SMS has been a mainstay of mobile communications since the early ’90s, but scammers are getting cleverer about avoiding detection. It’s no longer the case that you can smugly look down on those who get conned: some SMS scams are so deceptive that it can be tough to tell the difference between a real message and a scam.
SMS phishing (or SMiShing) is the act of phishing using SMS messages. We have become accustomed to some of the more prevalent email phishing attempts, but scammers are taking advantage of the smartphones we carry with us every day in smishing and vishing attacks.
So how can you spot an SMS scam? Let’s take a look at some recent examples.
A Very Modern Begging Letter
Twitter user @matthewdshaw shared this message he was sent which read:
Hi its sarah. I need you to do me a favor if possible. I had a small accident & broke my fibula & left elbow. Can you text me back once you get this message x
— Teignmouth Police (@TeignmouthNHT) August 14, 2016
Do you know a Sarah? Would they message you in this way if something urgent or severe had happened? Your natural reaction may be to panic, but try to stay calm and think logically: if someone you knew was in hospital would a text from an unknown number really be how they would get in touch with you?
You may wonder what the point of a scam like this is. As usual it comes down to money. The unrecognized number is a premium rate number. If you reply you are signing up to premium rate messages which are charged to your phone bill. They can also be tricky to stop, because you don’t know who is sending them or how to unsubscribe, meaning you could accumulate large charges in a short space of time.
Verify Your Account
One of the most common smishing attacks is where the scammer masquerades as your bank or payment provider like PayPal.
— James Frew (@dr_motley) June 30, 2016
I was sent this SMS from “Apple” and as I do use two factor authentication (2FA), it seemed legitimate. The address in the link should trigger warning bells as it isn’t the genuine iCloud website. If there had actually been multiple attempts to log in to the account then there would have been multiple 2FA messages, but there weren’t.
If you are unsure then use Google (or any other search engine) to search for the message or number. You are likely not the first to have been contacted if it is a scam.
Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC
— Alex MacCaw (@maccaw) June 4, 2016
In this scenario the scammer wants you to send them your two factor authentication number so that they can bypass the protection that 2FA offers you. If you are sent a message like this, then it is likely the attacker already has your username and password but needs the final piece of the puzzle to let themselves in. It would definitely be wise to change your passwords, and maybe use a password manager to make them secure.
You Won… A Virus!
The buzz. The excitement. The elation. We all love winning a prize. But what about when we haven’t entered a competition, and we receive an SMS asking us to visit a website for our prize?
— Tony Burke (@tonyburke62) August 18, 2016
The best advice is to stay away from hyperlinks or website addresses in SMS messages. At best they will link to another phishing website, at worst they are portals for malware.
To log in to your account open your web browser and navigate to the site rather than clicking the link. Some phishing websites are very effective, and can be extremely difficult to spot. So stay safe, and go to the site yourself.
What Can You Do?
Be Aware of Company Policy
All companies, especially bigger ones, will have a policy on how they contact their customers. This covers details such as addressing you by your full name in correspondence rather than with generic terms like “customer”.
Be Careful With Messages From Unknown Numbers
SMS scammers rely on custom names for their messages so a message from “Apple” may not actually be from Apple. Unlike with email scams, it’s often difficult (or even impossible) to check or verify the number that the messages have come from.
If they are asking you for something like a call, a reply, or personal information then it’s best to ignore them. If the message was legitimate it’s likely the sender will follow up with you anyway.
Ignore Requests for Personal Information
Personal data is one of our most important assets in the digital age. If someone is able to get hold of a password, address, or even where you work, then they could cause havoc with your life.
If you are at all suspicious of the message then don’t send any personal information until you can verify the sender. In the case of “Sarah” above, you could phone her instead to see how she is doing rather than reply to the message.
Don’t Reply to Suspicious Messages
We are starting to get trained into the right mindset of noticing when something feels amiss with an email, social media post, or even an SMS. If you don’t get the right feeling from the message — maybe an odd wording or request — then just don’t reply. If you do, you could end up with a much larger phone bill at the end of the month, or risk exposing information you don’t want to give away.
Even if the attacker isn’t able to get the information they want from you, simply replying to a message may mark your phone number as active, leading to a flurry of spam messages.
Beware “Urgent” Requests
Scammers want to make you feel panic as people tend to react quickly in fear. A lot of scam messages will contain phrases like “URGENT ACTION REQUIRED”, or “Please contact us immediately”.
If these messages are purporting to come from a payment provider like PayPal or your bank then they are likely to be scams trying to pressure you into giving them information. This may not be the case and it might be a legitimate request so make sure you are familiar with your bank’s policies.
Smishing attacks are great for getting you to reply or perform an action. A malicious website, on the other hand, could present more phishing attempts like a fake bank website. Or it could download malware onto your phone or computer.
A blanket ban on clicking websites and hyperlinks in SMS is a great way to avoid these smishing attempts. If you need to visit a website, then open your web browser and navigate to the site yourself.
This also goes for phone numbers provided in SMS messages. If you need to call your bank then find the number on their website — don’t use the one in the message.
What do you do once you’ve identified a scam? You can use blacklists or whitelists to banish those numbers so that they can’t contact you again. A blacklist is a list of numbers that you want to block. A whitelist is the reverse: the list of numbers you want to allow.
If you use an Android device you can use some great blocking apps to rid yourself of these nuisance numbers. As part of the iOS 10 updates, Apple added some operating system level number blocking too.
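The checks described throughout this article (the link address that isn’t the genuine site, “urgent” phrasing, a request to send back a 2FA code, and number blacklists and whitelists) can be written down as a small scorer. The following Python is an added example, not code from the article or from any blocking app it mentions; every domain, phone number and sample message in it is constructed for illustration, and the registrable-domain split is a deliberately naive approximation of the public suffix list.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# All lists below are constructed for this example; a real deployment would
# load them from the user's contacts and the providers' published domains.
OFFICIAL_DOMAINS = {"icloud.com", "apple.com", "paypal.com", "google.com"}
TRUSTED_SENDERS = {"+447700900999"}   # hypothetical whitelisted number
BLOCKED_SENDERS = {"+447700900123"}   # hypothetical blacklisted number
URGENCY_PHRASES = ("urgent action required", "contact us immediately",
                   "verify your account", "act now")
# Two-label public suffixes handled by the naive registrable-domain split
# (assumption: a real tool would consult the full public suffix list).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Scheme-prefixed URLs, www. hosts, or bare host/path pairs such as bit.ly/x.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
# "reply/send/text ... code" within one sentence: the 2FA relay pattern.
CODE_REQUEST_RE = re.compile(r"\b(?:reply|send|text)\b[^.]*\bcode\b", re.I)
FLAG_THRESHOLD = 40


class Verdict(NamedTuple):
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname (naive suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_official_link(url: str) -> bool:
    """True only when the link's registrable domain is explicitly trusted.

    'icloud.com.account-check.example' is owned by account-check.example, so a
    substring check for 'icloud' would be fooled; comparing the registrable
    domain is not.
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in OFFICIAL_DOMAINS


def assess_sms(sender: str, text: str) -> Verdict:
    """Score one SMS: block/allow lists, urgency language, links to
    unrecognised domains, requests to send back a code, and spoofable
    alphanumeric sender IDs. Higher is more suspicious."""
    if sender in BLOCKED_SENDERS:
        return Verdict(100, ["sender is on the blacklist"])
    score, reasons = 0, []
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            score += 25
            reasons.append(f"urgency phrase: {phrase!r}")
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        if is_official_link(url):
            reasons.append(f"link to a listed official domain: {url}")
        else:
            score += 40
            reasons.append(f"link to an unrecognised domain: {url}")
    if CODE_REQUEST_RE.search(text):
        score += 40
        reasons.append("asks you to send back a code (2FA relay pattern)")
    # A sender name like "Apple" is a free-text sender ID and cannot be verified.
    if sender not in TRUSTED_SENDERS and not re.fullmatch(r"\+?\d+", sender):
        score += 10
        reasons.append("alphanumeric sender ID cannot be verified")
    return Verdict(score, reasons)


if __name__ == "__main__":
    # Constructed sample messages modelled on the patterns described above.
    samples = [
        ("Apple", "Apple ID: multiple login attempts detected. Verify your account "
                  "now at http://icloud.com.account-check.example/login"),
        ("+447700900111", "Google: your verification code is 482913. "
                          "Reply with this code to confirm."),
        ("+447700900999", "Your PayPal code is 123456. "
                          "Sign in at https://www.paypal.com/signin"),
        ("+447700900123", "Hi its sarah. I need you to do me a favor if possible."),
    ]
    for sender, text in samples:
        v = assess_sms(sender, text)
        label = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{label:10s} {v.score:3d} {sender}: {v.reasons}")
```

The point of `is_official_link` is that the lookalike address in the “Apple” example passes a casual glance precisely because the genuine brand name appears at the start of the hostname; only the last labels before the public suffix say who actually controls the site. The scorer treats a legitimate 2FA code as harmless but flags any message that asks you to send a code back, which is the tell in the Google 2FA example above.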
Be on the Lookout
As with all digital security, it pays to cast a suspicious eye over your messages. If you don’t recognize the number, or are suspicious of the content then use other methods to check or verify the information. Where possible, go direct to the official source of a suspect message by using their website or phone number. If you still aren’t convinced, then ignore the message. Don’t put yourself at risk of high charges or more spam.
Which SMS scams have you received? Do you know anyone that was scammed? Do you think you could recognize a smishing attempt? Let us know in the comments below!