SMS Scams: Don’t be Tricked by a Bogus Text

“Don’t Click!” That’s the advice TECHPol has given in many blog posts as a way to avoid being the victim of phishing. Phishing is an attempt to access personal or confidential information by sending an email that appears to be from a legitimate source and asking the recipient to surrender information, often via a bogus website. Victims may trust the website and provide information, or click on the site’s link and have their device infected with malware. When phishing is done via short message service (SMS) or text message, it is known as SMiShing. This method of attack is effective because the quick and immediate nature of texting makes the recipient less likely to think and more likely to click.

In the United States, 92% of adults own at least one cell phone and 81% of Americans text, according to Pew Research Center.  CTIA estimates that over 6 billion texts are sent every day in the U.S., and SMS open rates are around 99% (90% within 3 minutes of being received) according to a study sponsored by SinglePoint. So, it’s not surprising that cybercriminals have decided SMiShing is the way to go.  We know most people are becoming more savvy about technology scams, but clearly some people are taking the bait, because SMiShing is on the rise.  The perpetrators are casting wide nets and honing their skills to make their lures more attractive.

What Does SMiShing Look Like?

You’ve probably received a bogus text and recognized it — you don’t know the sender’s number, you didn’t enter a sweepstakes contest, you don’t use that bank — and you promptly deleted it. Great. But what if the text uses your name and it’s from a familiar retailer or financial institution? If you’re on the go, is it possible you’d click now and think later?  That’s what the cybercriminals are counting on, and their tricks are getting better.

A recent SMS scam involves sending texts to iPhone users indicating that the recipient’s Apple ID expired — yikes! Panic mode sets in, and the recipient clicks on the link that takes him to an Apple website that looks awfully official, where he verifies his log-in credentials. But of course it’s not really an Apple website at all. Double yikes.

Then there’s the bogus text confirming that you sent a payment via PayPal.  You are told to click on the link if you want to cancel the payment. Some newer SMiShing texts appear to come from a bank’s legitimate phone number, making them more believable. Pokémon GO users are being targeted by texts that offer points and coins if the recipient clicks on the link.  The list goes on.

So, we return to our sound but simple advice:  “Don’t Click!”   We also have additional advice to help you protect yourself.

7 Tips to Avoid a SMiShing Trap

  1. Be suspicious of any text that doesn’t have a cell phone number associated with it. Scammers trying to hide their identity may use methods like email-to-text that won’t reveal a phone number.
  2. Be wary if it’s an urgent message or one that preys on fear — fear of losing money, of denied account access, of embarrassment, or worse.
  3. Question texts that you did not sign up to receive.
  4. Pay attention to the wording — bad grammar and spelling are signs of SMiShing.
  5. Do not respond to a suspicious text. This only confirms to the sender that they have successfully targeted a “live” number.
  6. Don’t use phone numbers or website addresses provided by texts.  If you want to reach the organization, look up the phone number or website to ensure you use the legitimate version.
  7. Inquire with your cell service provider about blocking texts from the internet as a way to reduce SMiShing.
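
For anyone who wants to apply tips 1, 2, 3 and 6 mechanically, for example in a message-filtering script, here is an added example that is not part of the original post. The word list, the `known_senders` parameter and the sample messages are constructed assumptions; tips 4, 5 and 7 need human judgment or carrier settings and are not covered.

```python
import re

# Tip 2: urgency/fear wording. Constructed word list (an assumption), tune to your traffic.
URGENCY = re.compile(
    r"\b(urgent|immediately|expired?|suspended|locked|verify|cancel|final notice)\b", re.I)
# Tip 6: links or callback numbers embedded in the message body.
LINK = re.compile(r"(?:https?://|www\.)\S+", re.I)
CALLBACK = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def sender_is_phone_number(sender: str) -> bool:
    """Tip 1: True only if the sender looks like a dialable number (7 to 15 digits)."""
    digits = re.sub(r"[\s().-]", "", sender)
    return re.fullmatch(r"\+?\d{7,15}", digits) is not None


def triage(sender: str, body: str, known_senders: frozenset = frozenset()) -> dict:
    """Return {tip_number: reason} for each of the article's tips the message trips.

    known_senders is a hypothetical allow-list: your contacts plus services you
    signed up for, stored in exactly the form the sender field arrives in.
    """
    hits = {}
    if not sender_is_phone_number(sender):
        hits[1] = f"sender {sender!r} is not a phone number (possible email-to-text)"
    match = URGENCY.search(body)
    if match:
        hits[2] = f"urgency or fear wording: {match.group(0)!r}"
    if sender not in known_senders:
        hits[3] = "sender is not someone you know or signed up to hear from"
    found = LINK.findall(body) + CALLBACK.findall(body)
    if found:
        hits[6] = f"look these up independently instead of using them: {found}"
    return hits


# Constructed sample messages modelled on the scenarios described in the article.
SAMPLES = [
    ("alerts@mail.example", "Your Apple ID expired today. Verify now at http://appleid.example/login"),
    ("+1 (555) 010-0199", "You sent a payment of $249.00. To cancel, click http://payments.example/cancel"),
    ("+15550100123", "Running late, see you at 6"),
]

if __name__ == "__main__":
    friends = frozenset({"+15550100123"})
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body, friends) or "no tips triggered")
```

A message that trips none of these checks is not proven safe; spoofed sender numbers, which the article mentions, pass the tip 1 check.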