People around the world are increasingly receiving malicious text messages designed to steal personal information or break into one of their accounts. This type of scam, called SMS phishing or smishing, has been around since cellphones became a thing, but the practice is becoming very popular among scammers at the moment.
In the last few months, my wife and I have received a handful of smishing texts: one purporting to be from Amazon, one pretending to be from Netflix, and one that tried to look like it was coming from the New York Department of Motor Vehicles.
You don't have to go too far to see we are not the only ones. A search on Twitter shows that many people are getting similar text messages. Some try to lure people by pretending to be about a package delivery, others try to exploit people who are eager to get a vaccine for COVID-19.
“I think people trust sms more than they trust emails—in particular, I believe this is more prevalent in older demographics. Now, in the age of covid, SMS has become more important than previously,” Keren Elazari, a cybersecurity expert and frequent conference speaker, told Motherboard in an online chat.
Elazari explained that in Israel, where she’s from, the government is using text messages to notify citizens about COVID-19 contact tracing, to tell them whether they need to isolate or whether they are allowed to end quarantine.
“So I strongly think mobile operators can and should do more to reduce the ability of fraudsters and criminals to use SMS,” Elazari concluded.
Apart from significant and widespread anecdotal evidence, there is some hard evidence that smishing is on the rise. According to security firm Proofpoint, text message phishing went up 328 percent in the third quarter of the year, compared to the previous quarter.
"Smishing attacks are on the rise probably because they are so successful. This is because people have been trained to react to notifications and messages on their devices instantaneously," Apurva Kumar, a staff security intelligence engineer at mobile security firm Lookout, told Motherboard in an email.
Have you received any smishing texts? Or do you work for a telecom company that tracks these threats? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com.
Simeon Coney, the chief strategy officer at AdaptiveMobile Security, agreed.
"These types of attacks work well," Coney said in an email, where he added that telcos have been doing better at stopping them. "Many Telcos have invested in protection solutions to reduce the number of phishing and spam messages being delivered to their customers. The volume of attacks daily is huge, and it is inevitable that sometimes attacks do get through, especially when attackers change techniques and sources to launch their attacks from."
An AT&T spokesperson pointed to a page on the company's site dedicated to this threat, where the company warns that "more criminals are using text messages to try to get you to give them information." The company advises customers not to open texts from unknown sources and never to send any information via text message, but instead to go to the official site of the purported sender to check what's going on. The company also asks customers to report any suspicious texts to 7726, a number provided by the FTC to report spam and phone scams.
The spokesperson did not respond when I asked him how many smishing attempts they see across their network.
Verizon, T-Mobile, Sprint, and Google, which runs the cellphone provider Google Fi, did not respond to a request for comment.
For years, people have been getting robocalls that are sometimes in Chinese, or contain vague references to car insurance, past-due taxes, or unspecified bank accounts. Unlike these recent smishing texts, which include the names of well-known and popular companies, it's often pretty easy to tell that the robocalls are not legit.
But with these texts, it's easy to get fooled. So until telcos get better at filtering these smishing messages out, be careful what you click on.