
Phishing, Smishing, Vishing? What’s all this ‘ishing’?

  • Post category: behavior
  • Post last modified: June 2, 2022

Thomas Reid – “A chain is only as strong as its weakest link”

VJ – “An email or SMS is only as legit as the links inside it.” 🙂

Yesterday I received a text message from an unknown number about my M&T bank account being locked. First off, I don’t bank with M&T, second – the msg had some random URL domain (rfj-7.us) which has nothing to do with M&T Bank (mtb.com), third – a spelling mistake (Unknow). What was this? A Smishing attack!

Smish – fake M&T alert


Since these attacks are so common, I decided to write about them so that people are protected from these scammers.

The Attacks/Scams:

There are three different ways in which scammers can try to deceive you.

  • Phishing: scamming via emails.
  • Smishing: scamming via SMS/text messages.
  • Vishing: scamming via phone calls.

Phishing:

Phishing is a type of cyber attack that tricks victims into clicking malicious links in a seemingly legitimate email.

An unsuspecting victim clicks on the link which takes them to a page asking for confidential information like personal details, credit card info or username/password. The scammer then uses this info to perform malicious activities such as money transfer, unauthorized credit card purchases, using your Netflix account etc.

Clicking the link could also install malicious software – viruses/spyware on your system which can inflict great harm.

Smishing:

Smishing attacks are very similar to Phishing except that the malicious links are sent via text messages instead of email.

Vishing:

In a vishing attack, a scammer calls you on your phone, either personally or with automated calls, to trick you into thinking that the call is legitimately from a service provider. They will con you into providing vital information which can then be used to perform fraudulent activities.

How do I spot a scam?  

The bad actors are very creative in crafting their attacks so that the victim thinks that the email, SMS or phone call is genuine. There are a few red flags though:

  • Sender email address domain is different from the actual domain of the firm contacting you.
  • A strange URL in the msg which has nothing to do with the actual service provider URL.
  • A button/link/image which says things like: ‘Renew membership’, ‘Verify account details’ but when you hover over it, you see a weird unrelated domain in the target URL.
  • Spelling mistakes and bad grammar, because the messages may be sent by a foreign source.
  • Unexpected messages creating a high sense of urgency and requiring you to take immediate action because of events like: ‘your debit card is locked’, ‘unauthorized transaction detected’, ‘you have won a gift’, ‘your Netflix subscription cannot be renewed’ etc.
  • You received an email on a different email address than the one you have saved on the provider website.
  • Phone calls from banks, Govt. agencies like IRS, Social Security office asking you to provide detailed info about yourself when there isn’t any reason for interaction.
  • Phone calls creating a fake sense of urgency and demanding immediate action.
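
The text-message red flags above can be checked mechanically. The following is an added example, not code from the original post: the brand keywords, urgency phrases and sample message are constructed, and only the domains mtb.com, bankofamerica.com, netflix.com and rfj-7.us come from the post. It also strips the invisible characters that scam texts place inside words to slip past keyword filters.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Legitimate domains taken from the post; the matching keywords are assumptions.
BRAND_DOMAINS = {"m&t": "mtb.com", "bank of america": "bankofamerica.com",
                 "netflix": "netflix.com"}
# Urgency phrases modelled on the post's examples (illustrative, not exhaustive).
URGENCY = ("locked", "suspended", "on hold", "unauthorized", "payment has failed")
# Matches http(s) URLs and the scheme-less form common in SMS ("rfj-7.us/x").
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def strip_hidden(text):
    """Remove format characters (Cf) and combining marks (Mn), e.g. zero-width
    joiners placed inside words so that keyword filters miss them."""
    return "".join(c for c in text if unicodedata.category(c) not in ("Cf", "Mn"))


def host_of(url):
    """Return the lower-cased hostname, adding a scheme if the text had none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host, domain):
    """True for the domain itself or a subdomain; 'mtb.com.rfj-7.us' fails."""
    return host == domain or host.endswith("." + domain)


def red_flags(message):
    """Return the list of red flags found in one SMS or e-mail body."""
    clean = strip_hidden(message)
    lowered = clean.lower()
    flags = []
    if clean != message:
        flags.append("invisible or combining characters present")
    brands = [dom for name, dom in BRAND_DOMAINS.items() if name in lowered]
    for url in URL_RE.findall(clean):
        host = host_of(url)
        if brands and not any(is_brand_host(host, dom) for dom in brands):
            flags.append(f"link host {host} does not belong to {brands[0]}")
    if any(phrase in lowered for phrase in URGENCY):
        flags.append("urgent call to action")
    return flags


# Constructed sample modelled on the M&T text described in the post.
SAMPLE = "M&T Bank ALERT: your account is locked. Visit rfj-7.us/unlock"
if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

The scheme-less URL pattern is deliberately loose, so text with a missing space after a full stop can be mistaken for a host name; treat the output as a prompt for a closer look, not a verdict.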

What preventive actions can I take?

  • Do not click on URLs/links/buttons, or images contained in messages that you don’t recognize.
  • Hover over the links/buttons/images (DO NOT CLICK) to see what the actual target URL is.
  • Don’t reply to emails or text messages that you think are fake. For emails, you can even select the email and report it as spam or phishing.
  • Don’t pick up calls that you don’t recognize. Generally, a legit caller will leave a detailed voice message. You can double check the caller number and info with the company website just to be sure.
  • Don’t provide detailed info about yourself to any caller. Hang up, go to the company website, get the real contact number, and call up explaining the situation.  
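
The hover test can also be done without touching the link, by reading the saved HTML of the email. This is an added example, not code from the original post: the e-mail body and the billing-update.example host are constructed, and netflix.com is the legitimate domain named in the post. It lists every link whose real target is outside the expected domain, next to the text or image label the reader would see.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkAudit(HTMLParser):
    """Collect (visible text, real target host) for every <a href> in a body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
        elif tag == "img" and self._href is not None:
            # An image used as a button: its alt text is what the reader sees.
            self._text.append(dict(attrs).get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = (urlsplit(self._href).hostname or "").lower()
            self.links.append((" ".join("".join(self._text).split()), host))
            self._href = None


def hover_test(html_body, expected_domain):
    """Return (visible text, host) for links that leave expected_domain."""
    audit = LinkAudit()
    audit.feed(html_body)
    audit.close()
    return [(text, host) for text, host in audit.links
            if not (host == expected_domain or host.endswith("." + expected_domain))]


# Constructed e-mail body; billing-update.example is a placeholder host.
EMAIL = """<p>Your Netflix subscription cannot be renewed.</p>
<a href="https://billing-update.example/nf/login"><b>Renew membership</b></a>
<a href="https://www.netflix.com.billing-update.example/">www.netflix.com</a>
<a href="https://help.netflix.com/legal">Terms</a>"""

if __name__ == "__main__":
    for text, host in hover_test(EMAIL, "netflix.com"):
        print(f"'{text}' really goes to {host}")
```

The second link shows why the comparison must be on the end of the host name: the visible text and the start of the host both say www.netflix.com, yet the target belongs to another domain.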

What if you fall for the scam?

  • File a police complaint/report detailing the scam.
  • Call up the bank, credit card company or financial institution to report and dispute the fraud.
  • Change the username (if possible) and password for all your important accounts. Passwords should be changed periodically anyway because of security concerns.
  • Monitor your credit report frequently for any red flags. You can do this on Credit Karma for free! You can also add a fraud alert to your credit reports so that creditors will reach out to you for verification before opening a line of credit or you can even request a credit freeze so that no one can access your credit report.

Some examples of phishing/smishing from my private collection!

1. Bank of America phishing email:

Email in inbox seems legit but I know that this is a fraud because I have a different email on file with BOA.


After opening the email, notice the strange email address of the sender. Not a bankofamerica.com domain.

BOA Phishing email


Also, if you hover on the online verification link, you will see that it points to another strange url.

Phishing – hovering reveals a different/unexpected URL


Clearly a Phishing scam!!!

2. Netflix phishing email:

Email in inbox looks legit


After opening the email, you’ll see that the sender does not have a netflix.com email domain.

Netflix Phishing email


Also, the ‘hover test’ reveals a weird link which is not netflix.com

hovering reveals a different/unexpected URL


Clearly a Phishing scam!!!

3. Bank of America smishing SMS:

Notice the fake URL. It’s not bankofamerica.com. Clearly a Smishing attack!!!

BOA Smishing SMS


4. Random group smishing SMS:

A random unexpected gift? URL not familiar? Clearly a smish!

Random group Smishing SMS


To summarize

These ‘_ISHING’ scams are so common and so simple that a lot of companies require employees to take mandatory training on phishing, smishing and vishing. An attack can be extremely expensive to the firm in terms of cost, bad reputation and lost business and so they must do whatever they can to protect their employees, systems, applications, and data from intruders.

Please do not blindly trust any emails, text messages or phone calls. Double, triple check for legitimacy before you act. Protect yourself, your data, and your money. Better to be safe than sorry!

This Post Has 16 Comments

  1. Nilesh

    I’ve gotten similar scam emails/text messages in the past that I just delete.

  2. Joseph

    Thanks! This is useful information

  3. VJ

    Another smishing text received today about my M&T checking account. Deleted the msg and blocked the number.

  4. VJ

    Got a Netflix smishing txt today – 06/05/2022. Beware!!!
    ‘From: NETFLIX
    Msg: NETFL‍IX renewal payment has Failed
    and The ac‌count is temporary on hol͏d.
    See The Complete Details In The Attachment Below.Additional media content is included. Please check the message in detail’

    1. Ronak

      My Mother-in-law got scammed with a similar Netflix text message. They used her credit card details to buy alcohol. She was able to dispute the transaction with the bank though.

  5. mortgage broker license california

    I really love your blog.. Excellent colors & theme. Did you create this amazing site yourself? Please reply back as I’m attempting to create my very own site and want to learn where you got this from or exactly what the theme is called. Appreciate it!

    1. VJ

      Thanks a lot! 🙂 Yup, built the site myself. Started off with the default theme provided by Bluehost and then migrated to OceanWP. Lots of material online to get started with building your website using Bluehost.

  6. Vadim

    These scammers are getting more and more crafty these days. Recently I got the below txt msg. An unsuspecting user will naturally click on the malicious links and get scammed.

    We’ve sus‍pend͏ed your Amazon due to unusu‌‌al acti‍vity
    We’ve blo͏cked login attempt from : Android 10 [ 91.251.239.220 – Argentina ]
    If this wasn’t you, verify using link below :
    allft.de/0d71/?=9zb1oh2au5
    Sincerely, Amazon

  7. PAguy

    These people need to get a real job and stop scamming people!

  8. PAguy

    A few days ago, I got a fake text saying, “your account has been suspended and our system has canceled all your pending orders”…I replied back saying, “Thanks, I don’t need your account”…lol 🙂

    1. TimC

      A similar thing happened with me. I replied saying, stop scamming people!

  9. Leena

    I got a text saying, “your package could not be delivered because of an incorrect address. Please update the address” and they put in a weird link to update. Didn’t click it! 🙂

    1. VJ

      Smart!!! 🙂

  10. fix and flip

    Pretty section of content. I just stumbled upon your weblog and in accession capital to assert that I acquire actually enjoyed account your blog posts. Anyway I will be subscribing to your augment and even I achievement you access consistently fast.

  11. Karen

    Thanks for educating us about these scams.

  12. JM

    There should be some AI to automatically get rid of these fake emails and text messages.
