By Kevin Collier - NBC News
It only took a momentary judgment failure for Alyssa Beckwith to fall for the scam.
The text message he received seemed legitimate, expected even.
After
some personal data
was
stolen
a few years ago, he signed on to text alerts from his bank, Wells Fargo, to confirm every time he made a new purchase.
And that step to protect herself, ironically, is what made her an easy target.
When a scammer texted Beckwith in April, telling him that his Wells Fargo card had been loaded with $ 240 and to "get in touch if you were suspicious," he
didn't think twice and called
.
A robotic voice welcomed him to Wells Fargo and asked him to verify himself, so he entered his credit card number, his Social Security number and his date of birth.
"This information is valid. Thank you," the voice said, and hung up.
Only then did he realize his mistake.
"I was shocked," Beckwith said in a phone interview, "I was surprised they hadn't put me in touch with someone to talk to. Usually that's what happens. That's when I thought, 'My God, my God, I think this is a gotcha".
Within minutes, Beckwith became the latest victim of
smishing
, or
SMS
phishing
, in which a scammer sends a text message to trick a person into handing over sensitive personal information, which can be used for all kinds of scams. such as diverting money from your bank account or opening credit cards in your name.
[This Hollywood actor was arrested for an alleged $ 227 million pyramid scheme]
Unwanted text messages have been around for almost as long as text messages themselves.
But with the increase in the number of people using their phones to make payments, and many bank and utility sites verifying user accounts via text messages, the floodgates of fraud have been opened.
The Federal Trade Commission received 334,833 complaints
about fraudulent text messages in 2020, more than double the previous year.
People around the world were exposed to 125% more
smishing
attempts
every three months, according to a new study from cybersecurity company Lookout
.
They warn about scams in the middle of tax season, how to protect ourselves?
March 15, 202101: 45
Jacinta Tobin, vice president of Proofpoint, a cybersecurity company specializing in threats to cell phones, said that scammers and
criminal
hackers
have found that more and
more merchants and companies are interacting with people through
text
messages
, and simply they followed that trend.
"Before, text was a very clean, relatively peer-to-peer channel. You don't communicate with strangers through text. They are just friends," Tobin said in a phone interview, "but now text messages have been opened. as a more general communication channel for companies, such as transaction confirmations, fraud alerts. "
[Scams related to the COVID-19 vaccine increase, according to authorities]
Scam and
phishing
messages
sent via text are especially stubborn because there is little ability to block them.
Good email providers now block most spam and
phishing
messages
, making
spam
a shadow of the problem it once was.
Although
unwanted phone calls are annoying
, you can at least look at the caller's number and decide not to take the call.
But while smartphones are nearly ubiquitous (97% of people in the United States own one), there is very little that can be done to prevent unwanted text messages.
Apple and Google, the respective makers of the iOS and Android smartphone operating systems,
advise users to block unwanted numbers
, but it's so easy for scammers to pretend they're sending a message from a different number that those strategies lack sense.
Apple, at least, allows users to filter all messages from people who are not already in their contacts, but that does not indicate which texts may be a scam, and it puts them in the same folder as authentic messages from unsaved numbers.
Leaks of users' personal information - including their phone numbers - are frequent, and
hackers
regularly trade people's data with eager scammers. It is so common that in April, after researchers realized that
hackers were capable of obtaining more than 500 million names
and phone numbers of Facebook users, the social network accidentally sent a Dutch reporter a memo. saying, "We anticipate more
scraping
incidents
and we believe it is important both to frame this as a broad industry problem and to normalize the fact that this activity occurs regularly."
Nor is there much indication that the authorities are doing much about it
or have advice for the general public.
When Beckwith realized that she had fallen for a scam, she contacted the Federal Trade Commission, which did not respond, and the Social Security Administration, which told her to watch her credit.
But that was all the help they gave him, and while he hasn't noticed anyone borrowing in his name, the spam messages have only gotten worse.
[They warn about the increase in scams disguised as spam. Here are some tips to protect yourself]
"I get texts about 'your UPS package is waiting, please click this link to confirm," he said.
"Texts from
Amazon
, I get one of those almost every day," he added.
Although phone companies have some antispam measures in place,
their process of protecting against scammers is very weak
and they offer little specific help to customers.
Sprint and Verizon did not respond to a request for comment.
AT&T declined to comment, but pointed to the official guide of the Association of Cellular Telecommunications and Internet, a trade group in the sector, which has some recommendations for users who receive spam messages, including: "If you receive messages that you do not want, respond STOP ".
Alert for a new form of telephone scam in the United States.
March 2, 202102: 39
Responding "STOP" to a marketing company or joining the FTC's "Do Not Call" list can reduce spam from companies claiming to be complying with the law.
But security experts warn that since many scammers have no interest in complying with the law.
Donna Gregory, unit chief at the FBI's Internet Crime Reporting Center, warned of the danger of responding to apparent
smishing
attempts
.
[They warn about scams in the middle of tax season, how to protect ourselves?]
"
If they respond, it shows someone is on the other end
. They may just be looking for live numbers," Gregory said in a telephone interview.
Tobin of cybersecurity firm Proofpoint said responding to
smishing
attacks
likely makes it a target.
"Intelligence about you doesn't dissipate but accumulates," he said, "
every attack that occurs, every text you answer
or every call you answer. Even if the attacker doesn't get that money from you, they can get it by selling your information."
For most people, falling for a
smishing
attack
means losing money or
putting
an increased risk of identity theft. But text messages are also the preferred delivery method for the most extreme form of phone hacking, when criminals or countries gain full control of a phone, turning it into a secret microphone or stealing all your emails and texts.
John Scott-Railton, principal investigator at the University of Toronto Citizen Lab, said he often sees
hackers working for authoritarian countries
sending texts to dissidents who are trying to trick them into downloading a program that will give them access to your phone.
Many pretend to be part of the two-factor authentication process, in which a user verifies their identity through an additional route to their username and password.
[Alert for a new form of telephone scam in the US]
Although cybersecurity experts recommend the use of a trusted and dedicated mobile app to configure the double factor, many companies continue to do so via text.
"Texting is still a loophole
," Scott-Railton said in a phone call, "it is known and used by cybercriminals. Governments who want to scam also use it because text messages are especially well-suited to exploit. a whole category of account password reset and takeover attacks. "
"The real problem is that texting as a second factor is still extremely common," he said, "and as long as it remains extremely common,
phishing
via text messages will also be really common, because
people are conditioned to expect that important things can come through text messages
. "
With no easy solution on the horizon, most people have no choice but to exercise extreme caution not to click on links sent to them by people they don't know.
"SMS numbers can be easily spoofed,
" Tobin said, "don't click on a URL in a text message. Don't trust text message URLs unless you have more guarantees. If you receive a message from text of a bank or a business, write the URL in your browser separately ".