Why cybercriminals looking to steal personal info are using text messages as bait
May 6, 2021 • NBC News
With more people using their smartphones to make payments and many banks and utilities verifying users’ accounts through text messages, the fraud floodgates have opened.
It took just a momentary lapse in judgment for Alyssa Beckwith to fall for the scam.
The text message she received looked legitimate — even expected. After some of her personal information had already been stolen a few years ago, she signed up for text alerts from her bank, Wells Fargo, to confirm each time she made a new purchase. And that step to protect herself, ironically, is what made her such an easy target.
So when a scammer texted Beckwith in April, telling her that her Wells Fargo card had been charged with a $240 withdrawal and to “Contact Us if Suspicious,” she didn’t think twice and called. A robotic voice welcomed her to Wells Fargo and asked her to verify herself, so she entered in her credit card number, Social Security number and birthday.
“This information is valid. Thank you,” the voice said, and hung up. Only then did she realize her mistake.
“I was like, wait a minute,” Beckwith said in a phone interview. “I’m surprised it didn’t connect me with somebody to talk to. Usually that’s what happens. That’s when I thought, ‘Oh my God, oh my God, I think this is a scam.’”
In the space of a few minutes, Beckwith became the latest victim of “smishing,” or SMS phishing, in which a scammer sends a text message to trick a person into turning over some sensitive personal information, which can be used for all sorts of fraud, like siphoning money from their bank account or opening up credit cards in their name.
Unwanted texts have existed for practically as long as the text message itself. But with more people using their smartphones to make payments and many sites for banks and utilities verifying users’ accounts through text messages, the fraud floodgates have opened.
The numbers are staggering. The Federal Trade Commission got 334,833 complaints about scam texts last year, more than double the year before. People around the world were exposed to about 125 percent more smishing attempts every three months, a new study from the cybersecurity company Lookout found.
Jacinta Tobin, a vice president at Proofpoint, a cybersecurity company that specializes in threats to mobile phones, said scammers and criminal hackers noticed that more marketers and businesses interact with people through text messages and simply followed that trend.
“Before, text was a very clean, relatively speaking, peer-to-peer channel. You don’t communicate with strangers via text. It’s just friends,” Tobin said in a phone interview. “But now texting has opened as a more general communication channel for business, like transaction confirmations, fraud alerts.”
Scam and phishing messages sent via text are particularly tenacious because there’s little ability to block them. Good email providers now block most junk and phishing emails, making email spam a shadow of the problem it once was. While unwanted phone calls are annoying, you can at least look at the caller’s number and decide not to take a call.
But though smartphones are nearly ubiquitous — 97 percent of Americans own one — there’s very little people can do to stop unwanted texts. Apple and Google, the respective manufacturers of the iOS and Android smartphone operating systems, advise users to block unwanted numbers, but it’s so easy for scammers to pretend to send messages from different numbers that such strategies are effectively meaningless. Apple at least allows users to filter all messages from people who aren’t already in their contacts, but that doesn’t flag which texts are likely to be scams, and it puts them in the same folder as authentic messages from unsaved numbers.
Data breaches of users’ personal information — including their phone numbers — are a frequent occurrence, and hackers regularly trade people’s data with eager scammers. It’s so common that in April, after researchers realized that hackers were able to pull more than half a billion Facebook users’ names and phone numbers from the site, Facebook accidentally sent a Dutch reporter an internal memo that said “we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”
There’s also little indication that authorities are doing much about it or have advice for the public. Once Beckwith realized she’d fallen for a scam, she contacted the FTC, which didn’t respond, and the Social Security Administration, which told her to monitor her credit. But that was all the help they gave, and while she hasn’t noticed anyone taking out a loan in her name, the spam texts have only gotten worse.
“I get texts about ‘your package from UPS is waiting, please click this link to confirm,’” she said. “Texts from ‘Amazon,’ I get one of those almost every day.”
While U.S. phone carriers do have some anti-spam measures in place, their process for guarding against scammers is largely opaque, and they offer little specific help to customers. Sprint and Verizon didn’t respond to requests for comment. AT&T declined to comment but pointed to the official guidance from the Cellular Telecommunications and Internet Association, an industry trade group, which has a few recommendations for users who get spam texts, including, “If you receive texts you don’t want, respond ‘STOP.’”