The threat of scam text messages may now seem distant, even quaint. With all the new, exotic and sophisticated attacks that have arisen in the past decade, surely text message attacks are low on the list. But, they can still be a big problem. 

Short message service (SMS) scams are social engineering attacks that work like email phishing attacks. Called ‘smishing’ (a portmanteau of SMS and phishing), the attacks aim to trick the victim into providing information or access that benefits the attacker.

Current SMS Scam Tactics

One of the more effective and modern variants of scam text messages alert users of a new, incoming package delivery. Upon replying, the scammer harvests personal information for identity theft, monetary theft or the theft of company information. In one specific variant, the text directs victims to a website and offered a small gift (like a wristwatch) in exchange for participating in a survey. They’re asked for credit card information to cover shipping, and, of course, the credit card information is stolen. 

Another scam text message campaign pretends to come from banks. It tricks victims into divulging their banking credentials. Once they’ve done so, the Emotet malware infects their machines. 

Yet, another scam threatens the victim with violence if they don’t pay. These are different approaches to the same aim: all are designed to extract information from the target for nefarious purposes. What they all have in common is that they all want you to do something, like visit a website, click on a link or take some other action.

Other scam text messages reference food aid, jury duty, a mobile carrier, a bank, COVID-19 or human trafficking. It doesn’t always help to understand the specific content of text attacks that have already happened, though. Future attacks will be designed to surprise you with brand-new content. 

Why People Fall for Scam Text Messages

Scammers are engaged in a back-and-forth fight with smartphone users as part of a larger arsenal of mobile scam techniques. And, they have two advantages. First, they leverage techniques that are the result of an evolutionary process of learning how to scam people. Next, victims aren’t aware that the conflict is even taking place. 

The first step in social engineering is a misdirection: to excite the mind of the user and get them thinking about something emotional to disarm whatever skepticism they may have. 

For example, “You’ve got a package!” “There’s a problem with your bank account!”  

Another variation on this theme is to tap into a concern you already know people are thinking about. That’s why the people who send scam text messages love upsetting current events. Wildfires! Pandemics! Politics! Crime! Missing persons! By referencing current events, scammers are hoping to route around your defenses and get you to click or act.  

What To Do About Scam Text Messages

Protecting against scam text messages is an important component of application security, mobile phone security and mobile data protection. Use training and awareness to inform people to: 

  1. Never respond to any messages in the way they invite you to. If a message says it’s from your bank and asks you to click on a link, call the bank. If a delivery service asks you to confirm delivery, go to the website you ordered from and do it from there.
  2. Don’t be fooled by personalization, branding or messaging that looks legitimate. Fake branding is one of the main ways scammers trick people.
  3. Here’s how to report a scam text: check out the options on the FTC website

Don’t be lulled into thinking that scam text messages are yesterday’s threat. In fact, text scammers are evolving, learning and changing. Train your staff to recognize, handle and report scam text messages and expect the unexpected. 

more from Endpoint

IOCs vs. IOAs — How to Effectively Leverage Indicators

Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security […]

TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware

Malware authors use various techniques to obfuscate their code and protect against reverse engineering. Techniques such as control flow obfuscation using Obfuscator-LLVM and encryption are often observed in malware samples. This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation […]