When was the last time you got a text from an unfamiliar number? Maybe it sounded like it could be from someone you knew but didn’t quite remember, or it was about a transaction you didn’t recall?
Did it occur to you that it could be a scam?
If not, it should have. Text message scams are becoming more common, which isn’t surprising given that 80% of the total North American population―a whopping 292 million people―send and receive SMS messages. From the point of view of a scammer, that’s a lot of opportunities to trick someone. Plus, text messages can be sent quickly, anonymously, and on a massive scale, much like email. With little effort, text scammers can reach a lot of potential victims.
Despite how common text scams are, few of us think about SMS messages as risky. In part, that’s because we don’t hear about text message scams as often as other types of scams. For instance, we hear about email phishing scams in the news and at work, and phone scams have been around for decades. (Plus, who answers phone calls anymore?) In contrast, when’s the last time you heard about “smishing” (short for SMS phishing)?
Whether you hear about text scams in the news or not, they’re happening. According to the Federal Trade Commission (FTC), Americans lost $86 million to text scams in 2020 alone with victims losing an average of $800. Alarmingly, the Federal Communications Commission (FCC) received around 14,000 complaints about text scams last year; as of May 2021, they had already received 6,900 reports.
Read on to learn how to protect yourself from text scams, including how to block them, how to identify them, and where to report them.
How Text Scams Work
A text scammer’s main goal is to access your personal data, particularly login credentials. They might do this by installing malware on your device that tracks your activity and snaps up passwords as you type them. However, because smartphone operating systems are designed differently from computer operating systems, it’s much harder to install malware on a smartphone. So instead, scammers try to trick victims into giving up their personal information willingly. This information can then be used to access the victim’s bank and online accounts, letting scammers withdraw or move money, make purchases, and quickly move on to new victims.
Hackers use two main methods to trick victims into giving up personal information. The first is sending a link that directs users to a website that installs malware on their device. These links are accompanied by text urging the recipient to follow the link to gain something desirable (like a free prize). The second strategy hackers use is to simply ask for information. They get away with this by claiming their message comes from someone trustworthy, such as a bank, a retail store, or a government agency (often the IRS).
Even if hackers don’t get your bank information or social security number, they can steal other valuable things from you. You may not think login information for your social media accounts is all that valuable, but some scammers will use these accounts to scam your family and friends. For instance, back in April I received an Instagram message from a friend telling me about her new health problem. At first, I assumed the message was genuine since it came from her account. It wasn’t until I called her with questions that we discovered her account had been stolen. After all, no one’s first instinct is to doubt their loved ones. This trust makes your online profiles very useful to hackers.
Note: It’s tempting to reply to text message scams with “stop” or “unsubscribe.” But scams don’t work the same way spam texts do. Companies that send spam texts are acting legally (even if they’re obnoxious), and they are obligated to stop if you reply. But scammers are not operating legally and do not have to stop messaging you. In fact, replying to text message scams makes them more likely to message you again because they know your phone number is active. Plus, if you’ve engaged with them once, they may think you’re more likely to engage again.
Tips for Identifying Text Scams
Just like with any scam, there are many variations to text scams with some being easier to spot than others. However, most will come from a number you don’t know, contain a message that urges you to act quickly, and pretend to be from someone trustworthy, such as a friend of a friend or an organization you do business with. Typically, scammers pressure you to do one of two things: click on a link or confirm personal information. When in doubt, always check information you receive through text before you take any other action.
Here are a few other ways to identify text scams. Beware of SMS messages that are:
Scammers urge people to respond quickly. This keeps their victims from thinking critically about the message they received. Scammers do this by using language like “hurry” or “act fast” and often frame something as an emergency. For instance, according to the FTC, one of the most common text scams involves a message from someone claiming a family member or close friend needs help. Other popular scams involve messages warning recipients that their bank account will be closed if they don’t respond immediately or that they have won a prize that they must claim quickly.
If you receive a message that seems like it was not intended for you or is unusual, it might be a scam. For instance, with the increase in online ordering during the pandemic, one fraud that has seen increasing popularity is texts claiming to be from package delivery services. These texts explain that the delivery service is encountering problems delivering a package and needs the recipient to follow a link to enter more information or reschedule delivery. If you haven’t ordered a package that’s being delivered through that service, then this text is very likely a scam. (Also, most shipping services leave tickets for people when they miss a delivery rather than texting. But you can always call a service to ask if a text you received is real.)
A similar scam claims to be from a friend of a friend and reads something like, “Hey, [name] gave me your number and said we should hang out. Check out my profile here [URL].” If you weren’t expecting your friend to introduce you to someone, it’s likely a scammer playing on your curiosity. Another very old scam offers recipients a prize for a contest they never entered. Prizes are usually high-value items like iPads or cruises that can be yours if you just click this link fast enough… Just be suspicious when strange, unusual, or unexpected texts reach you and always verify them before taking action.
We all make typos, especially when typing on small devices with big thumbs. However, many scammers work outside the U.S. If you receive a text with odd grammar and misspellings, it’s very likely a scammer. This is especially true if the text claims to be from a business or government agency.
Sent from Strange Phone Numbers or Email Addresses
If a text comes from a number that is too long or too short to be an actual phone number, it may be an international scammer or someone using a burner number. Messages from very long email addresses or email addresses that are random strings of characters are also suspicious. Like with burner phone numbers, these are likely to be throw-away email addresses.
Filled with Suspicious Links
When texts contain links made up of strings of numbers or random characters, this is a likely sign the link leads to malware. Trustworthy websites use URLs made of words separated by dashes so visitors know what to expect when following the link.
Many organizations do use tools like Bit.ly to shorten long URLs, which may replace words and dashes with seemingly random characters. But a Bit.ly link can be verified using your browser. Simply type the shortened link with a + at the end and hit enter. If the link is trustworthy, you’ll be directed to a page that provides the full URL. Never click a shortened link until it has been verified.
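The indicators described above (urgent language, requests for personal information, odd sender numbers, and numeric, random-looking or shortened links) can be checked mechanically as a first-pass triage. The following Python is an added example, not code from the original article; the word lists, thresholds, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Word lists and thresholds are illustrative assumptions, not a vetted ruleset.
URGENCY = re.compile(r"\b(hurry|act fast|immediately|urgent|right away)\b", re.I)
PERSONAL = re.compile(r"\b(password|pin|social security|account number|verify your)\b", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://\S+", re.I)

def sender_flags(sender):
    """Flag numbers that are not 10 or 11 digits (legitimate short codes trip this too)."""
    n = len(re.sub(r"\D", "", sender))
    return [] if n in (10, 11) else [f"sender has {n} digits"]

def url_flags(url):
    """Flag shortened links, all-numeric hosts and random-looking path segments."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    flags = []
    if host in SHORTENERS:
        flags.append("shortened link: preview before opening")
    if re.fullmatch(r"[\d.]+", host):
        flags.append("numeric host")
    tokens = re.split(r"[/\-_.]", parts.path)
    if any(len(t) >= 8 and re.search(r"\d", t) and re.search(r"[a-z]", t, re.I) for t in tokens):
        flags.append("random-looking path")
    return flags

def triage(sender, body):
    """Return the indicators a message trips; an empty list means none matched."""
    flags = sender_flags(sender)
    if URGENCY.search(body):
        flags.append("urgent language")
    if PERSONAL.search(body):
        flags.append("asks for personal information")
    for url in URL_RE.findall(body):
        flags.extend(url_flags(url))
    return flags

# Constructed sample messages (fictional 555-01xx numbers, documentation IP range).
SAMPLES = [
    ("155501001992234", "Your account will be closed. Act fast and verify your PIN at http://198.51.100.7/a8f3k29dq1"),
    ("5550100177", "You won a free iPad! Hurry, claim it here: https://bit.ly/EXAMPLE"),
    ("555-010-0142", "Running ten minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```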
Two-Factor Authentication Scams
As privacy becomes more important to the average consumer, more and more businesses are implementing 2FA (two-factor authentication) and MFA (multi-factor authentication) on their websites. 2FA works by requiring users to prove their identity in two different ways, such as swiping a debit card (first factor) and entering a PIN (second factor) or having a smartphone (first factor) and knowing a pattern (second factor). (MFA sometimes requires more than two methods of proving your identity, hence the word “multi” in its name.)
2FA has proven highly effective at blocking hackers. However, that doesn’t mean that it’s perfect. As we explained in our post “What Is Two-Factor Authentication And Does It Work?”, even the best 2FA is vulnerable to phishing attacks, where users are tricked into giving up information that can be used to access their accounts. One common factor for 2FA involves texting a code to a user’s phone. Typically a user will enter their password and then the code is sent. The user then enters the code to access the website. Although this is simple and easy for users, hackers have begun exploiting this method.
For instance, recently my sister posted some items on Facebook Marketplace. She received a few messages from people interested in her items, along with dozens of messages from hackers asking her to call and answer questions about the item. These messages asking her to call were trying to get my sister to give up her phone number. Since the hackers knew my sister’s name, they could easily go to Facebook and use her phone number to reset her password, accessing her social media account. From there, they could scam other users, spread propaganda, or possibly steal credit or debit card information.
It’s important to be aware of what information you are giving up in your online interactions. As a general rule, only give up what is required and always, always verify you are sharing it with an authentic website or service provider.
How to Report Text Scams
If you receive a scam text, there are a few steps you can take to protect yourself and others. The first step is to use protections built into your phone’s operating system. Many major phone manufacturers now allow users to press and hold messages and then “mark as spam.” Not only does this remove the message from your device, but it also blocks the number and reports the message as spam to your service provider. When a number gets reported frequently enough, a service provider will block its activity on their network. The FTC also provides guides for how to block numbers on iOS and Android devices, and WindowsCentral.com offers directions for blocking numbers on Windows phones as well.
If you’re using an older phone, you may need to block a scammer’s number and then report it to your service provider separately. The organization CTIA, a trade organization that represents the wireless communications industry in the U.S., has a section of their website dedicated to blocking robocalls, spammers, and scammers. You can use it to find directions for reporting suspicious numbers to your wireless provider.
You should also report text scammers to the FTC and the FCC. Doing this helps these organizations track current scams, offer better advice to consumers, and prevent future scams. Report smishing attempts to the FTC here. You can report them to the FCC either by filing a complaint here or by forwarding the suspicious text to 7726 (“SPAM”).
Finally, if the text claims to come from a business, you can report the scam to them as well. Companies like Amazon and UPS are constantly revising their business practices to keep customers safer, and in some cases they can take measures to stop scammers and warn other customers.
What to Do If You Fall for a Text Message Scam
Falling for a text scam is easy; that’s why it happens to so many people. It only takes one time of paying half-attention to click the wrong thing and end up in a scammer’s trap. So what happens if you do get tricked?
People who fall for text message scams are significantly more likely to become victims of identity theft, so it’s important to take steps to protect your identity such as monitoring your debit and credit cards and watching your credit report. You should also change your passwords on any sites with access to billing information or social media accounts. Familiarize yourself with signs of identity theft, and if you see something suspicious, act quickly to minimize the impact. You can learn more in our blog post “How To Recognize And Recover From Identity Theft.”