Technology-based fraud is nothing new. Before internet-related and mobile phone frauds, it may have been easier to spot such misdemeanors as landline, postal and in-person scams were nowhere near as sophisticated, nor was our access to large amounts of money. According to the Police Crime Annual Assessment statistics, there were over £2.3b reported financial losses from 2020 to 2021. It’s estimated that in 2022 80% of all fraudulent activity in the UK will be cyber-enabled; with social media and encrypted messaging services as an enabler. The term is commonly known as SMS spoofing. It is important that as an SMS marketing business that TextAnywhere keep up-to-date with all developments in fraud affecting the SMS marketing industry. Our knowledge will help to protect your business and your customers by keeping you informed and ensuring that you are alert to all dangers and understand how to prevent the events from occurring.
When looking to protect your sms subscribers from sms fraud, there are three major areas of concern that businesses need to be aware of and tackle, SMS spoofing, as mentioned above, SMS Phishing & Smishing.
The average person may have heard of spoofing, the simple definition is to trick or hoax someone. Another definition is to imitate, whilst exaggerating. 99% of us would hear the word spoof and instantly be wary. Phishing is also a word that tech-savvy people have become more aware of over the last decade, but we will talk about that in a minute. Smishing, however, is a very new concept and something very few people have heard about, let alone understand the term. Let’s take a deeper dive into the meanings and uses of sms spoofing.
1. What is sms spoofing?
Sms Spoofing happens when a sender impersonates a company or another person to make contact with recipients via text message. The intended target may view the sms spoofing text message as a legitimate message and respond to any instructions that the message may contain. The sender’s identity is essentially hidden behind the name of someone, a familiar shortcode, or a business the recipient is familiar with and may trust. Once the instruction in the text message is adhered to, the damage is already done. Often spoof sms messages contain links that take the target to a website where their personal details will be extracted or further instructions will be given.
Spoof text messages cannot be blocked, you can’t opt out (you never opted in), so they can continue to come and you cannot call them back to request that they stop contacting you. So, it is vitally important that mobile phone users are educated on how to avoid being caught out by them.
How does sms spoofing work to deceive mobile users?
In many cases, the original numbers are changed and we call this “sms originator spoofing”. For example, you receive a text message from a friend in your contacts – nothing unusual there, but the content of the message is unusual. Maybe they are asking you to click a link to transfer them some money as they have found themselves in urgent financial trouble. The way they are communicating with you might sound different too.
Sms spoofing attacks are fairly sophisticated and can fool even the most security-conscious mobile phone users. It’s probably because being scammed by someone you trust or a company you trust is the last thing you would be expecting and would certainly not be on high alert for. It can come out of the blue.
Many large and trusted organisations can fall victim to sms originator spoofing, finding that customers and non-customers are receiving fake sms messages claiming to be the real deal. The message may look as though it has originated from a secure brand such as Lloyds Bank or the NHS, when in fact, the sender’s name has just been altered to impersonate them and spoof the receiver. Sms spoofing can look entirely innocent but will usually serve the purpose of extracting personal data from the end-users. The end goal is always to profit from fraudulent and criminal behaviour.
Sms spoofing made easy
The most alarming fact about sms spoofing is that there are now a number of easy to access online services offering software and tools that anyone can download onto their own PCs that can change the originating phone number or the name of the sender. What’s even scarier is that they only require basic computer knowledge to use. Once you have downloaded the tool, also known as an sms spoofing attack vector, there are no external checks carried out by the service provider. Although this sounds illegal, the laws surrounding the engineering and selling of such software are pretty vague and there are not enough checks in place to prevent it. Even with more robust rules surrounding fraudulent sms, such attacks will perhaps continue to work around loopholes.
Phishing is all about personal information. As with sms spoofing, phishing is also concerned with the theft of personal data and ultimately money by imitating a trusted person or business to deceive a recipient. There are phishing tools whereby, once they have access to your PC or laptop, can extract financial information, addresses, passwords, and so on. Not only can the person behind the attack use this information to defraud you financially, but they can also use it to impersonate you to get away with another crime undetected as themselves, or to defraud one of your personal contacts.
Impact on businesses
Savvy businesses regularly try to educate their staff about phishing as the consequences of being subject to a cyber-attack can be catastrophic and it happens often as the criminal activity can be difficult to detect. Emails are a hotbed for such attacks. An innocent-looking email arrives in your inbox from your accounts department at work telling you that your details are not up-to-date and to click on the link to update them. Without even thinking, you clicked on the link and allowed access to cybercriminals to your company’s entire database. Whilst this activity is highly illegal and companies are usually insured against it, the criminals are very hard to catch and will even target the same business more than once if they can find a way in. For those businesses who were smart enough to get insured, the cost of the disruption to their business whilst the issue is resolved and stabilised can also be catastrophic.
Spoofing and smishing (or SMiShing) are both activities that support phishing and are used as a way to grab that sensitive data or deprive people of their finances via their personal phone devices. Smishing is essentially a hybrid term for sms phishing and can attack sms marketing messages or even personal sms. Once a perpetrator has enticed you to click a link, it’s access all areas for them. Just think about all the sensitive data that you store on your phone; and by accessing your contacts, the scammers can pull the same dirty trick on them too by pretending to be you. It’s a very common occurrence on social media platforms, which most of us are probably more familiar with. It often starts with a private message from a friend saying “Hi, how are you?” If you engage in conversation the false sender is careful to keep the chat vague to hook you in. Most often these types of scams are easy to spot thanks to poor spelling and the very quick request for money. You may also see posts on Facebook or Twitter that contain links and lure people in with the promise of weight loss or fast financial gain and you may click on them when you see that it was shared by a trusted friend. Your friend could also be a victim.
How the fraudsters do it
Fraudsters can easily manipulate the most conscientious phone user into falling for a spoof sms or smishing scam. One of the advantages these criminals have is that we are very busy and our phones fit into our fast-paced lifestyles. They may change a very small detail on the sender name, making it look like it has come from a trusted source when in reality it hasn’t.
Replacing an O with a numerical 0 can make the word Vodafone look the same when it has been fraudulently altered. Perhaps if you had time to sit and look at these spoofed sms messages properly, you might realise that all is not what it seems. However, in our attempt to deal with things on the go, it’s easily missed and before you know it, you have clicked on the link that will allow the spoof attackers full access to your sensitive data.
Spoof text messages are not always random. They are usually sent out as bulk messaging via an automated system, but many recipients are targeted so that they do not necessarily spot the con. For example, you may have made a purchase through eBay recently and phone numbers held on the seller’s account may have been phished or smished. You could then receive a spoof sms to ask you to pay extra for shipping costs. Like this:
“You have a recent eBay purchase that requires export costs to be paid before it can be released from customs. Please click the link now to make a payment to avoid delay.”
It’s important to understand that spoofing sms can be a way to defraud you of more cash in the future, an attempt to gain access to your personal details, or both.
Types of sms spoofing and smishing to look out for
1. False sender company name & fake sender IDs
As we have mentioned, this is a very common kind of sms spoofing and often successfully fools the recipient into thinking that they have received an sms message from a legitimate brand. Very often, it will be a brand that the phone owner will have been expecting to hear from, so won’t look too deeply into it.
2. Money transfers
You will mainly see this with shopping online. The spoofing criminals will load up their shopping cart with expensive items and attempt to pay for the goods via a bank transfer. This does require some insider knowledge. It helps if the fraudsters know the phone number that banking messages are sent to. This way, they can send spoofed messages to the number that show the payment has been made, when in fact it has not.
Spoofed text messages can easily look as though they have been sent by a bank or other official body. So, when attempting to defraud an individual or business out of money using fake money transfers, there will usually be a link to direct the victim straight into the trap of giving out all the details the scammers need to complete a transaction.
3. Impersonation/Fake Sender
Many of us will have encountered this type of spoofed text at some point or other. We operate so much of our daily business online and not all of the information we trust with the companies we deal with is safe from hackers and scammers. It only takes for some of our sensitive information to fall into the wrong hands and we become vulnerable. In the days before technology, a scam of this nature may have come in the form of a forged letter perhaps from your bank or insurance company, asking you to write back with personal information or call a telephone number for the same reason. Once that information has been gathered a scammer could attempt to use that information to impersonate you, the victim. This took a lot of effort and was risky on a few counts. Now that we are so available on our phones, the risks are so much greater. For example, when booking your dental appointment online, you know that usually you pay for your treatment at the end of the check-up. However, in the meantime, a fraudster has managed to obtain your phone number and personal details from the dentist’s database and knows that you are due a check-up.
“Hi Beth, just confirm that your check-up appointment has been booked. Due to an increased number of no-shows, we are now taking payment for treatments ahead of appointments. Please click on the link below to confirm the appointment and make payment.”
The message looks almost the same as your usual sms messages from your dentist, the details are slightly vague and the dentist usually signs off with his name, but it sounds reasonable and you thought your private details were safe with the dentist. This is how innocent a phishing scam can look.
4. Personal Agenda
Not all sms spoofing and smishing are led by online criminals and it can be much more personal than that. As stalking and harassment are regularly thrown into the spotlight, it is important to point out that there are people out there who will use your personal data for their own gains and that is not always financial. It could be to play a prank, get revenge, harassment, stalking, or long-term intimidation.
When sms messaging first started, there was a common prank, whereby you send a text message to a friend or colleague to tell them that someone called to speak with them and asked for a call back. The recipient would call the number provided and go through to an automated phone line where a spoof conversation was set up with just the right pauses in the right places to fool the caller into thinking that they were talking to someone who was angry with them. Whilst this was a funny prank and fairly sophisticated for its time, it came at a cost to the caller who unbeknown to them was calling a premium rate number. Each recipient of the spoofed sms would be encouraged to keep it going and send it on to a friend.
In more recent times, workplaces and schools have reported issues with inappropriate material being shared as a prank via sms messages. Once something inappropriate or possibly even illegal has been shared and the link has been clicked, it will be stored in the recipient’s phone history. In schools, this is a bigger problem with the use of Whatsapp and in offices a common prank over email.
How to guard against sms spoofing
Spoofing and smishing are getting harder than ever to detect, so phone users must educate themselves on the latest scams. It is also important that businesses who are using sms marketing campaigns or transactional sms are aware of the risks to their end-users and take measures to advise them on what to look out for or act quickly once they realise there is a problem. Here are our top 5 tips to avoid being caught out by sms spoofing:
- It is not always possible to click on the sender’s name to look at it in greater detail.
- Spoofed text messages can be sent from anywhere in the world and by people of different cultures and nationalities, so it is important to check the spelling and grammar to make sure they are correct. Any legitimate businesses will have a robust proofreading system in operation and won’t be relying on Google Translate to write text messages.
- Spoofed sms messages are usually no-reply, so the scammers have to rely on other methods to get you to engage, such as asking you to call a number, click on a link or email them back.
- Look out for mundane and ordinary transactional sms messages such as payment reminders, attempted deliveries, parcels held up by customs, overdraft limit warnings, speeding and parking fine notices, and password reset requests.
- Be wary of anyone telling you that they owe you money, you have won a prize, you have inherited, or even a random admirer whom you have never met before.
Prevent sms spoofing – Don’t become a victim!
Apart from the obvious indicators in our top 5 tips, you can go further to protect yourself from falling victim or protect those around you:
- Be wary of sms links – They are not always as they seem, clicking on a link will take you to another location away from your inbox possibly in a bid to phish information from you, or could grant access to the personal details stored on your phone. Banks and financial institutions will never ask for information via a link. When in doubt, contact the sender to check the legitimacy of the sms. Go onto the company website and double-check offers and deals you have been sent.
- If it looks too good to be true, it probably is – Don’t get taken in by an unusually amazing offer. You know a good deal from a bad one, but you also should know when something is so good, it’s suspicious. For example:
“Nike is giving away free Nike Air Jordans to the first 200 people who click the link below”.
You might think you would never fall for it, but you were busy and you didn’t have time to think about it and clicked the link.
- Take your time – Looking at text messages in a hurry is how you can get caught out without even realising. So, spoofers rely on our busy lives to catch the majority of their victims. You see some spoofed text messages and think, who in their right mind would fall for that? Well, so many people do after only glancing at it and responding instantly.
- Don’t act instantly – Allow yourself time to process what you are reading and you are more likely to make an informed decision. Show the message to someone else and ask what they think about it if you are unsure. Sometimes, just repeating the message out-loud can help you to alert yourself to inconsistencies.
- Ignore messages from unknown senders and senders you did not opt-in to receive sms from – It sounds obvious, doesn’t it? But sms spoofing relies heavily on cold texts, meaning that they have probably not made contact with you before. They may be impersonating a company but if you haven’t dealt with that company or individual before and don’t remember signing up to receive texts from them, it’s always best to check it out first. It is illegal for a business to send sms marketing messages to you without your consent unless it’s transactional sms.
- Use a spam filter and virus protector – Spam filters and virus protectors are not just for your computer and a good brand can also cover your phone. They will protect your phone from phishing software should you ever inadvertently allow a spoofer access your data. If you set up a spam filter on the email address that you have registered your phone with, it should ensure that sms spoof text messages don’t reach your inbox.
- Check the legitimacy of any websites you visit – Does the page look normal? Is it secure? Is the URL right for the company it is claiming to be such as microsoft.com or are there additional letters and words in it that don’t look right?
What are the legitimate uses and legal uses of SMS spoofing?
Sms spoofing is not all bad, or perhaps when we are talking about legitimate uses, the name spoofing is off-putting and seems like a contradiction in terms. It does have its uses and when applied in the right manner can be very useful. Here are a few perfectly legal uses:
- Bulk sms messages – sms mobile marketing is suitable for different sized organisations. It can work for all businesses, from the one-man band to the international corporate group and it can facilitate the sending of hundreds of thousands of messages at once. It is useful for large scale updates, promotions, and reminders. With bulk sms, the sender ID appears branded so that the recipient can instantly recognise the company. Any reputable company using bulk sms will ensure it is robust and cannot be subject to hacking.
- Official updates – Sms spoofing for official messages and updates is a quick way to ensure that your recipients know that it’s you and can trust the information that has been sent to them. Using a spoof name (their company name or nickname) rather than a number cuts down confusion. Unfortunately, it is often this type of sms spoofing that is preyed upon by scammers who then imitate the sender using a similar or the same sender ID to dupe subscribers into thinking the spoofed sms is from a reliable source.
- Protecting the sender’s identity – There are some instances where senders wish to remain anonymous and will use spoofed text messages to hide their real identity. This is not because they wish to break the law but rather because they are sending out very sensitive information and need to protect themselves. They may be a whistle-blower or work undercover for an official authority such as the police. They may wish to report a criminal offence but not be linked to it in any way.
Protecting your brand against sms spoofing
We can’t always prevent sms spoofing or protect people from falling for the scams, but for businesses, it is important to protect your brand from sms spoofing association. When customers report that they have been a victim of a spoofed text message whereby the sender was impersonating your brand, it can be really bad for your reputation. It’s worth taking a close look at your current sms marketing policies to limit instances of illegal sms spoofing being associated with your brand:
- Educate your subscribers – Make sure they know the difference between legal and illegal sms spoofing.
- Inform your subscribers – If you know that there are scammers out there who are already impersonating you via sms spoofing, let people know. If you are worried about sending out an sms update, take to social media to make an announcement or send out emails.
- Be vigilant with your software – Make sure that you choose a reputable sms marketing company like TextAnywhere to provide you with a quality platform. We are also on hand to offer advice should the worst ever happen.
- Avoid using personal phone numbers – Use shortcodes or a dedicated business number or brand name ID.
- Report illegal sms spoofing to the police fraud department – The sooner you can report it, the quicker the spoofed messages can be shut down and awareness can be raised beyond the company walls, which could save your subscribers from becoming victims.