You must never reply
Republished on August 11 with a new defense against text message attacks.
American smartphones are under attack from malicious text messages. This industrial-scale campaign is driven by organized criminal gangs in China, well beyond the reach of U.S. law enforcement. If you do succumb to an unpaid toll, DMV or Amazon refund text, your phone, your data and even your identity could be at risk.
But there’s a different wave of text attacks now targeting phones, and it’s harder to detect. These messages do not pretend to come from a DMV or bank or retailer, but from someone you know. There’s no link to click. The attacker just wants you to reply.
The FBI’s warning is clear. “Verify the identity of the person calling you or sending text or voice messages” before you reply. If the text shows up on your phone with the usual contact details you’d expect, then it’s fine. The issue is where the sender is unknown.
If that’s the case, the FBI says, “before responding, research the originating number, organization, and/or person purporting to contact you. Then independently identify a phone number for the person and call to verify their authenticity.”
The team at MalwareBytes has just published a useful report on these “innocent” texts that are anything but. “All the messages are carefully crafted to seem plausible—so you don’t immediately feel suspicious — and short — to trigger your curiosity.”
The text may be a single word, a “hey” or a “hello.” Or it might be a message that appears to be a wrong number, a lost contact or a continuation of a thread you’ve started elsewhere. It doesn’t matter what lure is used. Once you reply, even if it’s just to inform the sender they have the wrong number, you fall into the trap.
The lure could be more specific, “a doctor’s appointment, a social event, a funeral, a hospital visit, a message after a long absence,” but the objective is the same. And because these messages lack links, some of the usual red flags will not be there.
The end result could be a financial scam such as a crypto investment, or a romance scam where the by-chance encounter with a wrong number seems to lead to more, or one that could escalate into a sextortion scam if the exchange includes sharing images.
As the FBI explains, “the scammers behind the fake wrong-number text messages are counting on you to continue the conversation. They want to exploit your friendliness. Once they’ve made a connection, they’ll work to become friends or even cultivate a remote romantic relationship.” And while “they’re posing as regular people who entered the wrong numbers on their phones,” in reality these “fake wrong-number text scams use extremely sophisticated technology to commit their crimes.”
Do not reply to any of these messages
The FTC reports that “losses to text scams hit $470 million” last year, including “wrong number scams that start as a seemingly misdirected message,” but which “evolve into a conversation with romantic undertones that can lead to investment and other scams.”
McAfee warns “these messages may seem harmless, but they’re often the first step in long-game scams designed to steal personal data—or even life savings.” And they’re surging, with “1 in 4 Americans having received one.”
At any point you “believe you are a victim of a scam,” the FBI tells phone users, “end all communication with the perpetrator” immediately and contact law enforcement.
Meanwhile, a new initiative seeks to finally resolve the text scam conundrum for users: “It can be difficult sometimes to work out whether a text message that’s landed in your phone is real or from a criminal trying to steal your information or money.”
Australia’s Commonwealth Bank has enhanced its Truyu identity assurance app, and will now enable users to “send a screenshot of the message to check what they should do.” Industrial-scale text message scams are as much an issue in Australia as they are in the U.S. and across most of Europe.
Rather than have users collect and send details of a potential scam or rely on generic AI-fueled smartphone defenses to catch a scam in the act, this new offering enables a user to send a specific message for a one-time check. The data collated by the platform will be critical in building up a picture of new attacks and lures.
As Truyu’s boss Melanie Hayden explains, “when you upload a suspicious text to Scam Checker, you’re not just protecting yourself. You’re also helping keep others safe by sharing valuable information that can be used to help protect them too.”
MalwareBytes has its own scam defense offering. Scam Guard lets users “check scam texts, fake shipping alerts, dating and job scams, phishing links, robocalls, suspicious emails, and more — all with the simple upload of a screenshot, text, number or URL.”
Making it that easy for users to check if a text is real or malicious is clearly the way forwards, and makes adhering to advice from the FBI and others much easier.