She responded to a smishing scam. Then the spam texts got worse. Experts explain why

It took just a momentary lapse in judgment for Alyssa Beckwith to fall for the scam.

The text message she received looked legitimate — even expected. After some of her personal information had already been stolen a few years ago, she signed up for text alerts from her bank, Wells Fargo, to confirm each time she made a new purchase. And that step to protect herself, ironically, is what made her such an easy target.

So when a scammer texted Beckwith in April, telling her that her Wells Fargo card had been charged with a $240 withdrawal and to "Contact Us if Suspicious," she didn't think twice and called. A robotic voice welcomed her to Wells Fargo and asked her to verify herself, so she entered in her credit card number, Social Security number and birthday.

"This information is valid. Thank you," the voice said, and hung up. Only then did she realize her mistake.

"I was like, wait a minute," Beckwith said in a phone interview. "I'm surprised it didn't connect me with somebody to talk to. Usually that's what happens. That's when I thought, 'Oh my God, oh my God, I think this is a scam.'"

In the space of a few minutes, Beckwith became the latest victim of "Smishing," or SMS phishing, where a scammer sends a text message to trick a person into turning over some sensitive personal information, which can be used for all sorts of fraud, like siphoning money from their bank account or opening up credit cards in their name.

Unwanted texts have existed for practically as long as the text message itself. But with more people using their smartphone to make payments, and many sites for banks and utilities verifying users' accounts through text messages, the fraud floodgates have opened.

The numbers are staggering. The Federal Trade Commission received 334,833 complaints about scam texts in 2020, more than double the year before. People around the world were exposed to about 125 percent more smishing attempts every three months, a new study from the cybersecurity company Lookout found. 

Jacinta Tobin, a vice president at Proofpoint, a cybersecurity company that specializes in threats to mobile phones, said that scammers and criminal hackers noticed that more marketers and businesses interact with people through text messages, and simply followed that trend.

"Before, text was a very clean, relatively speaking, peer-to-peer channel. You don't communicate with strangers via text. It's just friends," Tobin said in a phone interview. "But now texting has opened as a more general communication channel for business, like transaction confirmations, fraud alerts." 

Scam and phishing messages sent via text are particularly tenacious because there's little ability to block them. Good email providers now block most junk and phishing emails, making email spam a shadow of the problem it once was. While unwanted phone calls are annoying, you can at least look at the caller's number and decide to not to take a call.

But though smartphones are nearly ubiquitous — 97 percent of Americans own one — there's very little people can do to stop unwanted texts. Apple and Google, the respective manufacturers of the iOS and Android smartphone operating systems, advise users to block unwanted numbers, but it's so easy for scammers to pretend to send a message from a different number that such strategies are effectively meaningless. Apple at least allows users to filter all messages from people who aren't already in their contacts, but that doesn't flag which texts are likely to be a scam, and puts them in the same folder as authentic messages from unsaved numbers.

Data breaches of users' personal information — including their phone numbers — are a frequent occurrence, and hackers regularly trade Americans' data with eager scammers. It's so common that in April, after researchers realized that hackers were able to pull more than half a billion Facebook users' names and phone numbers from the site, Facebook accidentally sent a Dutch reporter an internal memo that "we expect more scraping incidents and think it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly."

There's also little indication that authorities are doing much about it or have advice for the general public. Once Beckwith realized she'd fallen for a scam, she contacted the Federal Trade Commission, which didn't respond to her, and the Social Security Administration, which told her to monitor her credit. But that was all the help they gave, and while she hasn't noticed anyone taking out a loan in her name, the spam texts have only gotten worse.

"I get texts about 'your package from UPS is waiting, please click this link to confirm,'" she said. "Texts from 'Amazon,' I get one of those almost every day."

While U.S. phone carriers do have some anti-spam measures in place, their process for guarding against scammers is largely opaque, and they offer little specific help to customers. Sprint and Verizon didn't respond to a request for comment. AT&T declined to comment, but pointed to the official guidance from the Cellular Telecommunications and Internet Association, an industry trade group, which has a few recommendations for users who get spam texts, including, "If you receive texts you don't want, respond 'STOP.'"

Replying "STOP" to a marketing company or signing up for the FTC's Do Not Call list can reduce spam from companies that seek to abide by U.S. law. But security experts warn that since many scammers have no interest in following the law, that's likely to do more harm than good.

Donna Gregory, unit chief for the FBI's Internet Crime Complaint Center, warned against responding to apparent smishing attempts.

"If you respond, it shows there is somebody at the other end. They may just be fishing for live numbers," Gregory said in a phone interview.

Tobin, of the cybersecurity company Proofpoint, said that replying to smishing attacks most likely makes you more of a target.

"The intelligence about you doesn't dissipate. It builds," she said. "Each attack that happens, each text you respond to, or each call you respond to. Even if the attacker doesn't get that money from you, they can get money by selling your information."

For most people, falling for a smishing attack either leads to losing money or ending up at higher risk of identity theft. But text messaging is also the preferred delivery method for the most extreme form of phone hacking, when criminals or countries gain complete control over a phone, turning it into a secret microphone or stealing all its emails and texts.

John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab, said he often sees hackers working for authoritarian countries sending texts to dissidents that try to trick them into downloading a program that will hand over access to their phone. Many pretend to be part of the two-factor authentication process, where a user verifies their identity through an additional avenue besides their username and password.

While cybersecurity experts recommend using a dedicated, trusted smartphone app to set up two-factor, many companies still do it through texts.

"Text messages are still a loophole," Scott-Railton said in a phone call. "Cybercriminals know it and they use them. Governments that want to do shenanigans also use them because text messages is uniquely well set up to be exploiting a whole category of account password reset attacks and takeovers."

"The real issue is that text message as a second-factor is still extremely common," he said. "And as long as it remains extremely common, phishing through text messages will also be really common, because people are conditioned to expect that important things may come through text messages."

With no easy fix on the horizon, most people have little choice but to simply be extremely cautious to not click links texted to them from people they don't know.

"SMS numbers are easily spoofed," Tobin said. "Don't click on a URL in a text message. Don't trust URLs in text messages unless you have more assurance. If you get a text message from a bank or a retailer, type in the URL into your browser separately."

Source: Read Full Article