New Pango SMS Scam: How Payment Accounts Are Stolen in One Message
Fake SMS steals Pango accounts in seconds - 5 warning signs and immediate steps if you fell for it
How the Scam Actually Works (Step by Step)
This scam combines two well-known techniques: SMS (text message) and Phishing (information fishing). The result is called Smishing—and here's how it works:
Step 1: The Fake Text
You receive a message that looks like it's from Pango: "Your Pango account has been blocked due to suspicious activity. Verify identity now: [link]". The logo is perfect, the tone is urgent, and the sender's name appears as "Pango" or a regular Israeli number. Most people don't check the link details—they see the logo and the word "blocked" and panic.
Step 2: The Disguised Link
You click on the link. It leads to a page that perfectly mimics Pango's login screen—same colors, same logo, same layout. The page is at a fake address like pango-verify.site or pango-app.info, but because you're on your phone and stressed, you don't check the address bar.
Step 3: Password Theft
You enter your email and password. At that moment, the data goes to the attackers—not to Pango. The page may display a message like "Verifying identity..." to buy time, but behind the scenes the attackers are already logging into your real account.
Step 4: The Swift Action
Within 5–10 minutes the attackers add a new credit card (theirs) to the account, make transactions, or transfer the balance. In some cases they also change the password to lock you out. By the time you realize what happened—the account is no longer yours.
Why does this work so well? Because Pango is a service everyone uses multiple times a week. A message from them doesn't raise suspicion like a message from a bank or a shopping site you're less familiar with.
5 Signs to Identify a Fake Pango SMS
1. Urgent and Threatening Tone
Fake messages always try to pressure you: "Account blocked", "Action within 24 hours", "Immediate verification". Real Pango won't send such alerts via SMS. If there's a real problem—you'll see an alert in the app itself, or receive a formal email from support@pango.co.il.
2. Minor Spelling Errors
Attackers often copy text from real messages, but leave tiny mistakes: double spaces, incorrect punctuation, use of informal words. If something feels "off"—it's probably not real.
3. Link Address Is Not pango.co.il
This is the clearest sign. Any domain that isn't pango.co.il is suspicious. Common examples: pango-verify.site, pango-secure.info, pango-app.com. Attackers buy cheap domains that look similar, but they're not Pango's. To check: hold your finger on the link (don't click)—a pop-up will appear with the full address.
4. Request to Enter Password from SMS Link
Pango will never ask you to enter a password through a link in a text message. That's not standard security protocol. If you need to log in—go to the app directly or to the website through your browser.
5. Unfamiliar Sender Number
Real Pango sends messages from Pango (text name) or an official short code like 4545. If you receive a message from a regular 10-digit number (050-1234567 for example)—it's not Pango.
Additional Tip:
If you received a suspicious message—don't delete it. Forward it to forward@cert.gov.il (National Cyber Directorate). They collect reports and neutralize dangerous links.
Visual Comparison Table—Real vs. Fake SMS
| Criterion | Real Pango SMS | Fake SMS (Scam) |
|---|---|---|
| Sender | Pango / 4545 | Regular number (050-1234567) |
| Subject | Update on completed payment / parking reminder | "Account blocked", "Suspicious activity", "Urgent verification" |
| Link | pango.co.il only | pango-verify.site, pango-app.info, similar variations |
| Required Action | "See details in app", "Thank you for using Pango" | "Verify identity now", "Enter password", "Click here within 24 hours" |
| Language | Correct Hebrew, no errors | Spelling mistakes, extra spaces, informal phrasing |
| Logo | Doesn't always appear in SMS (depends on phone) | Perfect logo—copied from real website |
| Additional Details | Link to parking history or invoice | Link to login page with password fields |
What to do if you're unsure?
Don't rely on the SMS. Open the Pango app directly. If there's a real alert—you'll see it there. If the app is quiet—the SMS is fake.
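The checks from the five signs and the comparison table can also be automated, for example in a message filter or a reporting mailbox. The sketch below is an added example, not Pango's or Traceback's code: the function names, the English keyword list and the sample messages are assumptions made for illustration, and it resolves the real host behind a link so that look-alike and `user@host` tricks fail the pango.co.il check.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "pango.co.il"        # only legitimate domain, per the article
OFFICIAL_SENDERS = {"pango", "4545"}   # sender name / short code, per the article
# Pressure phrases quoted in the article (English wording is an assumption here).
URGENT = ("blocked", "suspicious activity", "within 24 hours", "verify identity")
URL_RE = re.compile(r"(?:https?://)?[\w.@:-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def link_host(url):
    """Host the browser would actually contact (ignores any user@ prefix)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_official(host):
    """True only for pango.co.il itself or a real subdomain of it."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def check_sms(sender, body):
    """Return the article's warning signs (by number) that this SMS triggers."""
    text = body.lower()
    hosts = [link_host(u) for u in URL_RE.findall(body)]
    bad = [h for h in hosts if not is_official(h)]
    signs = []
    if any(phrase in text for phrase in URGENT):
        signs.append("1: urgent or threatening tone")
    if bad:
        signs.append("3: link is not pango.co.il (" + ", ".join(bad) + ")")
    if hosts and "password" in text:
        signs.append("4: asks for a password via an SMS link")
    if sender.strip().lower() not in OFFICIAL_SENDERS:
        signs.append("5: unfamiliar sender")
    return signs

# Constructed sample messages (not real captures).
SAMPLES = [
    ("050-1234567", "Your Pango account has been blocked due to suspicious "
                    "activity. Verify identity now: https://pango-verify.site/login"),
    ("Pango", "Enter password to restore access: http://pango.co.il@pang0.co.il/login"),
    ("Pango", "Thank you for using Pango. See details: https://www.pango.co.il/history"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", check_sms(sender, body) or "no warning signs")
```

The second sample carries the sender name "Pango" and so passes the sender check, which is why the link check has to stand on its own: a spoofed sender name looks identical to the real one.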
What to Do Immediately If You Already Clicked the Link
If you entered your password on the fake page—you have a 5–15 minute window to act before the attackers can cause significant damage. Here's exactly what to do:
1. Don't Panic
Stress causes mistakes. Take a breath and go through the following steps one by one. Most cases end without damage if you act quickly.
2. Change Password Immediately
Open the real Pango app (or go to pango.co.il in a browser). Log into your account and change the password to a completely new password—not a variation of the old one. If you use the same password for other services (bank, email, social media)—change it there too.
3. Remove Payment Methods
Go to account settings in the app and delete all saved credit cards. You can add them back later—but right now you're cutting off the attackers' access to your money.
4. Check Recent Activity
Review the last 24 hours of transactions in Pango. If there are charges you didn't make—document them (screenshot) and contact Pango support: support@pango.co.il.
5. Enable Two-Factor Authentication (If Available)
Check if Pango offers 2FA. If so—enable it. This adds a layer of protection: even if someone knows the password, they can't log in without a code sent to your phone.
6. Save a Screenshot of the SMS
Document the fake message and link. This can serve as evidence if you need to file a police report or talk to your credit card company.
7. Report to Pango and Authorities
Send the fraud details to support@pango.co.il. Also forward the message to forward@cert.gov.il. If there's significant financial damage—file a police report with the cyber unit: 110.
If the attackers already changed the password:
Use the "forgot password" option in the app. You'll receive a reset link to your registered email. If the email was also compromised—contact Pango technical support by phone immediately.
How to Protect Your Pango Account From Now On
After you've gone through the steps above (or if you just want to prevent fraud from the start), here's how to protect your account long-term:
Never Click Links in SMS
This is the most important rule. Every time you receive a message with a link—even if it looks legitimate—open the app or website directly. Don't go through the link. This saves money and nerves.
Check the Domain Before Entering Password
If you did open a link, look at the address bar in the browser. Does it say exactly pango.co.il? If there's even one different letter—close the page immediately. Any variation (pango-app.com, pango.site, pang0.co.il) is a scam.
Use a Unique Password
Don't reuse passwords from other accounts. If attackers steal your Pango password and it's the same as your bank's—you're in big trouble. Using a password manager (like 1Password or Bitwarden) helps create and store strong, unique passwords.
Monitor Account Activity
Log into the app twice a week and check recent transactions. If there's a charge you don't remember—investigate it immediately. The sooner you detect fraud, the easier it is to reverse the damage.
Report Suspicious SMS
If you received a suspicious message—forward it to forward@cert.gov.il and to Pango. This doesn't just protect you—it helps prevent others from falling for the trap.
Update the App
Make sure you have the latest version of the Pango app. Updates include security fixes that close vulnerabilities attackers try to exploit.
Advanced Tip:
If you're using iPhone, enable Apple's "Hide My Email". This allows you to create temporary email addresses for each service—so even if there's a data breach, your real email won't be exposed.
FAQ—Pango SMS Scam
Can Pango prevent fake messages in its name?
Not entirely. Attackers use external SMS services that allow sender name spoofing—this is called "SMS Spoofing". Pango can report fake addresses to the communications regulator and SMS providers, but there's no technical solution that completely blocks this. The responsibility is yours—don't click links in SMS.
If I changed the password immediately, is the account protected?
Yes—if you changed it within 10–15 minutes of entering the password on the fake page, it's very likely the attackers didn't have time to perform actions. Still, check account activity for the next 24 hours to be sure.
How do I know if real Pango sent me a message?
Simple: open the Pango app. If there's an alert there (for example, about a failed charge or expiring parking)—the SMS is real. If the app is quiet—the SMS is fake. This is the quickest check.
Can the attackers access my bank account too?
Not directly through Pango. They only see cards already saved in your account and can make transactions through Pango. But—if you used the same password for your bank or other services, they can try to log in there. That's why it's important to change the password everywhere you used the same one.
What to do about unauthorized charges?
First, contact Pango: support@pango.co.il. Document the suspicious transaction (screenshot from the app) and explain it's fraud. If Pango doesn't refund the money within a few days, contact your credit card company (Visa, Mastercard, etc.) and request a chargeback. This is standard procedure in fraud cases. If the amount is significant—also file a police report with the cyber unit: 110.
Do I need to replace my credit card?
Not necessarily. If you changed the password quickly and removed the card from the Pango account, the risk is low. Attackers don't see the full card number—only the last 4 digits. But if there are suspicious charges not from Pango (on other sites)—that's a sign the card was leaked, and then it's worth replacing.
How can I tell if a link is fake without clicking?
Hold your finger on the link in the SMS (don't click—just hold). After a second a pop-up will appear with the full URL address. Check if it's pango.co.il. Anything else—fake. If you're on a computer, hover your mouse over the link (don't click) and you'll see the address in the bottom left corner of the browser.
What are the chances this will happen to me?
Hard to know exact numbers, but in recent months hundreds of cases have been reported in Israel. This scam is spreading rapidly because Pango is a popular service—almost every driver in Israel uses it. Attackers know this and exploit the trust.
Summary: Don't Let Panic Make Decisions
The Pango SMS scam works because it combines psychological pressure (message about "account blocked") with perfect visual spoofing. Attackers bet that you'll see Pango's logo, panic, and click the link without thinking.
The most important principle: No legitimate service will ask you to enter a password through a link in an SMS. Not Pango, not the bank, not anyone. If in doubt—don't click. Open the app directly.
And if you encounter suspicious behavior in digital communications—not just in SMS—Traceback helps you identify who's really behind no-caller-ID numbers. In our app you can unmask no-caller-ID numbers in Israel within 1.3 seconds, with reports accepted in court.
Traceback works with Partner, Cellcom, Pelephone, Hot Mobile, Golan, Rami Levy, 019 and 012.
📱 Pricing: Weekly subscription 14.90 NIS / Monthly subscription 29.90 NIS / Annual subscription 249.90 NIS (30% savings compared to monthly). All subscriptions include unlimited identifications—no additional charge per reveal. Cancel anytime, no commitment.
⚠️ Disclaimer: This article is general information only and does not constitute legal advice. For any specific legal situation, consult a qualified attorney. Traceback is not responsible for legal outcomes.