In the last few days, several people have reported getting scam text messages…from themselves.
“How did I just get a scam text from myself. Like it's literally from my number I don't even comprehend how this is possible,” wrote one person on Twitter.
There are countless people complaining about this scam on Twitter, and at least seven people at VICE got the messages last night.
The message typically mentions that the person’s bill was paid, and that there’s “a little gift for you” and a link with a suspicious-looking URL.
According to The Verge, scammers are especially targeting Verizon customers.
“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers' own number,” a Verizon spokesperson said. “Our team is actively working to block these messages, and we have engaged with U.S. law enforcement to identify and stop the source of this fraudulent activity. Verizon continues to work on behalf of the customer to prevent spam texts and related activity.”
Most of the VICE employees who got the message are Verizon customers, but some of them were customers of Spectrum, an ISP that piggybacks on the Verizon network.
SMS phishing, or smishing, is a years-old scam. And there is some anecdotal data suggesting the problem is getting worse. Last month, the US Computer Emergency Readiness Team or CERT, a US government organization that analyzes cyber threats and publishes information and advisories to help users and companies to protect themselves, warned that there could be more phishing and smishing “In this time of heightened geopolitical tension,” referring to Russia’s invasion of Ukraine.
As Motherboard reported in 2020, there are special SIM cards that let hackers spoof any number they want. In the criminal underground they are known as Russian SIMs, Encrypted SIMs, and White SIMs.
"They are the most popular SIMs in crime," a source close to the criminal world told Motherboard at the time, referring to the anonymously sourced data SIMs.
I tried navigating to two of the URLs published by victims on Twitter; both of them redirected to the homepage of a Russian TV channel.
Darren Martyn, an independent security researcher who has done demos of SMS phishing, said that smishing is “cheap and super effective.” But spoofing the target’s own number, according to him, “does seem weird.”
“I guess the idea would be to work around the unknown number issue,” he told Motherboard in an online chat, referring to a filter that blocks calls or texts from unknown numbers. “If you get a SMS from an unknown contact, the SMS app on some phones flags it. Whereas if the sender's in your contact list, it just doesn't have that warning. I'm gonna guess being a known sender (spoofed number in contacts) gets a higher click-through rate.”
It’s unclear how widespread, or successful, this smishing campaign is. But as usual, do not click on suspicious links…even if they come from yourself.