The Twelve Frauds of Christmas – SMS Fraud

Clarence Tillery & Gary Warner

The phone rings. You pick it up and see that it’s a number closely resembling yours. Maybe even so close that you mistake it for a family member. Good thing you answered it, because they’ve been trying to reach you about your car’s extended warranty. Unwanted nuisance, sales and fraudulent telephone calls have plagued users for decades, but a relatively recent trend is the fraudulent SMS. “Short Message Service,” which most people know as texting, has evolved with the growth of the smartphone. With the rise in popularity of texting, it was only a matter of time before threat actors began to take advantage. Most recently, however, it is the increasing use by businesses that drives fraud to a new level. Restaurants, retailers, medical service providers and even amusement parks use SMS as a waiting queue service. Banks, communication service providers, and anyone who wishes to reach their customers use SMS.

That increase in traffic has led to dramatic increases in unwanted or “spam” SMS messages. RoboKiller’s website has great statistics about how much SMS spam there is in the United States. In November 2022, SMS spam hit an all-time high!

Americans received 47.2 billion spam texts in November 2022 (Robokiller.com reports this as an all-time high for SMS spam).

Consumers often ask why the Federal Communications Commission hasn’t done more to stop these messages. Until recently, it was illegal for a carrier to do so: it was not within the legal rights of a cell phone carrier to decide which text messages their consumers should or should not receive. This may be changing soon. In October, the FCC voted 4-0 to introduce a new round of rule-making that included this statement:

“The Commission proposes to require mobile wireless providers to block text messages at the network level (i.e., without consumer opt in or opt out) that purport to be from invalid, unallocated, or unused numbers, and numbers on the Do-Not-Originate (DNO) list. These texts are highly likely to be illegal.” 

Assuming this new rule-making is approved, we may see some great improvements soon.

SMiSHing – The most troubling type of SMS spam is a “SMiSh” – a term that combines SMS with phishing to harvest personal information. The SMS is usually from an obscured or disguised sender and often includes a malicious link or other contact method. Like a phishing email, this text-based phishing can be cast with a wide net, designed to gather broad information from a large group, or very focused, like a spear. This means that with some social engineering and maybe a little online stalking, a text message may be intended for a specific person or organization.

As with any fraud, the two driving factors for a SMiSh to succeed are greed and fear. From a “greed” perspective, some fraudsters will tell victims that they are eligible for a new COVID relief payment or a government rebate. The “fear” tactics will have victims believe that they are being audited by the IRS. In either case, the fraudsters will send them to a link with a questionnaire where the victim will be required to input their personal information, often including bank account information. Of course the IRS isn’t the only often-spoofed entity.

Some of the most common SMS attacks currently include: 

  • Lottery or prize notifications
  • Warnings claiming to be your bank
  • Warnings about a missing package or failed delivery
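The traits above (unsolicited sender, embedded link, a greed or fear lure, a request for money or personal data) translate directly into a triage heuristic for messages that consumers report. The following Python is an added example written for this post; it is not code from the original article or from DarkTower. Every sender number, domain and message text in it is constructed (hypothetical senders, reserved `.example` domains and TEST-NET addresses), and the first sample mirrors the failed-delivery lure discussed below. It scores each message and recommends whether to report it rather than tap it.

```python
import re

# Lure vocabulary grouped by the motives the post names (greed, fear) and the
# common themes it lists (bank warnings, missing packages). Heuristic, not exhaustive.
LURES = {
    "greed": [r"\brelief\b", r"\brebate\b", r"\bprize\b", r"\blottery\b", r"\bwon\b"],
    "fear": [r"\baudit", r"\bsuspend", r"\blocked\b", r"\bunusual activity\b", r"\bverify\b"],
    "delivery": [r"\bpackage\b", r"\bdeliver", r"\bparcel\b", r"\bshipping\b"],
    "bank": [r"\bbank\b", r"\baccount\b", r"\bcard\b"],
}
# Requests that turn a lure into a harvest: a fee, card details, personal data.
ASKS = [r"\$\s?\d+(?:\.\d{2})?", r"\bfee\b", r"\bcredit card\b", r"\bdate of birth\b", r"\bpassword\b"]
# Absolute URLs or bare "host.tld/path" links, which SMS clients render as tappable.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
THRESHOLD = 4  # at or above this score: report the message (forward to 7726) instead of tapping it


def score_sms(sender, text, contacts):
    """Return (score, reasons) for one message; higher means more smishing-like."""
    score, reasons = 0, []
    lower = text.lower()
    if sender not in contacts:
        score += 1
        reasons.append("sender not in contacts")
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
        score += 2
        reasons.append(f"contains link: {url}")
        if IP_RE.fullmatch(host):
            score += 2
            reasons.append("link points at a bare IP address")
        elif not url.lower().startswith("https://"):
            score += 1
            reasons.append("link is not https")
    for theme, patterns in LURES.items():
        if any(re.search(p, lower) for p in patterns):
            score += 1
            reasons.append(f"{theme} lure")
    if any(re.search(p, lower) for p in ASKS):
        score += 2
        reasons.append("asks for payment or personal data")
    return score, reasons


def verdict(score):
    """Map a score to the advice the post gives: report it, or confirm through official channels."""
    if score >= THRESHOLD:
        return "likely smishing: do not tap, forward to 7726"
    if score >= 2:
        return "review: confirm through the company's own app or website"
    return "ok"


# Constructed sample traffic: hypothetical senders, reserved .example domains and
# TEST-NET addresses. The first message mirrors the failed-delivery lure in the post.
CONTACTS = {"+15550100001"}
SAMPLES = [
    ("+15550100099", "USPS: We could not deliver your package. Pay the $3.00 redelivery fee at http://usps-redelivery.example/track to reschedule."),
    ("+15550100098", "IRS notice: you are being audited. Verify your account and date of birth at https://irs-verify.example/case"),
    ("+15550100097", "Congratulations! You won a $1,000 prize. Claim it at 192.0.2.10/claim"),
    ("24273", "Your statement is ready. Log in to the app to view your account."),
    ("+15550100001", "Running late, see you at 7"),
]


def triage(samples=SAMPLES, contacts=CONTACTS):
    """Score every sample and attach a verdict; the rows are what a reviewer would read."""
    rows = []
    for sender, text in samples:
        s, reasons = score_sms(sender, text, contacts)
        rows.append({"sender": sender, "score": s, "verdict": verdict(s), "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in triage():
        print(f"{row['score']:>2}  {row['verdict']}\n    {'; '.join(row['reasons'])}")
```

The weights are deliberately simple: a link and a request for money or data count for more than a lure word alone, because a message that only mentions a package (the bank statement reminder in the samples) should land in “review” rather than “likely smishing”, which matches the post’s advice to confirm through the company’s own app or website.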

Take a look at this “failed delivery” example. This SMS is supposedly from the US Postal Service, claiming to be having trouble delivering a package. This type of fraud can happen at any time but is most prevalent during the holiday season.

Screenshot: “failed package delivery” SMS

The website at that URL intentionally uses a very old TLS version that most desktop web browsers no longer accept, but which still works on mobile phones. An investigator at their computer will see a broken page, while the victim on their phone will be forwarded to this USPS-imitating page and prompted to enter personal information.

After entering their personal details, the victim is prompted to enter their credit card details to cover a nominal $3.00 redelivery fee. Notice the status bar has moved, making the site appear legitimate.

We see that the progress bar is nearly complete, and we get a little clue that this might not be the USPS. The green status line reads “We have update your shipping address,” a grammatical error that someone at the real post office would certainly have caught.

And finally, the victim, who has now provided the threat actor with name, address, phone number, email, date of birth and a payment card with CVV and expiration date, is directed to the real US Postal Service website.

How much will the victim lose? At this point the criminal has their name, email, telephone number, and full credit card details. That’s enough to use the card for any type of “Card Not Present” fraud, such as shopping on the Internet on nearly any website.

BE VIGILANT

If something looks suspicious, suspect it! Where text messages are concerned, the best advice is to never answer unsolicited business texts. The IRS will not contact you via SMS to offer you money. The USPS will not send out an SMS to ask for your credit card to deliver a mysterious package. If your bank has an important message, you can confirm that in your banking app, on the bank’s website, or by calling the bank.

What can you do about unwanted SMS messages? Every US cell phone carrier allows you to report unwanted SMS messages by forwarding the message to 7726. (That spells SPAM on a telephone keypad!)

Additional resources about SMS Fraud & Spam:

The Federal Trade Commission offers “How to Recognize and Report Spam Text Messages.”

The FTC’s “Consumer Sentinel Yearbook” has many more statistics about online fraud collected from consumers.

The Federal Communications Commission also has resources to “Stop Unwanted Robocalls and Texts.”

DarkTower’s Blog will have more of the #12Frauds of Christmas each weekday between now and Christmas!