It would not be surprising if every phone owner in Australia had seen examples of one specific scam that has been doing the rounds for several years, but in the past year has really ramped up: tolls.
Yes, the very thing charged to your car trips has become an easy way for scammers to try ripping you off, and it turns out Australians aren’t alone. It’s all happening on a fairly massive scale.
Security company Bitdefender has been studying the sheer number of SMS phishing attempts, a category known as “smishing”, and found over a dozen countries affected by toll-based scams, with messages in several languages and covering nearly 32,000 unique URLs.
Nearly 80,000 text messages were sent in the few months from December last year to April this year, though the number could be much higher, with variations targeting different countries using their respective toll companies, and sometimes the police and other government departments.
In Australia, that means fraudulent SMS posing as Linkt given its use across NSW, Queensland, and Victoria, with over 2000 shortened links being used to hide malicious websites, while in New Zealand, the scammers ran the same line under “NZ Police”. In the UK, it was “Air-Pay”, in Ireland “eFlow”, in Spain “DGT”, while Canada simply saw a “parking notice”.
Clicking the link would take potential victims to a phishing site designed to look legitimate, but, as with all phishing sites, it was anything but. The site would note a short deadline, the risk of a penalty fee, and the suggestion that legal action is possible.
But like all scams, it would all be a lie.

The consistent messages
If there’s one consistent message behind every scam it’s “act now”. Urgency drives responses, typically forcing us to do something without thinking.
That’s a problem, especially when we think our phones are sacred, that only the right people have our phone numbers, when that’s clearly not the case.
Your phone number is on databases that have been leaked, breached, and sold. Your phone number is unique, but not to the point where only the right people know to call it. Scammers can use databases of these numbers, or simply just send messages to random numbers. If even one makes a sale, that’s a win for them.
Helping the scammers is something called “ID spoofing” where the message comes in looking legitimate because it features the brand as the sender ID.
Brands are largely supposed to be off limits, but some SMS send providers may not follow the rules, or alternatively, scammers might get smart, such as changing the wording of “Linkt”, a move that tends to work, as does using similar Cyrillic characters instead. This problem not only makes the message more convincing, but if the scammers can get away with using the real name and no unusual characters, it can also push that scam message into a thread with existing legitimate messages (though this is rarer).
The consistent message you might see from scammers could be enough to convince you they’re getting better at this, but you can, too. What can you do?

What can you do?
The good news is there are obvious options to train yourself to have the right dose of skepticism without feeling that you need to be overly vigilant on every message that arrives on your phone.
Be a little skeptical
Being skeptical is one of the most important tips for dealing with any scam, but you might want to apply that to any message that pushes for urgency.
Remember: urgency is what scammers play on primarily. It’s the hope that you’ll act without thinking, either through an email, SMS, or even a phone call.
When someone calls pretending to be from Amazon claiming a charge has been applied to your account, it’s the urgency that you need to do something about it that drives the chances of it working. They want you to act without thinking.
Question the links
Whether sent over SMS or email, phishing scams put all their power in the link you press. That will take you to the page designed to look legitimate, and the scammer’s hope is that you’ll believe it.
However, scammers can’t simply use the real website of a company they’re trying to imitate, so instead, they’ll use something completely different.
To mask this in a message, they’ll often use a link shortener, which sometimes you can unmask before visiting.
Even if you can’t, simply clicking on the link isn’t inherently dangerous. However, believing what’s at that site can be, and the good news is there are ways to tell you’re not at the real location.
If they’re pretending to be Linkt, they can’t use Linkt’s actual website, so you can check which website you’re really at by looking at the URL bar on your device. Whether that’s your phone, tablet, laptop, or desktop, you can simply click the URL bar (also called the omnibar) and look for that actual website URL after “https” to see where you are.
It’s actually the same trick we suggest for email scams, where you can directly check the sender ID’s domain, and, if needed, also check the link you’re at.
For added security, if you feel the need to open the link, do it in a private or incognito browser. Private browsing comes with the added bonus of not using your existing logins, so it can feel that little bit safer, though you still need to keep your wits about you.
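The sender ID and URL checks described above can be written as a short script. This is an added example, not something from Bitdefender or the original article; it assumes Linkt’s real website is linkt.com.au, and every sender ID and URL in it is a constructed sample.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for this example: the brand's sender ID and its real domain.
BRAND = "Linkt"
LEGIT_DOMAINS = {"linkt.com.au"}

# Small constructed map of Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0456": "i", "\u043a": "k", "\u043e": "o",
               "\u0430": "a", "\u0435": "e"}

def sender_verdict(sender_id: str) -> str:
    """Compare an SMS sender ID with the expected brand name."""
    if sender_id == BRAND:
        return "exact-match"  # can still be spoofed, so check the link too
    # Any letter whose Unicode name is not LATIN is a foreign-script letter.
    foreign = any(c.isalpha() and not unicodedata.name(c, "").startswith("LATIN")
                  for c in sender_id)
    # Fold known lookalikes back to Latin before comparing.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in sender_id.lower())
    if BRAND.lower() in skeleton:
        return "lookalike-script" if foreign else "reworded"
    return "unrelated"

def host_verdict(url: str) -> str:
    """Decide whether a URL's host really belongs to the brand."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Non-ASCII or punycode labels can imitate the brand's letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "idn-lookalike"
    # The host must equal the real domain or end with ".<real domain>".
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate-domain"
    # The brand name appearing somewhere in the host proves nothing.
    if BRAND.lower() in host:
        return "brand-in-foreign-host"
    return "unrelated-host"

if __name__ == "__main__":
    # Constructed sample messages: (sender ID, link in the message body).
    samples = [("Linkt", "https://www.linkt.com.au/login"),
               ("L\u0456nkt", "https://linkt.com.au.pay-toll.example/notice"),
               ("Linkt-Toll", "https://short.example/a1b2")]
    for sender, url in samples:
        print(f"{sender!r:14} {sender_verdict(sender):17} {host_verdict(url)}")
```

A shortened link lands in “unrelated-host” because the shortener hides the destination; the check only means something once it is run on the address the browser finally shows.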

Don’t download anything at the link
Scammers are getting smarter, and with more people cottoning onto their games, they’re having to try different approaches, namely using malware at the phishing sites.
To combat this, don’t download anything at the sites you’re directed to. Whether on mobile or desktop, finding your way to one of these sites and doing what you’re told by “downloading” something could backfire dramatically.
Bitdefender’s research on these scams noted this approach being used specifically in India, but that doesn’t mean it hasn’t or won’t make its way out to other parts of the world.
Just delete the message
About the most powerful message you can send is to delete the message and move on with your life.
If your mobile supports it, call it spam and help your mobile’s spam filters work out where to actually send it.
These days, phones are actually getting better at automatically classifying these sorts of messages as spam, and keeping them away from your inbox, particularly if they come from an unknown sender. In Australia, depending on the telco you use, some of these messages mightn’t even make it to your phone, with services such as Telstra’s Cleaner Pipes helping to keep them out of the network, and in turn your phone.
Stay on guard
Ultimately, it’s worth staying on guard for this type of scam, and simply telling family and friends what to do as well.
Scammers won’t stop because it works. Last year alone generated over two billion dollars for criminals in Australian scam losses, and while most had very little to do with a smishing scam like these, the numbers can still be sizeable enough for criminals to keep trying.
With a little bit of vigilance and keeping our wits about us, however, they don’t have to win, and your phone will be a slightly better place, as will your wallet.