The threat of scam text messages may now seem distant, even quaint. With all the new, exotic and sophisticated attacks that have arisen in the past decade, surely text message attacks are low on the list. But they can still be a big problem.

Short message service (SMS) scams are social engineering attacks that work like email phishing attacks. Called ‘smishing’ (a portmanteau of SMS and phishing), the attacks aim to trick the victim into providing information or access that benefits the attacker.

Current SMS Scam Tactics

One of the more effective and modern variants of scam text messages alerts users to a new, incoming package delivery. When the victim replies, the scammer harvests personal information for identity theft, monetary theft or the theft of company information. In one specific variant, the text directs victims to a website and offers a small gift (like a wristwatch) in exchange for participating in a survey. They’re asked for credit card information to cover shipping, and, of course, the credit card information is stolen.

Another scam text message campaign pretends to come from banks. It tricks victims into divulging their banking credentials. Once they’ve done so, the Emotet malware infects their machines. 

Yet another scam threatens the victim with violence if they don’t pay. These are different approaches to the same aim: all are designed to extract information from the target for nefarious purposes. What they all have in common is that they all want you to do something, like visit a website, click on a link or take some other action.

Other scam text messages reference food aid, jury duty, a mobile carrier, a bank, COVID-19 or human trafficking. It doesn’t always help to understand the specific content of text attacks that have already happened, though. Future attacks will be designed to surprise you with brand-new content. 

Why People Fall for Scam Text Messages

Scammers are engaged in a back-and-forth fight with smartphone users as part of a larger arsenal of mobile scam techniques. And, they have two advantages. First, they leverage techniques that are the result of an evolutionary process of learning how to scam people. Next, victims aren’t aware that the conflict is even taking place. 

The first step in social engineering is a misdirection: to excite the mind of the user and get them thinking about something emotional to disarm whatever skepticism they may have. 

For example, “You’ve got a package!” “There’s a problem with your bank account!”  

Another variation on this theme is to tap into a concern you already know people are thinking about. That’s why the people who send scam text messages love upsetting current events. Wildfires! Pandemics! Politics! Crime! Missing persons! By referencing current events, scammers are hoping to route around your defenses and get you to click or act.  

What To Do About Scam Text Messages

Protecting against scam text messages is an important component of application security, mobile phone security and mobile data protection. Use training and awareness to inform people to: 

  1. Never respond to any messages in the way they invite you to. If a message says it’s from your bank and asks you to click on a link, call the bank. If a delivery service asks you to confirm delivery, go to the website you ordered from and do it from there.
  2. Don’t be fooled by personalization, branding or messaging that looks legitimate. Fake branding is one of the main ways scammers trick people.
  3. Report scam texts: check out the options on the FTC website.

Don’t be lulled into thinking that scam text messages are yesterday’s threat. In fact, text scammers are evolving, learning and changing. Train your staff to recognize, handle and report scam text messages and expect the unexpected. 
