If you’ve started the year with a message that you’ve won something from JB HiFi, you might want to reset those expectations ASAP.
It wouldn’t be a new year without some sort of nefarious activity making a dent on our everyday life, and wouldn’t you know it, this week it seems to be happening to everyday people from someone pretending to be JB HiFi.
Based on what we’re seeing, plus the occasional request for help on Pickr’s tech support line, it appears Australians are getting sent messages from a fake electronics retailer around lunchtime in Sydney and Melbourne.
Or to put it more simply, just before lunch time on Australia’s east coast this week, someone is trying to con Australians with a message purporting to be JB HiFi notifying them of a supposed win.
Unfortunately, this is just a scam, and while it’s one that JB HiFi has picked up on, it’s also one that isn’t doing anything new: it merely plays on our desire to think we’ve won something, and to hand over details to criminals.
From what we understand, the message doing the rounds suggests to would-be victims that they’ve won a prize, and to click a link to pay two dollars to have that prize shipped. However, that link is fake, and just a phishing link — an attempt to look authentic, but really just take your details and use them to get money from you.
It’s not a new approach for SMS scams at all, and really, this is just the same thing on a different day, playing on good luck in the new year in an attempt to fleece hardworking people out of their money and details.
Unfortunately, JB is a consistent target for scammers because of its popularity as an electronics store. If you go and shop there, it’s not entirely unreasonable to expect the organisation to contact you, even if you haven’t entered anything. It’s just part of that expectation for being a customer.
But there’s typically no such thing as a free lunch, and if you’ve received a message suggesting you’ve won something, it’s wise to ask yourself whether the SMS you’ve received is real or fake. That “free” thing you might be receiving might come at the expense of your real data being sold and used by criminals.
“SMS scams impersonating popular brands are among the main sources of the data being bought and sold onto darknet markets by cyber criminals,” said Noushin Shabab, Senior Security Researcher at Kaspersky.
“These malicious activities not only put the users’ privacy and online safety in danger, it further enables criminals to boost their techniques and confidence to keep going after more financial gain,” she said.
“In the long run, the money made helps cyber crime businesses grow.”
A quick guide to working out whether an SMS is real
Asking yourself whether an SMS is real is an important step, but looking at the SMS is important, too. Specifically, you should look, but not click.
Scammers are getting better in their approaches, but there are still things you need to pay attention to, and it typically comes from the wording of the message and the link.
We’ve proven just how easy it is for a scammer to manipulate the sender name in an SMS, and they really only need to get close enough to convince many people, so take what you see there with a grain of salt. If it reads as “JBStore” or “JBHiFi”, don’t assume it’s the real deal, as they’re examples of how scammers evade the real name in bulk SMS send systems.
However, scammers typically don’t use English as a first language, and so may write with language that doesn’t read the way a local might write it. That might include using the term “lottery” in a prize draw, or speaking in disjointed English.
The real dead giveaway is typically in the link, which is something scammers can’t fake. While they can try to create a fake website, they can’t use the website address of the real store.
It means a scammer pretending to be JB HiFi can’t use www.jbhifi.com.au, while one pretending to be Telstra won’t be able to hide behind www.telstra.com.au. Website addresses are locked to the actual company, and you can’t just take them over for a scam.
Instead, scammers typically use a website link shortening service, often called a URL shortener. You’ve probably seen them with Bitly links in the past, and these can be unmasked, but not all of them can. It’s worth noting that these aren’t the same, and many are just a random word, phrase, or set of characters that hide a longer URL. That means you shouldn’t just believe a link is legit by looking at it, simply because it was sent to you, because it might be harbouring something deeply nefarious underneath.
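For readers who filter or triage messages in software, the same link check can be automated. The sketch below is an added example, not something from JB HiFi, Telstra or Kaspersky: it pulls links out of an SMS and compares the parsed hostname against the two official domains named above. The shortener list, the brand keywords, the sample message and the ".example" hosts are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains named in the article; the other two sets are assumed
# for illustration and are not exhaustive.
OFFICIAL = {"jbhifi.com.au", "telstra.com.au"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_WORDS = {"jbhifi", "telstra"}

# Matches links with or without a scheme, as they appear in SMS text.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(link):
    """Return the hostname the link really points at (lower-case)."""
    if "://" not in link:
        link = "http://" + link          # urlsplit needs a scheme to find the host
    return (urlsplit(link).hostname or "").lower().rstrip(".")

def is_under(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(link):
    host = host_of(link)
    if any(is_under(host, d) for d in OFFICIAL):
        return "official"
    if host in SHORTENERS:
        return "shortener"               # destination is hidden; treat as untrusted
    # A brand name inside some other domain is the classic lookalike.
    squashed = host.replace("-", "").replace(".", "")
    if any(word in squashed for word in BRAND_WORDS):
        return "lookalike"
    return "unverified"

def check_sms(text):
    """List every link in the message with its classification."""
    return [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(text)]

# Constructed sample message, modelled on the wording described in the article.
SAMPLE = "JBHiFi: Congratulations, you won our lottery! Pay $2 shipping: bit.ly/EXAMPLE"

if __name__ == "__main__":
    for link, verdict in check_sms(SAMPLE):
        print(f"{verdict:10} {link}")
```

Only "official" means the address belongs to the real company. A link that starts with the real address but ends in a different domain, or that places the real address before an "@", still resolves to the scammer's host, which is why the check is made on the parsed hostname rather than on what the text looks like.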
If you’re unsure about a message, delete it
The reality of SMS scams is that they’re not going away, and so this is going to happen again and again. However, one way you can attempt to prevent being fooled is to delete the message you’re sent if you’re unsure, and move on with your life.
If you have really actually won something, rest assured that a company will likely go to lengths to contact you about it, including calling you about it in the first place. An SMS isn’t the only way to contact you, and you can always make a phone call to the proper store to find out if you have indeed won a prize.
In fact, if you’re unsure about a message that has been sent to you, whether it’s from a store, a telco, or anything else, Google the name of the actual store and call the number for the business you find online. Ask an actual question to a real number, and not to the number messaging you. That’s one way to at least find out whether the message you’ve been sent is the real deal.