Beware of ‘smishing’ scams

by Larry Magid
This post first appeared in the Mercury News

The first few times I got a text message from a stranger that appeared to be directed at someone else, I politely informed them that they’d reached the wrong number.

But now I ignore such seemingly misdirected text messages, because they could very well be scams, designed to get you into a conversation and lure you into becoming a victim. If you respond, often they’ll respond in a gracious manner, perhaps with a question, offer or even photograph, designed to lure you into a conversation. It’s all about establishing rapport with friendly back-and-forth messages that might lead to “oh by the way, check out this really cool website” or “I want to meet you online” or something designed to make you vulnerable to a crime.

The cost of sending such a message is close to zero, so the scammer can afford to send out millions of them in the hopes that a few people will respond and, eventually, fall for a scam.  It’s a form of social engineering or, in a sense, grooming, where the scammer transitions from friendly banter into a trust relationship.

‘Smishing’ scams

Wrong number text messages are one of several examples of “smishing” scams. The name is derived by combining “SMS” (“short message system”) with “phishing.” I rarely got them until a couple of years ago, but now I’m getting at least a few each week.

Delivery, relationship and subscription scams

Another common “smish” seemingly comes from the post office, UPS, Amazon or some other delivery service. I recently got one from “US Postal,” saying “your package is on hold for an invalid recipient address. Fill in the correct address info by this link.” I didn’t click on that link because I’m quite sure it was a scam site.

I would like to think I’m an attractive person, but aside from the fact that I’m happily married and not interested in a romantic relationship with anyone besides my wife, I’m not naive or vain enough to think that much younger women are interested in dating me. Yet, I frequently get messages by text, email and on Facebook that appear to come from attractive young women who are anxious to meet me. I immediately block those requests, because they are clearly scams. And men aren’t the only ones vulnerable. Anyone can be the target of a romance or relationship scam.

Sometimes the message is as simple as “how are you,” but whatever it is, it’s an attempt to get you to start communicating until they loosen you up and get you to fall for some type of scam.

I also get a lot of text messages that appear to come from Netflix or other companies informing me that my account has expired, or I need to update my password or payment information. There is a link to click on or perhaps a phone number to call. The scam is designed to get you to provide information that can help the criminals gain access to one or more of your online accounts as a way to steal your money and/or your identity or expose you to malicious code (malware). If you have any reason to believe that there is a problem with any of your accounts, don’t click on any links. Log into the company’s website by typing in its web address. And when you type in addresses, double check to make sure you’re spelling them correctly. Another scam is to register a domain that’s similar to a legitimate one.

Texted authentication codes

If you’ve read my past columns, you may know that I’m a big advocate of two-factor authentication (sometimes called “multifactor authentication” or MFA).  It requires you to enter a code, typically sent to you as a text message, as a way to verify it’s you when you try to log into an account from a new device or browser. It’s not fool-proof, but it greatly reduces the chances of someone getting into one of your accounts.

However, there is a scam being used to get around this safety procedure. It starts with a text message that appears to be from a bank or other legitimate organization about a payment you made or other notice that requires action on your part. In a post, Forbes blogger and security expert John Wilson explained how it works. The scam starts with a message from your credit card company, perhaps confirming a purchase that you didn’t make. “And now you’re worried, angry and upset,” wrote Wilson, so “you want to take immediate action to resolve the problem.”

The scammer, who already has access to your account’s username and password, tells you that you will soon get a code that you should give to them. The scammer then tries to log in, which prompts your bank to send the code. If you follow the instructions and give the code, the scammer will have defeated the two-factor authentication and be able to log in.

Wilson cautions not to let this scam keep you from continuing to use multifactor authentication. “It’s still effective and important, particularly when you’re using sites or apps where sensitive financial or health care information is stored.  Just remember to never give out a one-time password to anyone, including a bank employee.”

Medicare scams

There are plenty of other scams out there, including ones aimed directly at seniors. Be on the lookout for Medicare scams, especially during the enrollment period (now through December 7) where fake companies try to get you to provide them with sensitive information or pay for bogus plans. If you have any concerns, go directly to medicare.gov or your private plan’s website, contact a reputable broker or call 800 MEDICARE. By the way, medicare.gov has a secure live chat service that’s often much faster to reach than the phone number.

Don’t let fear keep you from services you need

And one more thing. Don’t use the fear of scamming to keep you from accessing legitimate services. I have one friend who is so afraid of Medicare fraud that she doesn’t carry her Medicare card with her when she travels, which was a big problem when she caught COVID while on vacation and had trouble getting the medication she needed. Yes, there’s a slight risk of someone stealing your card and defrauding the government, but there’s a greater risk of not being able to get the care you need if you don’t have your number.

I know of another person who had to wait several months to get her first Social Security payment because she didn’t believe the person who called her to verify information was actually a Social Security employee.  It turned out that the call was legitimate. A better response would have been to call or visit a Social Security office to see what information they needed.

One way to prevent fraud is to disconnect completely, but a better solution is to stay connected and remain cautious.