Scam Alert! The Rise in SMSishing Fraud Texts

October 13, 2021

Have you been receiving suspicious text messages lately? If so, you aren’t alone.

In late 2020, the FCC strengthened the Telephone Consumer Protection Act of 1991 (TCPA) by adding more regulations as part of the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence) which basically adds a ton more restrictions on robocalls.

In the wake of restricting robocalls, there has been a huge rise in robotexts, and more and more reports of people being taken advantage of by means of SMS phishing, aka SMSishing, or smishing.

We have talked previously about—and you have probably encountered firsthand—traditional phishing via email. Texting phishes include a lure in a text message, and criminals hope that you take the bait, click, and provide them valuable information.

Want to dig into phishing and other variations on the email scam? Take our phishing quiz, or get ready to learn with our in-depth explainer.

How Do You Spot a Scam Text Message?

Many smishing attempts are direct messages to your phone number with a threat or call to action, such as, “Your bank account requires your information. Failure to respond will incur a fee.” Others could be a mass group text where the attacker sends the phishing message to people in a giant number block, say 314-394-3001 all the way to 314-394-3050.

Some of the telltale signs of a smish are the same as a phish:

Borrows signs of well-known brands to earn trust
Uses threats to inspire fear and urgency or the promise of a reward to draw clicks
Comes from an unrecognized number, different from the number a brand normally uses
Links point to a site that isn’t owned by the brand

AT&T and Other Cell Service Carriers Related

This one is really common right now. I’ve had friends get notifications that their latest bill was paid six times! None of these links go to official AT&T websites, and they contain far fewer specifics than a real AT&T text message. AT&T official texts also don’t use customer’s first names.

Libby Powers received a T-Mobile message recently and filmed a Byte-Size Tech video about some of the clues that tipped her off.

Unexpected Reward

Weren’t expecting a credit? It’s probably too good to be true. Why would an official Amazon text contain the same link twice or not go through their app? Reviewing texts with a careful eye could save you. And if you suspect a credit could be legit, log in to your Amazon account on the web. It’ll be there if it is real.

Group Text

This is some serious low-effort smishing. The purpose of a smish like this isn’t immediately clear, but very likely it is used as the first phase of a scam. Recipients who reply or click may be moved to a second, higher-effort smishing attack list as they’ve just given the criminals a signal that the number is active and its owner is willing to fall for a lure.

USPS/UPS Shipping Notification

Smishing tends to roll in trends. While cell carrier smishing is hot right now, last year and through the 2020 holiday season, shipping delays, cancellations, and fees were the popular lures. These may be cropping back up as users start shopping for the holidays.

What’s the Point of Scam Texts?

Scammers can receive all sorts of information from a text message. If a user replies, that confirms the number is active. If a user clicks, that suggests they may be a good target for additional scam attempts. Once a user clicks, they may be prompted to log in to a site that looks like a service they use but is a finely-crafted mimic. On mobile devices, these mimic sites can be even harder to detect than on a desktop. If they log in—or even if they type in their username and password and then decide against clicking Submit—the criminals intercept that information. At that point, they have access to one account to make purchases, change login details, and access payment information and personal identifiers. Do you use the same password for multiple sites and services? Those will be compromised as well, and all information and access from those accounts mined. For a personal account, this can result in identity theft and fraudulent spending. For a business-connected account without other protections in place it could be devastating.

What Can You Do About Scam Texts?

Don’t reply or click. If you think that a message could be real, my go-to suggestion is to find a separate means of contacting that service, like a bank’s official phone number, to ask if they sent the text or if any of the message actually needs your attention. As with email phishes, never return correspondence via the contact information that was provided in a suspicious message!
Report spam to your carrier. This can feel a little like fighting a horde of digital zombies: even if you take one down, 1,000 are ready to rise in its place. That said, every little bit helps. Search “report scam text to [carrier]” to find step-by-step instructions.
Educate your family and friends. If someone you love doesn’t know about the rise in scam texts, they’re all the more likely to fall for one. Sharing examples and stories can keep everyone safer.
Delete and move on. It doesn’t get easier than not clicking.

Hopefully further FCC regulation will curb many of these annoying text scams in the future, but for the time being, smishing is here to stay. Bad actors know that in our connected society virtually everyone has a smartphone in their pocket. The best weapon you have in this fight against invasive SMSishing/smishing is educating yourself and your community about what common scams look like and how to avoid them. For more information on how to protect your business operations from smishing, phishing, and other scams give us a call, or check out some of our training materials.