Verizon is cracking down on a widespread outbreak of scam texts sent to its customers that appear to be coming from customers’ own numbers.
The scam texts try to entice customers to click on a web link. One common version of the fake text said: “Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you.”
“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number,” Verizon spokesman Rich Young said on Wednesday. “Our company has significantly curtailed this current activity, but virtually all wireless providers have faced similar fraudulent activity in recent months. We are actively working with others in our industry and with US Law Enforcement as part of an investigation aimed at identifying and stopping these fraudsters.”
The carrier recommended that customers not click on any links in texts that look suspicious or come from unfamiliar sources. Customers can also forward the text to 7726.
The texts don’t actually originate with customers’ numbers. Instead, in a scheme security experts have dubbed “smishing,” the scammers send the texts from a different number but spoof the customer’s number in the hopes of tricking them into clicking on the link in the message. The name “smishing” combines the SMS system that carries text messages with the older scam e-mail technique known as phishing.
Verizon said it is slowly tracing the originating numbers and blocking them from sending messages on its network.
Boston College professor Kevin Powers, who is director of the school’s cybersecurity policy and governance programs, said he was among those Verizon customers who received the smishing texts. “I looked at it, saw it from me, and deleted it right away,” he said.
The telecommunications industry and the Federal Communications Commission last year added a new security protocol to the mobile phone network, called STIR/SHAKEN, to crack down on spoofed phone numbers, but the system only protects voice calls, not text messages.
Smishing is “really just an extension of what we’ve been dealing with with compromised e-mail links for a long time,” Powers said. Once the crooks get access to a victim’s phone from the link in the text message, they can gain access to passwords and other accounts to steal funds or commit identity theft, he said.
Unfortunately, there is no simple solution. “The problem is here to stay — you just have to be on the lookout for it,” Powers advised. “Think before you click, whether it’s in an e-mail or text. Don’t trust, verify.”
“The challenge is in many cases, once we stop these individuals or groups, they find a workaround to start again in another fashion,” Verizon spokesman Young said. “It’s like a game of whack-a-mole.”
Although some reports on Twitter said the links in the scam messages opened what appeared to be Russian web sites, Verizon said it had not linked the campaign to Russia.
“We have zero indication of any connection to or involvement by Russia,” Young said.