
SMS scams have been around for as long as SMS itself. However, they have been increasing in recent times, and even the most cautious people can run into a serious problem. They can endanger our mobile, our data and/or our money.
Coming across elaborate scams sets off our alarms. That is why, in this post, we will try to offer you a guide to detection, prevention and action against these scams, so that you can stay safe and know what to do if you have already fallen into the trap.
Smishing, the most common practice to scam
To understand what smishing is, we must first say that it is a variant of phishing. This last term is the one used to refer to scams related to identity fraud, impersonating either a person or a company. A scam is said to be smishing when the phishing is carried out by SMS.
There is another term that is added to this, and that is SMS spoofing. It is on the rise in this type of scam, and it applies when cybercriminals manage to circumvent the mobile message detection system and make it recognize them with the real name of the entity they are usurping.
Example of a smishing SMS scam
The above image is a clear example of a smishing scam that has used spoofing. In it we see that the fraudsters are trying to usurp the identity of Banco Santander, and for this they have even managed to get the mobile to recognize them as “Santander”. The mobile may even store their messages in the same thread as other messages that really do come from this bank.
Entities that fraudsters try to impersonate
The usurpation of the identity of people is more common in WhatsApp scams and the like. Via SMS, however, it is common for scammers to impersonate courier services and banking entities: Correos, DHL, FedEx, Banco Santander, CaixaBank and even the Tax Agency. And these are just a few of many examples.
Example of a scam usurping the identity of Correos
And, as we said before, these scams usually use mechanisms that lead the operating systems (iOS and Android) to treat the messages as authentic and not even suspect them of being SPAM. For this reason, it is normal for them to be threaded in the same conversation as messages that really are received from that entity, or to appear alone but with the real name. We insist that having the name of the company as sender is not synonymous with reliability.
Content of the received message
One more example of a scam pretending to be CaixaBank
The exact content of the message varies each time, but the context is often the same in each scam. They are messages that require action on the part of the victim. For example, there are those that pretend to be a bank reporting that there has been an unauthorized charge on the card, that the account is in danger due to unauthorized access, or similar.
In the courier service variants we find calls to action about the payment of a supposed shipment or a customs charge. What these and the other messages have in common is that they include an external link, which is the hook of everything. This link should lead to the official website of the company that sends the SMS, but it does not.
The key to the scams lies in the attached URL, in which an official company website is falsified or access is given to download an app that contains malware.
When that URL is accessed there is usually a clone of the entity's real page, in which personal or payment data are requested. In the case of banking entities, it is common to find a supposed account access interface, which has been created by fraudsters and is completely unrelated to the bank.
A priori, and although it is not recommended to open links received in an SMS, opening that link should not pose any type of danger if afterwards no form is filled out, no permissions are given and nothing is downloaded. That last point is another common hook: asking you to download a supposedly trustworthy application that includes malware inside.
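The check described in this section, as an added example that is not part of the original article: the sender name is treated only as a claim, and every link in the message is compared with the domains the claimed entity really uses. The `OFFICIAL_DOMAINS` table, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: claimed sender name -> domains that entity really uses.
# Fill it from each entity's own published channels; entries are illustrative.
OFFICIAL_DOMAINS = {
    "santander": {"bancosantander.es"},
    "correos": {"correos.es"},
    "caixabank": {"caixabank.es"},
}

# Full URLs, or bare "host.tld/path" strings as they often appear in SMS text.
URL_RE = re.compile(r"https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(url):
    """Return the lowercase host a link really points to ('' if unparseable)."""
    url = url.rstrip(".,;:!?)")
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_official(host, domains):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(sender, body):
    """Flag links that do not belong to the entity named as sender."""
    domains = OFFICIAL_DOMAINS.get(sender.strip().lower())
    findings = []
    for match in URL_RE.finditer(body):
        host = host_of(match.group(0))
        if domains is None:
            findings.append(("link-from-unlisted-sender", host))
        elif not is_official(host, domains):
            findings.append(("link-not-on-official-domain", host))
    return findings


# Constructed sample messages (not taken from the article's screenshots).
SAMPLES = [
    ("Santander", "Unauthorized charge detected. Verify now: https://bancosantander.es.secure-login.example/access"),
    ("Correos", "Your parcel is held at customs. Pay 1.99 EUR at correos.es-envio.example/pago"),
    ("CaixaBank", "Check your statement at https://www.caixabank.es/particular"),
]
```

The first two samples are flagged even though the official domain appears at the start of the host name, because only the end of the host decides who controls it.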
What is the goal of scammers
In short, the main objective of scammers is to steal your money, either directly or indirectly. To do this, they use mechanisms such as those mentioned above. In the case of scams related to banks, in most cases they try to get hold of your bank access credentials through the website linked in the message.
The victim enters their access data on that website thinking that it is a trusted login, but after entering it they will not access anything and will probably get an error message. However, the scammers will already have the username and password in their hands.
Asking for bank account access credentials, credit/debit card details or making a transfer are the most common methods to get hold of the victim’s money.
In other cases, such as courier services, there is a direct request to make a payment, either by Bizum, transfer or through a credit or debit card. In the latter case, it may be for a small amount that scammers simply add to their loot, but in others it is the access key for future charges of much higher amounts.
The most sophisticated technique is to use an application that includes a Trojan, which is common on Android mobiles. This malware, whether it is more or less easy to detect, can obtain high-level permissions on the device and thus take full control of it, including received messages, and thereby circumvent the SMS verification system of many banks.
There can also be scams in which only the personal data of the victim is wanted. These types of scams are not massive, but are directed at certain people with enough relevance that their data has a high value. See, for example, the Pegasus spyware, although in this case it is not so clear that it always entered via SMS.
How to avoid falling into the trap of these SMS
Besides it being advisable to have an anti-SPAM filter for SMS, there are a series of recommendations to take into account when dealing with this type of message:
- Never trust messages from strangers, however trustworthy they may appear to be.
- Do not open links to web pages that are attached to a message.
- Remember that the bank will never ask you for data in an SMS or a call, either in response to that message or call or by accessing your website. Similarly, courier companies and the like do not usually use these methods to request any data.
- Don’t try to reply to that SMS or call the number, since the trap could also be there, with some kind of special rate that considerably raises the cost of your message or call.
- In case of doubt, always contact the entity that supposedly sent you the message, not through the channels given in that SMS but through a trusted contact that the company itself provides.
- Report the message as SPAM and communicate it to the entity that they have tried to usurp, as well as to the Civil Guard or Police.
What to do if you have fallen for an SMS scam
As a main rule in any situation in which you are the victim of a scam, the first thing you should do is report what happened to the police. Similarly, it is recommended that you report the event to the usurped entity so that they can also join the investigation.
Evidently, reporting it to the bank is key, whether the scam impersonated them or not. If the scammers have accessed your bank account or have your card data, you must cancel any possible unauthorized movement and cancel the debit and/or credit cards so that they cannot make more payments.
In the event that the scam had to do with an application that you downloaded, it is advisable to completely restore the mobile and leave it in factory state. This is the most efficient way to ensure that you remove all infected files. Of course, before doing so, try to take screenshots and collect all the key information that the police may request to undertake the investigation.