Do not ignore this warning. While sophisticated malware attacks grab the headlines—this is a much more realistic threat to you and your finances. And it’s surging…
We’re barely into 2024, yet dangerous malware warnings have already made headlines multiple times. And while most target Android’s more open ecosystem, iPhone users have not been immune. As fast as the platforms shore up their defenses, threat actors seem to find ever more sophisticated ways through.
The world of smartphones and mobile networks has come together this week in Barcelona, at Mobile World Congress, to celebrate all things 5G and AI. But as fast as the smartphone world is changing, some things are stubbornly staying the same.
One of the fastest changing technologies is messaging. This year we have seen iMessage step into post-quantum cryptography and Google Messages into generative AI. And the biggest change of all is yet to come—with Apple’s reluctant adoption of RCS due in the fall, finally advancing Android-iPhone messaging beyond the 1990s.
But that archaic 1990s SMS technology is still here, and it’s built into every one of our smartphones. It’s used by most of us for delivery reminders, one-time passcodes, bank balance updates and purchase confirmations, even if personal messages have shifted to WhatsApp or Telegram or walled-garden RCS/iMessage IP chats.
“Who will stop global SMS fraud? And how?” MWC asked this week. SMS fraud or smishing (a play on phishing, for texts Vs emails) is quietly surging. In the US alone, it defrauds smartphone users of more than $300m each year, up fivefold in five years. There are around 400,000 dangerous texts sent every day, and research suggests nearly 40% of all smartphone users now receive them.
You knows them when you receive them—pretending to be from Amazon or Apple or FedEx or the IRS. There is no junk mail equivalent when it comes to SMS, albeit the networks stop what they can and today’s smartphones can filter unknown senders.
A shocking ENEA report published this month estimates that “4.8% of global messaging traffic is fraudulent… this is now so pervasive in the messaging ecosystem that between 19.8 billion and 35.7 billion fraudulent messages were sent in 2023… with brands incurring costs of $1.16 billion due to fraudulent messages.”
Last month, Bitdefender also warned that “SMS scams are everywhere, and attackers are always looking for a social or political issue to exploit for profit. As scams get more creative, whether it’s a package delivery, a government refund or a banking credential issue, anybody can become a victim.”
And the problem is not going away. “If you think that the new RCS messaging standard will offer any protection,” Bitdefender says, “you would be wrong; these types of scams will continue to spread regardless of the messaging standard used.”
In reality, it’s the convenience and ubiquity of SMS that has undermined its safety. It’s on every phone—from the smartest to the simplest, and the newest to the oldest. It works cross-platform, network and geography. And because we use SMS for so many notifications, we don’t disable it or filter what comes through.
I suspect most of you reading this assume you will spot the fraud and will not be duped—and 99 times out of 100, I would think you’re right. Most fraudulent SMS messages are easy to identify and ignore. Either it’s a brand or service you don’t use, or it’s clumsily crafted. But they only need to get you once.
“SMS is still as simple as when it was first delivered, yet its simplicity is what also makes it a prime target with fraudsters,” warns ESET’s Jake Moore. “Unknown phone numbers connected to a text message are more likely to be accepted and have far more manipulation than a dodgy looking email address with the same content. It is surprising the technology is still so relied upon around the world.”
Fraudulent SMS campaigns are pure social engineering. It’s a widespread spray attack, that is looking to match a message with a target. The person who is waiting for a delivery or a refund or has not seen a check clear in their bank. A simple click and then you’re jumping down the rabbit hole.
And so, here are five simple rules:
- Never open an SMS from a brand you don’t use—just delete it
- Never click a link in an SMS unless you are expecting that very specifically—even then my advice would be to avoid all links
- If the message is from your bank or Amazon or Apple or another brand you use, then login the usual way and do not opt for the quick link provided
- Don’t leave suspect SMS messages in your inbox—delete them and then block the numbers to avoid any further messages
- Filter unknown senders if you can, to separate them from known traffic; and when you get OTPs or updates from your accounts, save the number
“Authentication apps and encrypted communication channels remain far more secure than SMS,” Moore says, “with SMS ideally only for quick, one way updates.”
This surge in SMS fraud makes it even more critical to find industry solutions. But that’s proving difficult—albeit we now have trusted brand accreditation in platforms like WhatsApp and hiding personal numbers in Signal, which all helps.
In the meantime: Do not ignore this message—delete it.
