You must never reply
Republished on August 12 with new text message attack warnings.
American smartphones are under attack from malicious text messages. This industrial scale campaign is driven by organized criminal gangs in China, well beyond the reach of U.S. law enforcement. If you do succumb to an unpaid toll, DMV or Amazon refund text, your phone, your data and even your identity could be at risk.
But there’s a different wave of text attacks now targeting phones, and it’s harder to detect. These messages do not pretend to come from a DMV or bank or retailer, but from someone you know. There’s no link to click. The attacker just wants you to reply.
The FBI’s warning is clear: “Verify the identity of the person calling you or sending text or voice messages before you reply.” If the text shows up on your phone with the usual contact details you’d expect, then it’s fine. The issue is where the sender is unknown.
If that’s the case, the FBI says, “before responding, research the originating number, organization, and/or person purporting to contact you. Then independently identify a phone number for the person and call to verify their authenticity.”
The team at MalwareBytes has just published a useful report on these “innocent” texts that are anything but. “All the messages are carefully crafted to seem plausible—so you don’t immediately feel suspicious — and short — to trigger your curiosity.”
The text may be a single word, a “hey” or a “hello.” Or it might be a message that appears to be a wrong number, a lost contact or a continuation of a thread you’ve started elsewhere. It doesn’t matter what lure is used. Once you reply, even if it’s just to inform the sender they have the wrong number, you fall into the trap.
The lure could be more specific, “a doctor’s appointment, a social event, a funeral, a hospital visit, a message after a long absence,” but the objective is the same. And because these messages lack links, some of the usual red flags will not be there.
The end result could be a financial scam such as a crypto investment, or a romance scam where the by-chance encounter with a wrong number seems to lead to more. That can escalate into a sextortion scam if the exchange includes sharing images.
As the FBI explains, “the scammers behind the fake wrong-number text messages are counting on you to continue the conversation. They want to exploit your friendliness. Once they’ve made a connection, they’ll work to become friends or even cultivate a remote romantic relationship.” And while “they’re posing as regular people who entered the wrong numbers on their phones,” in reality these “fake wrong-number text scams use extremely sophisticated technology to commit their crimes.”
Do not reply to any of these messages
The FTC reports that “losses to text scams hit $470 million” last year, including “wrong number scams that start as a seemingly misdirected message,” but which “evolve into a conversation with romantic undertones that can lead to investment and other scams.”
McAfee warns “these messages may seem harmless, but they’re often the first step in long-game scams designed to steal personal data—or even life savings.” And they’re surging, with “1 in 4 Americans having received one.”
At any point you “believe you are a victim of a scam,” the FBI tells phone users, “end all communication with the perpetrator” immediately and contact law enforcement.
Meanwhile, a new initiative seeks to finally resolve the text scam conundrum for users: “It can be difficult sometimes to work out whether a text message that’s landed in your phone is real or from a criminal trying to steal your information or money.”
Australia’s Commonwealth Bank has enhanced its Truyu identity assurance app, and will now enable users to “send a screenshot of the message to check what they should do.” Industrial-scale text message scams are as much an issue in Australia as they are in the U.S. and across most of Europe.
Rather than have users collect and send details of a potential scam or rely on generic AI-fueled smartphone defenses to catch a scam in the act, this new offering enables a user to send a specific message for a one-time check. The submissions collated by the platform will be critical in building up a picture of new attacks and lures.
As Truyu’s boss Melanie Hayden explains, “when you upload a suspicious text to Scam Checker, you’re not just protecting yourself. You’re also helping keep others safe by sharing valuable information that can be used to help protect them too.”
MalwareBytes has its own scam defense offering. Scam Guard lets users “check scam texts, fake shipping alerts, dating and job scams, phishing links, robocalls, suspicious emails, and more — all with the simple upload of a screenshot, text, number or URL.”
Text scams targeting customers of specific financial institutions are surging just as fast as tolls, motoring offenses and fake tech support calls. This includes the Phantom Hacker attacks which the bureau warns are now soaring again.
This is when a fake bank support text and call warns that your phone or PC has been hacked to steal money from your account. In this instance the warning comes not from the bank but from the real hacker, and moving your money to safety is the actual theft.
Fidelity has now issued a warning: “Scams are on the rise. In particular, recent reports suggest an uptick in text-message scams. Never click on a link in a text that purports to come from a financial institution unless you are certain of its legitimacy. When in doubt, contact your financial institution using its official website or an official phone number.”
Any unsolicited text, Fidelity says, “should be considered potentially suspicious. Remember that scammers may use urgent-sounding language to try to get you to click on a link in a text right away—before you have time to think it through.”
Making it that easy for users to check whether a text is real or malicious is clearly the way forward, and makes adhering to advice from the FBI and others much easier.
New Amazon text scam now surging.
Guardio, which was behind the Amazon refund warning last month, has just issued timely new data, and this shows exactly how quickly these attacks can scale and why so many citizens are put at risk in such a short period of time — thus the FBI warnings.
A new iteration of the scam, with “new, more specific phrasing in the text message” has seen a staggering “10.6-times increase in the past two days.” That’s almost 1000%.
Meanwhile, the bureau continues to issue fresh warnings over the latest attacks, where not engaging means not scanning a malicious QR code printed on an unsolicited package sent to your home address.
“Help the FBI Defend the Homeland and keep yourself safe,” the bureau says as it warns the public that “criminals are sending unsolicited packages containing a QR code, and once scanned, victims provide personal and financial information while unknowingly downloading malicious software that steals data from their phone.”
The key, though, is not to engage until you’re sure who the text is from. When it comes to a financial (or any other) institution, Fidelity says, “if you believe the text message may be legitimate, contact the company through an official channel and explain the communication you just received. Do not respond to the suspicious text message, click on any of its links, or call the phone number in the text.”
If you want to call to check, “do not rely on a phone number provided by search-engine results. Instead, go to the institution’s official website to locate an official number.”
When it comes to these “innocent” wrong number texts, MalwareBytes says “don’t reply, not even to be helpful. Don’t engage in conversation, even if they seem friendly. Never click on links. Block the number. Report the message to your carrier.”
Even if you don’t fall for the scam itself, “responding confirms your number is active. It flags you as someone who reads texts and might engage. The scammer may sell or share your number.” There is simply no good reason to reply. Just hit delete.