“Your package is out for delivery.”
It’s an SMS we wait for impatiently, from the moment we click, ‘Buy Now.’
Some days, the message takes a matter of hours to arrive. Other times, it can take days, weeks even. That’s why delivery scams can be so effective.
As consumers, we’re buying so much we end up forgetting what we’ve bought after a short while.
And so when a random bleep alerts us to a delivery we’d forgotten all about, we assume it’s for something we purchased...
— ‘Oh, maybe last week?’
…but we need to question the alert that doesn’t ring any memory bells.
While the notification of a package in transit may bring exhilaration at first, it could be hiding a much less agreeable surprise.
SMiShing is serious business
CNN has reported how people across the United States have started to receive questionable text messages from the delivery company FedEx. Why questionable?
Because the messages themselves don’t relate to any actual delivery. Rather, cybercriminals have started a cunning SMS phishing campaign.
It’s a crime now known as…
SMiShing works much like the age-old, ultra-effective email phishing technique: except that it uses text messages in place of emails to coerce the victim into clicking a link.
In the latest ‘FedEx’ campaign, the tactic looks something like this:
- Users receive an SMS, supposedly from FedEx
- The alert includes a ‘tracking code’
- The message requests the recipient clicks a link to set delivery preferences
…and therein lies the trap.
The link takes the recipient to a bogus website disguised as an Amazon listing.
However, the page is entirely fake. The site belongs to the scammers. So, if the clicker follows the instructions to fill out the customer satisfaction survey, they’re falling into the jaws of a criminal underworld.
After answering a few questions, the page requests a few more personal details — including a credit card number — in return for a free gift.
— ‘But why would you need a credit card number?’
Oh, to cover the nominal shipping and handling fee, all seemingly ‘above board.’ Yet, the plot thickens once you enter your card number.
Because the fine print says that, in agreeing to the shipping fee, you’re opting into a 14-day trial with the company behind the fraud.
...and when those 14 days are up, you’ll be landed with a sizey bill of $98.85, payable every month.
To pour salt into this expensive wound, you’ll receive a new supply of whatever reward the scammer offered in the first place.
How to avoid falling for fake rewards
It’s easy to think, ‘Who would fall for such simple trickery?’
The truth is, many people do. Phishing scams are more effective than almost all other cybercrimes. And what makes this SMiShing scam particularly effective?
Well, the text message addresses you by your actual first name. And it has every air of legitimacy.
Plus, in the rush of excitement about the incoming package, it can be all-too-easy to go with the flow. But what can you do to detect that it’s a scam?
Here are four giveaways to look for that could indicate foul play.
Giveaway #1: The Clickable Link
Whether you’re reading an email or a text message, any time you see a clickable link should give you pause for thought.
So, if a message asks you to click, tread carefully: only follow the instruction if you’re 100% sure the text message arrived from a credible source.
If you don’t recognize the sender, or you harbor any doubts at all, ignore the alert. If the message is important, you’ll receive a follow-up.
You can always avoid catastrophe by choosing not to click.
Giveaway #2: Bogus Information
In response to this campaign, FedEx confirmed it would never request personal details or money from customers via email or SMS.
Still, if a message looks legitimate, how can you tell it’s not?
Whenever you see a tracking number, go straight to the source to check it’s real — which means following these three steps:
- Open your web browser
- Type the URL of the shipping company (using your keyboard, no clicking links!)
- Search the tracking number using the search function on the site
By going straight to the source, you avoid entering the scammer’s world. And by searching, you quickly pick up on any bogus ‘tracking’ information.
Giveaway #3: An SMS From The Web
Cybercriminals need to keep their anonymity.
Hence, spammers like to use internet services to send texts — as these hide the identity of the sender.
If you receive a message that looks like it’s come from online, ignore it. Better still, enable the feature on your smartphone that auto-blocks messages from the web.
Giveaway #4: Anti-Phishing Alerts
OK, so this one takes a little action from you.
First, download security software to your mobile phone, and it will notify you of potential threats, even block messages in the first place, offering a dead giveaway of a scam: a red alert from anti-phishing software.
Just make sure every device you own includes a mobile security solution, so you stay protected against the modern-day flurry of cyberthreats.
Stay wary, stay safe.
The only way to protect yourself online is to stay aware of the threat.
Cybercriminals go to extreme lengths to dupe would-be victims into fraudulent traps. But if you’re awake to the tactics, most scams are easy to spot. Be it a spelling mistake in the text or a URL that doesn’t look quite right; there’s nearly always a tell-tale.
And if there’s a freebie on the table that seems too good to be true — the fact remains, it probably is.
Trust your gut and ignore it.
Mobile devices can be a business’s biggest security threat.
Make sure your smartphones are secure by talking to AngelCom — feel free to give us a call on (855) 974-4313.