How to Help Your Business and Customers Avoid Text Smishing Scams
As if 2020 wasn’t delivering us enough to contend with. Now, many of us are receiving unwanted SMS text scams (supposedly, but not really) from USPS. And with Amazon Prime Day kicking off soon, along with what may be a rollercoaster Black Friday-Cyber Monday-Holiday Shopping Season that may basically last the rest of the year (hopefully giving a nice boost to the economy), two things are for sure... There will be more shipping than ever before. And more scamming.
SMS phishing — also called “smishing” — is the act of committing text message fraud to dupe unsuspecting victims into revealing account info or their trackable location, or into installing malware. The ruse typically includes links to fake websites (that often look legit) and/or requests for personal data ranging from passwords to social security numbers to answers to common ID/password security questions.
High-Tech Scammers Have Gotten Sleek, Savvy, Stealthy — and Increasingly Dangerous
Not all heroes wear capes. And not all scammers appear shady. Smishing has become a well-oiled machine. So brilliantly deceptive that people may not even realize they’re being hoodwinked — until it’s too late. “The scammers are pretty crafty in putting these things together and trying to trick people to fall for them by making them think that they’re real messages,” said Alvaro Puig, consumer education specialist with the Federal Trade Commission.
West Virginia Attorney General Patrick Morrisey adds that, “Scammers will use every form of technology and pose as anyone to steal your personal, identifiable information… This is why consumers must always remain on guard. That means never click on an unfamiliar link and never share information without verifying the legitimacy of the person or entity on the other end.”
Indeed, these high-tech pickpockets may already have gained access to publicly available data. In many cases, they know the cell phone user’s name or have usurped other commonly identifiable information to appear more legit.
Did You Have Smishing on Your 2020 Bingo Card?
Many of us are socially distancing and avoiding enclosed spaces wherever we can, ordering groceries and toilet paper and perhaps a new book in ways we haven’t before. Numerous stay-at-home orders are even split up and shipped out separately (hopefully in boxes getting recycled?). Is it any wonder that we can’t keep track of every single delivery request? When we receive a text claiming there’s an issue with a package… or that a package is waiting for us… it certainly seems plausible.
Scammers also often use current events against us, preying on our already heightened concerns about delays with the postal delivery service in addition to spiraling orders and shipments. Or they text promises of prizes to be claimed or surveys to be taken for a small reward — and “innocuously” request the personal data of the claimant (and intended mark).
‘Tis the Season to Shop ‘Til We Drop — But Don’t Let Your Guard Down With It
Klaviyo, a marketing platform focused on eCommerce business, predicts that 2020 will be the biggest year on record for eCommerce, with sales expected to top off the year at a record-smashing $1.1 trillion.
That’s more than just a jump. That’s a Superman-inspired leap.
Way back in that simpler time before the pandemic reshaped economies, the original 2020 projections were $691.4 billion (which was still a healthy increase from the previous year). It may well be that 2020 eComm sales actually eclipse 2021 if shoppers feel more comfortable returning to physical stores.
In an article for Medium, author Chris Hays details how scammers operate and how easy it is for them to use phishing site software to disrupt everyone’s holiday cheer. He writes that “Phishing sites are usually deployed using pre-built phishing kits… The kits make it easy to deploy a site, capture sensitive information, verify visitors as potential targets... redirect users to the real site after they’ve been phished, and switch the kit on and off.” He also notes that phishing sites are monitored in real time so they can disband quickly if they are detected (like a thief in the middle of the night).
By its very nature, smishing can be even more potent than regular phishing. Since SMS is inherently limited to 160 characters of text (or fewer), messages often pack a more powerful punch. Texts are opened faster and engagement is often far quicker. While this is normally a net positive for business, it can be dangerous in the hands of criminals.
Words that invoke fear or urgency automatically jump out — and often scare people into giving out personal info faster than other channels.
Protect Your Clients, Your Business & Yourself
Be proactive. Warn subscribers about any specific hoax on your radar or offer general best practices for account security and protection. One telltale red flag to be on the lookout for is the domain name for any links.
Remember that only the last two dot-separated parts of a link’s hostname are the domain. As an example, in the link http://eztexting.fakeurl.com, the domain is fakeurl.com and not eztexting.com.
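An added example (not code from the original article) of the domain check described above, in Python: it extracts the domain a link really points to and compares it with an allowlist. It goes slightly beyond the two-part rule by also handling links with a `user@` prefix, IP-address links, and suffixes such as co.uk, where the domain is the last three parts. The allowlist and the short suffix set are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the domains a business actually sends links from.
TRUSTED_DOMAINS = {"eztexting.com"}

# Constructed subset of two-label public suffixes (assumption for this example).
# The authoritative source is the Public Suffix List at publicsuffix.org.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def registrable_domain(url: str) -> Optional[str]:
    """Return the domain a link points to, or None if it has no usable hostname."""
    url = url.strip()
    if not SCHEME.match(url):
        url = "http://" + url              # links in texts often omit the scheme
    try:
        host = urlsplit(url).hostname      # drops any "user@" prefix and the port
    except ValueError:
        return None                        # malformed link: treat as untrusted
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2 or all(part.isdigit() for part in labels):
        return None                        # bare name or IPv4 address, no domain
    suffix_is_two_labels = ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES
    keep = 3 if suffix_is_two_labels and len(labels) >= 3 else 2
    return ".".join(labels[-keep:])


def is_trusted_link(url: str) -> bool:
    """True only when the link's real domain is on the allowlist."""
    return registrable_domain(url) in TRUSTED_DOMAINS


if __name__ == "__main__":
    # Constructed sample links, including the one used in the article.
    for link in ("http://eztexting.fakeurl.com",
                 "https://www.eztexting.com/track?id=1",
                 "http://eztexting.com@fakeurl.com/login",
                 "eztexting.com.fakeurl.co.uk/pkg",
                 "http://192.0.2.10/usps"):
        print(f"{link:45} {registrable_domain(link)!s:15} {is_trusted_link(link)}")
```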
Some other things to be on the lookout for in messages from untrusted numbers include:
- Claims related to problems with your account or payment information
- Asking for confirmation of personal information
- Refund offers, specifically ones purporting to be from the government
- Links and invoices that do not come from trusted numbers
Here are other ways businesses can help keep their customers safe:
- Build customer trust by creating your own official texting updates to track packages. Shoppers weary of scams will feel more secure.
- Ensure clients are aware mail may be delayed with the increased activity and holiday rush.
- Remind consumers that reputable companies or government agencies never send unsolicited messages requesting personal information or asking for random payments outside of their own site. They also never send messages from unauthorized accounts.
- Stay updated on the latest scams and alerts by regularly consulting the Federal Trade Commission’s website or following them on social media.
- Advise subscribers on call-blocking apps that pull double duty and also block unwanted text messages. The FTC recommends going to CTIA for a list of these apps.
- Give the subscribers in your database several options for reporting unwanted messages. Along with reporting them directly to you, they can also inform the FTC, or copy the distressing spam message and forward it to 7726 (SPAM).