SMS Phishing Attacks are on the Rise

SMS phishing attacks—annoyingly called “smishing”—are becoming more common.

I know that I have been receiving a lot of phishing SMS messages over the past few months. I am not getting the “Fedex package delivered” messages the article talks about. Mine are usually of the form: “Thank you for paying your bill, here’s a free gift for you.”

Posted on April 25, 2022 at 5:18 AM • 22 Comments

Comments

JonKnowsNothing April 25, 2022 8:02 AM

@All

Lots of “You paid your bill thanks” or “Your payment didn’t go thru click to verify” plus the standard lot of P+S- offers.

The primary way I know is that I don’t use any of the services listed. So if it says PPally I don’t use that, nor AP-Pe-aL store stuff (they get creative with the spelling).

There doesn’t seem to be any way to block it, the block list is already large-huge, and setting options to “known contacts” doesn’t have any effect on the delivery either.

Ted April 25, 2022 8:49 AM

When the political text messages were going bonkers, I was reporting a bunch of them to 7726 (SPAM). I know these more recent SMS messages are potentially more deceptive and exploitative.

I’m so sorry you have to deal with this. Being a renowned security expert, you must also find yourself in a pretty unique position at times.

The FTC has put out some suggestions for filtering and blocking spam text messages, including how someone could do it on their phone, thru their wireless provider, or with a call-blocking app.

https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages

I don’t know if mobile endpoint security products are a viable solution outside of enterprise environments. I thought I remember hearing these could potentially be pretty invasive too. I hope the carriers, or whoever, come out with some improved solutions.

Winter April 25, 2022 9:12 AM

In the Netherlands, bank fraud by way of WhatsApp seems to be most popular. But the operation is similar. Next to banks, stories are mostly about “family/friend in need” fraud. I had relatives who were approached this way. Luckily, they did not fall for it.

John April 25, 2022 9:38 AM

Hmm….

Phone rings… Spam likely

Message from bank received … Spam likely

Message from government received …. Spam likely

Visit bank …. Action unlikely

John

Clive Robinson April 25, 2022 10:14 AM

@ Bruce,

I know that I have been receiving a lot of phishing SMS messages over the past few months.

Well, somebody loves you… or at least hopes to love your money 😉

I know I’m probably tempting fate, but I just don’t get those sorts of messages… Should I feel unloved 0:)

According to part of the Medical Profession however, I should answer their “Unknown Number” calls.

They did not appear to be capable of understanding the concept of not answering calls from people who deliberately hide their number in some way, or that they should leave a voice mail…

They were apparently unimpressed when I told them that it was they in this modern age of “technology aware criminals” that needed to change their behaviours…

So no friends won that day 😉

Mexaly April 25, 2022 10:30 AM

Before digital spam, I used to enjoy refusing handbills.
The distributor shoves one in my direction, expecting a grab reflex.
They’re unused to people who just pass them by.
Now, as with everything, digital makes it planet-sized.

Ted April 25, 2022 10:34 AM

@Clive

or that they should leave a voice mail…

They would not leave a voice mail? Ghastly.

I’ve observed hospital security staff walking the parking garage at night. Many cameras as well. Even a security vehicle placed street-facing at the garage entrance/exit.

These weren’t young professionals, were they?

EvilKiru April 25, 2022 12:16 PM

@Ted: I don’t know how things are over in the UK, but in the US, if a doctor’s office leaves a voice mail, it might potentially be considered a prosecutable HIPAA violation, so they just don’t. And yes, when you show up for the appointment they were trying to reschedule on you, they get all huffy about how dare you not answer an unknown phone number. It turned out they were having problems with their phone system, so they had the office staff make appointment rescheduling calls using their personal cell phones. WTF? Seriously???

Clive Robinson April 25, 2022 12:36 PM

@ Ted,

These weren’t young professionals, were they?

Even though I look out with the eyes of a 20-year-old, they see in the mirror the face of a certified old curmudgeon…

Like the old truism about pilots: there are old pilots and there are bold pilots, but you seldom see old and bold pilots…

You seldom see “young professionals”…

Yes, I can hear the hiss of indrawn breaths as loud as a steam boiler / old geezer about to pop, but…

I was once young, fearless, bold, and knew everything I had to know, then I got hit by a bullet, because I was standing in the wrong place (behind the shooter[1]).

As I somehow survived a whole slew of life’s little challenges, I started to realise there was actually a lot I did not know, and being bold was a symptom of not having the experience to know when to be scared. I guess you could say with age comes a certain perspective, and being afraid is life’s little way of letting you know you are not as smart as you think you are.

Yes I’ve got to be old, but bold I’ll leave to youngsters who lack the experience of knowing when to be somewhere else…

As my father told me, the way to stay out of trouble is to be somewhere else when it happens. I now listen a lot more to my sixth sense of “feeling hinky” than I used to…

[1] Yup, it was a ricochet on a firing range, but it still both hurt and was a wake-up call. A few years earlier I’d missed being hit by half a ton of disintegrating flywheel flying through the bed I’d been lying on half an hour earlier. I’d only moved because the helicopter I was waiting for had made good time to the platform due to fair weather… Then not so lucky getting stabbed in the skull from behind with a screwdriver after catching a criminal in my house and not realising he had a psycho partner. Having your head super-glued back together is not fun… Then there was the idiot teenager who karate-kicked my head into the pole of a street sign one Thursday morning when I was trying to get to work, which gave me a full fracture of the point of the lower jaw. Something the maxillofacial surgeon pointed out was the toughest point of the body, so was very very rarely seen on live people… I started dimly getting a message…

Ted April 25, 2022 1:08 PM

@EvilKiru

so they had the office staff make appointment rescheduling calls using their personal cell phones. WTF? Seriously???

Lol. You’ve got a point about the HIPAA violation. I had wondered about that too.

I don’t know about you, but my docs appear to have automated services to remind me of upcoming appts. I honestly don’t remember if I had to opt-in to being contacted by phone or text, or give permission for them to leave certain info in the message.

I just had one office call me, and the caller ID only said “New York, NY.” I thought for sure it was spam. But I was wrong.

I think some offices may also have secure messaging portals that will send you texts or emails if you have a new message.

It’s gotta be a real tough day when the phones don’t work 😭

Clive Robinson April 25, 2022 1:48 PM

@ EvilKiru, Ted,

In the UK,

We actually get two different messages that can be displayed on the phone. This is due to the fact a phone has two numbers: its actual network number and the fake “caller ID number”, or what you think is the phone number, that is in reality just a database entry, which makes moving service provider and keeping your number easy[1]…

If it’s a phone “set up by the service provider” to not have a number displayed then it’s “Number Unavailable” due to the network number being tagged.

If it’s someone who has turned their number off in their mobile phone settings or dialed 141 before the number they are calling it’s “number withheld” as it’s the caller ID number being tagged.

So the “well the phones went wrong” argument can be seen to be made up.

Several years ago I had to give evidence against a UK Gov agency in court over their deliberate lying and falsification of evidence. When it was pointed out to the person sitting in judgment they found against the agency. The agency is as far as I am aware still using the same old lie in other court cases and getting away with it…

[1] From memory under ISDN rules a network number could have ten valid caller “phone” numbers associated with it, that your phone could back then use to give different ring tones etc. So the idea is not exactly new.

EvilKiru April 25, 2022 3:03 PM

@Clive: Their phone system has always shown their main number on my cell, which my phone then converts to their contact display name, and the phone call I received that morning and ignored did not show a contact match and the displayed number had a common cell phone system prefix.

lurker April 25, 2022 3:12 PM

How long have we been saying “Don’t blindly click on links in emails, don’t blindly click on links in TXTs”? The brain-computer implant is obsolete. Apparently the crooks have found enough people for whom their phone is an extension of their intelligence, and any link presented must be OK, right?

Along the same lines of the comments on NFTs in the Squid thread (I thought it meant Not For Trade), a fool and his money are soon parted…

John April 25, 2022 4:21 PM

@humdre,

I used to tell that to potential employees, to see which were self-starters and would call anyways! 🙂 :)

Worked pretty well.

John

David Leppik April 25, 2022 4:27 PM

I’ve been getting the “free gift” SMSes Bruce mentioned. The funny thing is that they send it to 19 people at a time, thereby setting up a 20-person group chat between random strangers. This also gives you a chance to warn the others not to click on it.

Robin April 26, 2022 2:19 AM

A few years back we got a load of spam phone calls – and at the time we naively answered the first of them. After the second we stopped answering but they kept using the same number (a fixed line in Paris, as I found out in a few seconds) until we blocked it.

The caller claimed to be the “secretary to the clairvoyant”.

Sometimes the jokes just write themselves.

Technotron April 26, 2022 2:12 PM

Neither the phone carriers nor the phone makers offer any easy options to report spam or phishing. With phone numbers, you have to forward the message to the telco and then separately text the offending number. But if the culprit sent the text from an email address (how’s it even allowed??) then all one can do is delete it.
It’s frustrating to see such pathetic lack of action. Maybe a class action lawsuit can move things forward, as with many other changes in this country.

JonKnowsNothing April 26, 2022 2:59 PM

@Technotron

re: sending text msg from an email address

fwiw I use this regularly to send information to-from the phone-desktop. I have no way to “save messages” or “important information” that comes in a text message outside of using some “cloud” option, which is no option at all.

It works well enough but is cumbersome, so I expect the spammers are using an automated program with better interface.

There used to be chat-aggregators where you could load up a program on a desktop and connect to a variety of chat systems and send-receive messages in near-time. These had a history log option so you could save something important like: Time of Flight Arrival or Flight Delays.

iirc(badly) Most of those aggregators were pushed out of business and people moved on to other platforms so they didn’t need them. A one way downgrade.

John April 26, 2022 6:56 PM

@JonKnowsNothing,

I have a Samsung.

After a great effort compiling a useless application….

I found that “SMS Backup and Restore” would create a huge backup file on the phone’s internal flash….

Then, using ‘Smart Switch’ I could save that file to an internal micro SD in the phone, which I could then remove, mount on a Linux system and extract the call logs, SMS messages and MMS pictures.

Kinda amazing how hard it has been made to be!!

Crappy proprietary software and vendors!!

John

ResearcherZero April 27, 2022 8:01 AM

@Technotron

The carriers and manufacturers provide little responsibility, and a lack of support.

Many people meanwhile will continue to use a compromised phone they know is hacked, if they have few other options, while the device is still actively targeting other devices.

Most customers likely don’t possess the skills to dump logs or analyse a device, and take action themselves.

Phone carriers and manufacturers should be held accountable and should provide options to easily report spam or phishing.

Balatus April 28, 2022 10:47 PM

I used to work in SMS. We put a lot of effort into detecting and stopping spammers; they often came from customers who were also aggregators but had fewer ethics.

The whole ecosystem is riddled with holes and there are enough aggregators who don’t care enough to fix anything. As usual, fines are less than they make, and they’ll just switch routes if one is blocked, often using grey routes utilizing the mess that is SMS routing.
