- Scammers can exploit vulnerabilities in the phone system to blast dangerous links to your phone.
- Insider got a look behind the scenes at an operation thwarting the scammers.
- Scammers can make a significant payload off a small investment. Here’s how to stop them.
- See more stories on Insider’s business page.
They’re designed to strike the part of your brain that feels an instant obligation to fix something, and fix it now.
Your package has been lost. We noticed an error on your unemployment application. This message is from the CBE Group, a debt collector, please contact us. You have a package that is over a week old that will be returned to our warehouse. AT&T billed you incorrectly. Hi there, this is Jason from Walmart, you have an item addressed to you, can you please collect it by today?
Those messages aren’t really from the companies they purport to be. Manipulative, believable, and increasingly popular, criminals who want to bilk consumers out of money are orchestrating sophisticated phishing and scamming attacks using text messages.
For years, texts have become an increasingly integral part of commerce in America. Scammers, many of whom are ripping straight from the successful scam robocall playbook, are invading messaging apps with clever and deceptive messages designed to separate targets from their money or information, and the profits are ridiculous.
Essentially, the scammers have designed a computer that turns cents into dollars, and they’re only just getting started.
Because of the nature of the scams, it’s nearly impossible for the regulators or the carriers to stop them. Even when they do manage to slap them with a fine, the scammers just don’t pay it. But there are things consumers can do to stop them, and to protect vulnerable family members.
Scam texts 101
Aaron Foss, the founder of anti-spam app Nomorobo, offered Insider a look into the volume of scams coming into American phones.
Over the course of a week, Nomorobo observed 666,704 text messages come on to users’ phones from numbers that were not in their address book. About one in 10 – 9.98%, specifically – were flagged as malicious, attempts to scam the users, and were blocked by the service prior to hitting inboxes.
Foss and his company are constantly evaluating the flows of automated text messages across the system, identifying bad actors and shutting down their access in real time. It’s a never-ending fight, and the scammers are increasingly clever.
“We’re seeing that 10% of all unknown text messages, if they’re not in your contacts, are spam, scam, or phishing,” Foss said. “The vast majority do things like impersonate US Postal Service, Amazon, Costco. They usually have a link in there. They’ll say something like, ‘Congratulations, you’ve won some raffle,’ or ‘Thanks to COVID, Netflix is giving you a free account,’ or something like that.”
Your basic scammer is targeting someone who can be easily confused, who who isn’t attuned to the business practices of these companies. When they click the link, they’re sent to a “rewards” site, perhaps with the appearance of a game or a spinning wheel, and are told they won something.
In reality, after inputting their information, they’re signed up for a recurring app purchase.
The math is extremely simple for the scammers. If they spend a few dollars on the domain, send out hundreds of thousands, maybe millions of texts for a fraction of a penny apiece, even if just 0.1% click on it, and even if just five people get fooled, they’re up several hundred dollars.
“Once you have a system like that? You put $1 in one side, and it spits out $500 on the other side. You’re just gonna do every single thing that you can to find ways to do more and more,” Foss said. “Fine, I’ll work with six shady text messaging companies; fine, I’ll buy 1,000 domain names. It doesn’t matter at all, I’m not going to get caught. You’re not gonna catch me in this.”
But other, more sophisticated attacks can confuse and steal from people who aren’t so easily fooled.
The goal of a phisher is to get personal information that can be used to steal. The modus operandi is to spam out a message that directly appeals to a subset of the population – something like “there’s an error on your unemployment form” or “your Amazon package is late.”
These are effective because text spam is a numbers game: Amazon sends out 1.6 million packages every day, and because of the pandemic, millions of Americans are on some form of unemployment right now. The low cost of text messages – a quarter of a cent per text, when bought in bulk – means that the numbers game favors the scammers.
“There’s going to be a good proportion of people who think, ‘Actually, yeah, COVID pandemic, I need that money to survive.’ They click and put in their information,” Foss said. “In a couple of these, we’ve done some digging where the scammers that put this together are very poor programmers, and left a lot their stuff open. You can see all the victims that they’ve gotten. There’s hundreds of people that have unfortunately fallen for the scam and put in their information.”
These are well-designed rip-offs. Can you tell the difference between the actual Ohio unemployment site, and a fake unemployment site Foss spotted last week?
It’s the URL. The scammers are algorithmically buying up fake but similar URLs to actual websites, and then spamming them out en masse, with the understanding that they have just a few hours until they’re shut down.
This particular registration, per documentation Foss sent over, had an IP address in Russia and had been obtained very recently.
“They know that they’re only going to get a couple of hours out of that URL,” Foss said. “When we see that it’s usually automated, it is actually one registrar that particularly turns a blind eye to these kinds of things.”
The scammers send the messages out through wholesale carriers. Wholesale carriers are smaller providers that sell access to the same phone system used by your carrier, which could be AT&T or Verizon. There are thousands of theses smaller carriers: following the deregulation of the US telecommunications industry, anyone can technically set up a carrier that can get their message into the US phone system, at which point it’s treated equal to any other text. The scammers simply need to find the weak link in the chain, a carrier willing to take money from sketchy texters.
“These are resellers, a wholesale carrier might sell to another wholesale carrier, which sells to another company, and you might be three or four steps down,” Foss said. “In general, they will find overseas companies, or domestic companies that they’ll look the other way.”
The phone number they send the text from is spoofed, the imitation website they built is designed to last on the order of hours, and typically there’s a personal identification value somewhere on the URL so if a person clicks once, the scammer knows they’re a number that’s likely to click again, so even if they don’t get you this time, they’ll have plenty of other chances.
After all, when the texts are a quarter of a penny and the domain name is a couple dollars, they don’t need a lot of people to be fooled in order to break even.
And when state unemployment offices use Social Security numbers as their usernames, the effects of falling for a phishing attack can have substantial long-term impacts beyond a thief stealing unemployment payments.
“The part of this that’s really the worst? They really are taking advantage of people that are already down on their luck,” Foss said. “The pandemic comes in, and you lose your job, and you need a way to eat and afford rent, and now you get scammed from somebody trying to steal your unemployment benefits.”
How to spot scam texts and how to stop them
Operating a robotext operation is ridiculously profitable, but often low-risk. When operators work outside the United States, it can be incredibly difficult to enforce actions against them.
Even when there is enforcement, collecting sizable fines is a separate matter. The FCC ordered TCPA violators to pay $208 million in fines from 2015 to 2019, but it only collected $6,790 as of 2019.
A spokesperson for the FCC declined to comment about any specific company or FCC investigatory methods or challenges.
The FCC did send a number of recommendations, urging consumers to “think twice before clicking any links in a text message,” and to “report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726.” The Federal Trade Commission offers a number of resources explaining the package phishing scams and other fake calls from Amazon or Apple. The Department of Justice is currently investigating unemployment-related fraud, including phishing scams.
Texting STOP will put an end to any legitimate marketer – lest they face thousands of dollars in FCC fines – but a scammer won’t care in the slightest. It would have the same effect as saying “STOP” to a mugger. If they don’t care about the possible consequences of doing identify theft, they probably aren’t worried about an FCC fine they’ll likely never pay anyways.
Applications that insert a filter between your cellphone and the wild west of the text messaging infrastructure may be the most effective way to screen out malicious texts.
“These guys are criminals,” Foss said. “They’re criminal businesses. They’re really good criminals. And they’re really good businesses. And when you put them together, this is what we got.”