Hole in the Email-to-SMS Transition Closed, but More Security Vulnerabilities Remain

Major Security Flaw in Email-to-SMS Translation Resolved, Affecting Millions of U.S. Users

On June 8, 2026, a critical security vulnerability in the email-to-SMS translation process was addressed, impacting millions of users across the United States. The flaw, discovered by researchers at the University of California San Diego, allowed attackers to impersonate individuals in text messages, compromising both Android and Apple devices. The issue was linked to the transition between email services and traditional SMS networks, prompting swift action from major telecom providers and tech companies.

How the Security Flaw Worked

The vulnerability exploited a gap in the email-to-SMS translation process, enabling cybercriminals to forge text messages that appeared to originate from legitimate contacts. This flaw affected users of Android and Apple devices, with the risk of identity fraud and unauthorized communication. The researchers who identified the issue were recognized at the IEEE Symposium on Security and Privacy in San Francisco, underscoring the significance of their findings.

Company Responses and Patches

Following the discovery, Google Messages and Apple Messages rolled out security updates to prevent identity spoofing. Telecommunications providers such as T-Mobile and Google Fi adjusted their translation protocols to mitigate the risk. Verizon took a more drastic step, announcing plans to discontinue its entire email-to-SMS service by March 2027, effectively eliminating the attack vector.

New Vulnerability Exposes VoLTE Infrastructure

While the email-to-SMS flaw was resolved, a new critical vulnerability was disclosed in Verizon’s VoLTE infrastructure. Designated CVE-2026-10629, the flaw involved unencrypted signaling data in the Session Initiation Protocol (SIP), potentially allowing attackers to manipulate voice and video calls. Although Apple introduced IMS-IPsec settings in iOS 26.5 on May 11, 2026, experts remain skeptical about their effectiveness in preventing exploitation.

Supreme Court Reinforces FCC Authority

The technical responses followed a landmark ruling by the U.S. Supreme Court on June 4, 2026, which upheld the Federal Communications Commission’s (FCC) authority to penalize telecom providers for selling customer location data without judicial oversight. The decision allowed the FCC to impose fines on companies found in violation, including $57 million against AT&T, $47 million against Verizon, and $92 million collectively against T-Mobile and Sprint.

Emerging Protections Against Fraud

To combat rising identity theft risks, Google launched a new “Fake Call Detection” tool for Android 12 and later, initially available on Pixel devices. The feature uses end-to-end encrypted RCS messages to verify caller identities. Apple also expanded its security measures, releasing iOS 18.7.7 updates to protect older iPhone models from the DarkSword malware, which has been linked to state-sponsored actors targeting iOS 18 devices.

Global Impact of Identity Fraud

Interpol reported in March 2026 that identity fraud caused over $370 billion in global losses, highlighting the urgency of addressing such vulnerabilities. As cyber threats evolve, collaboration between tech companies, regulators, and security researchers remains critical to safeguarding user data and communication integrity.
