Here’s how to spot scams where criminals use deceptive text messages to hook and reel in their marks.
Have you ever received a text message from a delivery company that you are familiar with and never for a moment questioned it? Why would you? We now order so much online and all those delivery notifications can often merge into one. Even if you weren’t expecting anything, they can often be so believable that when a link is included you may even feel compelled to click on it and find out more.
I recently noticed there may be a rise in SMS phishing (also known as smishing) from supposed delivery companies. The other day, my mother-in-law sent me a panic message:
I asked for a screenshot of the message to see what she was dealing with.
Clearly this was a smishing text designed to entice victims into clicking on the link and then lure them into parting with their cash somewhere along the line. But why am I starting to see so many now? Just before Christmas I noticed my social media timelines were becoming filled with angry people who were receiving increasing amounts of these messages and some were falling for them far too easily.
There’s one thing in particular that fraudsters are good at – manipulation. Also, they constantly reform their craft, adopting new techniques in order to tempt people to do what they would otherwise “hopefully” think twice about. Many of us have become accustomed to classic phishing emails, and more and more people share best practices and awareness advice.
However, smishing messages don’t always get the same amount of publicity, which may play into the hands of the criminals behind them. SMS messages don’t have a sender address that you can visually verify quickly (though this alone is no guarantee of any message being authentic) and some can even cleverly attach themselves to previous chat threads within legitimate correspondence on your phone and so may, at first glance, look genuine even to security professionals.
Before I cover the advice on what you should do if you receive one of these messages, I wanted to share with you some research of my own into a few such messages to see what I could discover. I think it’s important to know how the messages are constructed and understand the psychology behind them. After all, these campaigns must be working, otherwise they wouldn’t continue to flood our inboxes.
I decided to see what was behind the links, so I used a separate machine on a separate network designed to withstand any potential malicious sites I might have to enter. The link was a shortened URL that took me here:
There is no attempt for the URL to be similar to any well-known delivery company, but it contains words that are similar to what you may expect. I first thought that the subdirectory of the link sent might have been unique to my mother-in-law, but I generated multiple other subdirectories and couldn’t find any other that worked. This helped me learn that in this instance, the criminals weren’t keeping a track on which numbers had clicked and which hadn’t. This can happen in some cases where victims get placed on “suckers’ lists”.
The first page asked me to schedule a delivery with the fee shown. I tried to visit this page using my virtual private network (VPN), as if from different countries, but found it to only work from the UK – a sign this phish was not that sophisticated. However, my favourite part is if you look closely, the fraudsters used the company name “IPS” rather than UPS but had taken the time to copy the logo. Why not just use the correct logo? It’s not like copyright is likely to be a worry on their agenda.
After clicking through the prompts, I arrived at a page suggesting that the “package” would arrive in 24-48 hours’ time. I gave it half a point for being clever enough that whenever I clicked on the “schedule delivery now” link, the dates that followed were accurate.
However, when I clicked on “Enter Shipping Information” I was directed to another site altogether and it took me to an iPhone special offer, which seemed strange – for only £1, I could purchase a phone! It went on to request personal details, including credit card details and CVV numbers. What seems odd to me is that if the con artists are able to entice people to this stage, why change tack and offer a heavily discounted mobile phone instead of focusing on the more plausible “delivery”?
I was also recently forwarded another smishing message that I was more “impressed” with. This time it was a link to a fake Royal Mail site. Although the URL is not even attempting to look similar, the website did have a more genuine, authentic feel than the previous “IPS” company site.
As you can see, the fake Royal Mail front page link I was taken to is what you would expect it to look like:
After clicking on the “schedule new delivery” link, I was asked to input my personal information, such as my name, address, DOB, bank details and, of course, my mother’s maiden name. (Why would Royal Mail ever require this?)
I was then able to continue to payment details. After all these details had been filled out, there was a small fee (£2.95) shown to have the parcel “delivered”, at which point I was required to fill in some credit card details. I attempted to fill this out with multiple lines of phoney data but there were checks in place; for example, the credit card number had to be a 16-digit number. However, I noticed that I had been taken to another website, which was, in fact, a genuine website that had been hacked and used for this scam. I made the site admins aware and now the site is down.
After some research, I found a victim who had recently told the BBC about how he had received an email like this purporting to be from the delivery firm DPD. He was asked to pay £2 for a re-delivery and, unfortunately, he entered his bank details like on the requests seen in the screenshots above. When he checked his account balance two days later, he discovered a new purchase from Apple UK for £409 that he had not authorized. Although the man’s bank refunded the full amount lost to this scam, not everyone is so lucky.
Don’t be too quick to click
As these messages increase in frequency and creativity, just remember to think twice about any message that comes in asking you to act quickly – whether it be to scare you or because it is a great deal. Messages that affect your emotions are manipulating you without your subconscious knowing it. This is the clever psychology being used to make you use your quick brain before your slow, reasoning brain sets in and takes over, questioning such communications.
Furthermore, we need to get the advice and awareness out to those who may be more susceptible to such cons. Those, like my mother-in-law, who are far too often highly trusting and prone to fall for fraudulent schemes. As a WLS reader, you are probably a seasoned pro at spotting a fake message, but those who are less fortunate to possess this skill are the ones we need to help and support.
REMEMBER: Don’t be too quick to click!
written by Jake Moore, ESET We Live Security