Text messaging is one of the fastest and most convenient ways to communicate. In the United States, more than 20 billion texts are sent every day.[1] They have proven to be a more effective way of reaching consumers, who read 82% of text messages within 5 minutes, yet only open 1 in 4 emails they receive.[2] Thus, it is not surprising that 39% of businesses use some kind of texting to communicate with customers and clients.[3]
Armed with this data, scammers and con artists have increasingly utilized text messages in their efforts to trick consumers into providing their personally identifiable information. Just recently, scammers posed as the United States Postal Service (USPS) sent text messages falsely informing consumers they had packages awaiting them. Unsuspecting consumers clicked on the link in the text, which then took the users to a spoof verification page where the users were asked to provide their banking information to verify their identity, which was then used by the scammers.
This is not the first time criminals have run this type of scam. Early in February, criminals ran a similar fraudulent delivery notification scheme involving FedEx, causing the U.S. Federal Trade Commission to alert consumers about these fake SMS text messages.[4]
These types of cons are known as “smishing” – a type of phishing scam using SMS text messaging to target smartphone users. Like phishing, the goal of smishing is to obtain personal information or financial information from victims. Scammers do this by posing as corporations (e.g., FedEx, Costco, Amazon) or government entities (e.g., USPS, IRS) or even close friends and family members. They include a text message, such as “A package is waiting for you!” or “You need to update your IRS files to receive your stimulus checks.” And they include links to a spoof or imposter website that look sophisticated, and through that medium, obtain financial and personal information such as passwords, bank account numbers, social security numbers, and other sensitive information. According to Proofpoint’s 2020 State of the Phish report, 84% of surveyed organizations faced smishing attacks in 2019 alone.
FORMS OF SMISHING
Smishing can occur in a number of ways:
(1) Texts to Download an App (Malware)
When downloading an application onto a phone via a smishing attack, users are subject to many vulnerabilities, including theft of private photos, text messages, installing a keystroke logger in the background, and infiltrating other apps containing financial and health information. Smishing occurs here in various forms, such as a message telling a user to download the latest version of an app (e.g., banking app, social media app).
For example, this past summer, unsuspecting users received fake links via text message and WhatsApp to download the “professional version” of the popular video-sharing app TikTok, especially in regions and countries where the official app was blocked. Upon download of the fake “TikTok” app, the app obtained access to the user’s camera, image gallery, microphone, among other features.[5]
(2) Texts to Send Money
Another smishing scam occurs when a victim receives a text message from a purported friend or family member who is in an emergency situation. The imposter will send a text from a random phone number noting, for example, “Hey John, it is Jane. I am using a nurse’s phone at the hospital (car accident) and your number is the only one I can remember. My purse is gone, I think it is in my towed damaged car.” Once the victim-recipient responds with something, the scam will continue: “I am sorry to ask you for a favor, but I’m in a jam. Can you send the nurse here via Venmo $200 so she can give me the money and I can get my car out of the tow lot? I will pay you back as soon as this is over. Promise.”
Similarly, texts can be sent by scammers posing as non-profit organizations or local churches asking for donations. This type of smishing has seen “a spike in attacks since Covid-19, with fraudsters clearly recognizing an opportunity to target consumers as we spent more time using phones and computers,” notes CEO Gavin Kelly of Bank of Ireland.[6] See also FBI officials warning the public about the rise in scams and frauds related to the coronavirus.[7]
(3) Texts to Reveal Personal Information (e.g., Financial Information, Password, Social Security Number)
This is the broadest of the three categories because it can take many forms:
Government Entities: Scammers claiming to be government entities, such as from the IRS, can send texts asking for information in order for the recipient to get benefits, such as getting an economic relief check or tax refund.[8] Victims will click a link through the text and fill out personal and sensitive information (e.g., login details, passwords, password security responses, and banking information) on a website purporting to be from the IRS.
Refund Owed: Smishers also can send texts claiming the recipient was overcharged for a service, such as a cellular phone bill or gas bill. The victim is then asked to provide his banking information to receive a direct deposit refund.
Rewards: AT&T has warned its customers about a text scam where perpetrators attempt to steal login information from users and purchase equipment, accessories, and obtain other sensitive information about the customers. “Here’s an example of a fraudulent message that claim [sic] to offer an AT&T reward: www.att620.com- Simply sign in to your account to redeem your $620. AT&T we care about you. Thank you and have a nice day.”[9]
Similarly, Walmart has had to deal with smishing texts using their brand name and logo to dupe consumers. “The fraudster may text you saying you’ve won a free gift card. Remember, you can’t win a contest you didn’t enter. Walmart doesn’t notify winners of any contest via text message.”[10]
Charity: Western Union has noted that its service has been used in these smishing schemes to get people to donate money via Western Union to victims of an emergency, such as a hurricane or earthquake.[11] “Beware of texts that spark urgency, asking you to click on a link, taking you to a compromise site, or get you to unwittingly divulge some personal information that could be used against use.”[12]
Identity Verification: Wells Fargo has put out a warning to its customers to be on the lookout for text messages from unknown numbers with an unexpected request to verify your identity along with a suspicious link that looks like the bank’s URL: “(ALERT ID: 8094025 – (@WELLS-FARGO-BANK) – We need to verify your identity! http://wells-fargo-verifyidentity.site/”[13]
I’VE BEEN DUPED – NOW WHAT?
It today’s world of cyber attacks, ransomware, and privacy theft, there is no question that being a victim of such smishing schemes can be jarring. However, there are some immediate steps you can take to mitigate harm:
· Change your passwords: Immediately change/update all of your passwords to the accounts that were compromised. For example, if you provided bank account information, change your passwords to that account. Also, be sure to change the passwords to any other accounts where you use the same user ID and password combination. (While we do not advise users to ever re-use the same login and password for different online services and websites, we recognize that this happen all too often).
· Cancel your cards: Contact the financial institutions who issued you the debit cards, credit cards, or bank accounts, and have those card and accounts canceled and also flagged for fraudulent activity. In some instances, if money was stolen, you may be able to use insurance or other means to recover amounts subject to theft.
· Report the fraud to those implicated: It takes a village. Be sure to report the fraud to any party potentially implicated in the scheme. Not only does this include the bank involved, but also inform: (i) your telephone/cellular phone service provider that a scheme has occurred so they can prevent similar messages from going forward to other consumers (you can text “7226” which spells SPAM and forward the smishing text to your cell phone carrier), and (ii) the corporation or third party used to perpetrate the scheme (e.g., FedEx, Walmart, or IRS). In doing so, these institutions can devote resources to warning other customers of a scheme and potentially working with law enforcement to find the perpetrators.
· Report the fraud to authorities: There are several avenues to report the crimes.
o (1) Federal Trade Commission: The FTC handles virtually all complaints in connection with consumer fraud, such as smishing, spam, robocalls, imposter scams, etc. The FTC already is aware of smishing schemes and has addressed them on its site.[14] Contact information: Hotline (877) 382-4357 or Make an Online Complaint- http://ftc.gov/complaint.
o (2) Federal Communications Commission: You can also report the fraud to the FCC who handles fraudulent communications sent to your cellular device. Contact information: Hotline (888-CALL-FCC)
o (3) State Attorney General’s Office: a number of state attorneys general have addressed smishing schemes, and are taking precautionary measures to protect the public. For example, the attorney generals for Minnesota, Texas, Michigan, and Missouri have published consumer alerts on smishing schemes and welcome its state consumers to file complaints if they are victims of such scams or if they come across such texts.
As smishing schemes continue to take form, federal law enforcement is taking strides to address the crimes. For example, in 2019, the U.S. Attorney’s Office for the Northern District of Georgia announced the sentencing of three Romanians who were extradited to the United States to face charges of their smishing scheme (among other phishing- like crimes).[15] From October 2011 through February 2014, the defendants compromised computers servers in the Northern District of Georgia and elsewhere to send mass text messages to consumers in the United States posing as banks.[16] They duped consumers into providing their personally identifiable information, wherein the defendants stole more than 40,000 bank account numbers and with an estimated loss of more than $21 million. The defendants were federally charged with wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft.
BEST PRACTICES – AVOID BECOMING A VICTIM
While no one is completely immune from text message scams, there are some steps to take to avoid becoming a victim:
1. Do not click on links embedded in a text message, especially from an unknown sender.
2. If you click on the questionable link, do not fill out any details on the spoof webpage. Do not provide any personally identifiable information about yourself. This is especially important if the URL of the link is not the same as the intended website (even if the spoof website has the same “look and feel” of the intended website).
3. If a bank or other institution appears to send an “urgent” text message or a “delivery details” message, do not click links from the text message. Do not be rushed and panic (which is what the perpetrator is trying to do). Instead, go to the institution’s website and login from there to determine if there is any follow-up activity or urgent situation.
4. If you’re ever asked to provide personally sensitive information (password, pin, account numbers, driver’s license number) via a request from a text, then be suspicious. Do your diligence before entering the information. As a general matter, banks, corporations, or government agencies never ask for personal information like passwords, pins, usernames etc. via text message.
5. Do not download an app from a text message. Always goes to the official Apple or Android app store and look-up the purported app to see if it is legitimate and download it from there.
6. Even if the message you are receiving is spam or you sense it is a smishing scheme, do not reply to it. Otherwise the perpetrator(s) will know this is an active user and will attempt to spam you further. (Instead report it to SPAM (text 7226), and this will help cut down the number of unwanted texts you are receiving).
7. Federal agencies (IRS, Social Security Administration) do not communicate via text
8. Be suspicious of “special offers” being awarded to you via text message (e.g., $620 gift card from AT&T) telling you to act quickly by filling out a form asking for personally identifiable information.
9. Do not fall for friendly language. If you see a text addressed in your name from an unknown number (e.g. claiming to be a friend or local church member) and asking for help or for money, be wary.
10. Register with the National Do Not Call Registry to minimize your exposure to telemarketing calls, which will help you better manage the messages you receive from unknown third parties. You can register by phone (888-381-1222) or via web: donotcall.gov.
CONCLUSION
Given the sheer volume of billions of text messages sent and received on a daily basis in the U.S., there is no question that we are all ripe for smishing tactics. And while federal authorities are aware of this criminal behavior – that can stem from anywhere in the world – it is incumbent upon us to keep our personal information safe and secure from cyber criminals.
©2020 Russell Law, PC | email: David@RussellLawPC.com
---
[1] https://www.michigan.gov/ag/0,4534,7-359-82917_94178_94192_94195-472313--,00.html [2] Flowroute Survey Finds Consumers Overwhelmingly Prefer SMS to Email and Voice for Business Interactions, Dec. 12, 2016, available at https://www.flowroute.com/press-type/flowroute-survey-finds-consumers-overwhelmingly-prefer-sms-to-email-and-voice-for-business-interactions/ (last accessed Aug. 23, 2019). [3] State of Texting 2019 available at https://www.zipwhip.com/lp/state-of-texting-2019/ (last accessed Aug. 23, 2019). [4] https://www.consumer.ftc.gov/blog/2020/02/text-message-about-your-fedex-package-really-scam?_ga=2.230171868.1166097783.1600090605-1623916963.1600090604 [5] https://www.hackread.com/smishing-scam-spreads-fake-tiktok-app-malware/ [6] https://www.thinkbusiness.ie/articles/smishing-sms-fraud-awareness-boi-covid19/ [7] https://www.sandiegouniontribune.com/news/public-safety/story/2020-03-31/fbi-continues-to-warn-about-covid-19-scams-offers-phone-lines-to-report-abuse [8] https://www.wsj.com/articles/dont-click-coronavirus-text-and-phone-scams-are-designed-to-trick-you-11586424600 [9] https://www.att.com/support/article/my-account/KM1051831/ [10] https://corporate.walmart.com/privacy-security/fraud-alerts/ [11] https://www.westernunion.com/us/en/fraudawareness/fraud-types.html [12] Id. [13] https://www.wellsfargo.com/privacy-security/fraud/report/phish/ [14] https://www.consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages [15] https://www.justice.gov/usao-ndga/pr/two-romanian-citizens-extradited-atlanta-face-cyber-and-fraud-charges-connection [16] https://www.justice.gov/usao-ndga/pr/three-romanian-citizens-plead-guilty-participating-multi-million-dollar-vishing-and