Smishing – the (Relatively) New Phishing

Have you experienced an increase in simple text messages that appear to be intended for someone else? I have; in fact, I’m receiving, on average, three of them per day, and it’s getting rather annoying. The picture at the top of this post is a recent sample.

You probably have some familiarity with SMS scams, i.e., scams perpetrated by text messages, but this doesn’t look like any of the ones I knew about previously. There’s no link to tap on, no well-known company name, no imperative and no real sense of urgency. And you probably already know to just delete all texts like that without a second thought. (Well, hopefully you already know that. If you didn’t, then consider yourself informed.) But this is just a casual, “how ya doin’?” type of text message from someone I don’t know, and apparently intended for someone else I don’t know. So, what harm could there be in texting back a “Sorry, wrong number” message? Which is exactly what I might have done if I hadn’t been busy when the first one arrived and if a second, third and fourth such message hadn’t arrived so soon after the first.

Plenty, it turns out. I had to do some online digging in order to find out what these harmless-looking messages from strangers are all about. Most of the search hits were predictable: warning after warning to delete, without any kind of response, any text message that exhorts you to tap on a link or call a phone number. But messages like those are direct attempts at phishing – called “smishing” when perpetrated by text message – and I already knew about them. I finally happened upon a video clip of a TV news report about the kinds of text messages I’ve been receiving lately. It turns out that they are a relatively new form of social engineering, and an indirect attempt at smishing.

According to the news report, if you respond to one of these texts, the very least that will happen is your cell phone number will end up on a “suckers list”, a list of people likely to fall for texting scams. But the scammer will also try to strike up a conversation with you. They may include a photo of a pretty woman, if they think you’re male, or a hunky man, if they think you’re female. Depending on the sort of information the scammer wants to get from you, the photo may be more than just a head shot, and the person pictured may be dressed in a sexy manner or not at all. That may be an attempt to get you to share a compromising photo of yourself. (That’s not the scam an old guy like me would fall for, but I’m told that many people in their teens, twenties and maybe even thirties are quick to share semi-nude or even nude photos of themselves.) Or the scammer may try to convince you to share financial information, account credentials or personal information. Ultimately, that information will be used to blackmail you, raid your bank account, charge things to your credit cards or steal your identity.

It’s easy to sit there reading this and say to yourself, “Oh, I would never fall for that!”, but social engineering is the art of gaining your trust in order to convince you to willingly give over whatever it is that the scammer wants. There is no doubt in my mind that the perpetrators of this scam are very good at this. The best way to avoid falling for the scam is not to engage them. Just delete the text without responding.

As for steps you can take to avoid this scam, there currently aren’t many. You could block the phone number, but the scammers use throwaway phones and phone numbers to perpetrate these scams, so the chances are your next scam message will come from a different number. You could forward the text message to “7726” (spells SPAM on a phone keypad), which all the major US cell phone carriers are supposedly using to collect spam reports. Personally, I couldn’t figure out how to do that from my smartphone without it looking like the spam came from my own number, but maybe it’s easier to do this on your phone. You could call your cellular provider, which might be an attractive option if your cellular account doesn’t include unlimited texting, but if you get as many of these irritating texts as I do, it seems to me that you’ll spend a lot of time on the phone with your cellular provider if you do that. Your best option may be to set your phone to block text messages from all numbers not in your contact list. That wouldn’t work for me, because my cell phone number is my business phone number, but I would seriously consider doing that for a personal cell phone number.

My quest for information also turned up some gleeful reports from people who claimed to have counter-scammed the scammers, by texting back things like “Congratulations, you have successfully subscribed to ‘Prayer of the day’! Your account will be debited $0.50 for each new daily message.”, followed by what appeared to be increasingly desperate attempts by the scammer to cancel the “service”. Take these with multiple, large grains of salt. First of all, all those counter-scam reports I saw were 3+ years old. Second, cell phone scammers are probably savvy enough to know that even if they did opt into such a service and couldn’t cancel it, they could solve that problem with a call to their own cellular provider. That’s assuming they’re using their own cellular account in the first place. If they’re using a throwaway phone or account, they won’t care, because they probably provided stolen payment information to the provider in the first place, and their intention is to just ditch it at the end of the month or whenever the provider gets wise to them and shuts the account down, whichever comes first. So, your best bet is to follow my first piece of advice: do not engage.
