department had already told them on the day of the crime that the chances of getting the money back were slim. Anyone who wants to help them directly can do so through a donation. Anyone who has fallen for such an SMS themselves can find free template letters at JUN Legal for SEPA recall and GDPR data access requests — the first steps work without a lawyer.

The SMS Wendel received in February would never have reached his display in the UK. In Singapore it would have arrived with “Likely-SCAM” as the sender. In Germany it landed in the real chat thread. That isn’t a gap in the protection scheme — that is the protection scheme. As long as we stick with it, the next 100,000 euros are only a matter of time.