How do scammers send SMS that look like the real deal?

Australia Post has sent you a message about a package, and then all of a sudden, you get another from them about a mystery prize. Is it real, and if not, how have scammers achieved this?

One of the more troubling aspects of an SMS scam is the ability to make messages seem legit. It’s not so much the messaging, though scammers are beginning to adopt better grammar and punctuation than before, so we can’t rely on that old rule.

No, the most troubling aspect is how SMS scammers infiltrate our stream of messages, convincing us their scam link is real by landing among our standard messages.

It’s not just a random name or number anymore, because scammers can arrive in our phone’s SMS inbox by pretending to be a major company. They can’t be Apple or Google — those are off limits — but they can pretend to be Telstra, the NBN, or even Australia Post, and that’s where things get troubling.

Reported by a Pickr reader, one recent scam involved a message that was purportedly from Australia Post coming in under the typical “AusPost” name sent by the company, and yet was a scam. The message came in just as if it were any old message from the company, and even sat between two legit package pick-up messages from Australia’s mail provider.

But as you can probably expect, the whole thing was just a scam, and it’s a criminal doing something a little dodgy by taking advantage of a loophole in phone inboxes to get a way in.

How do scammers do this? How can scammers pretend to be a major company, and what can we do to stop it?

How do scammers pretend to be someone else in SMS?

In a rather troubling move, scammers have made the jump to convince you of their authenticity by using the SMS names of major brands. We’ve seen one attempt to imitate JB HiFi with the rather misnamed “JB Store” thus far, but “AusPost” is one Australia Post actually uses, and scammers are copying it.

So how do they do this?

SMS scammers typically rely on online bulk sending message services to send out their attacks, and these allow them to attach a name to them.

But because messages from companies can arrive from more than one phone number, smartphones can still group them based on the sender name. If this seems like jargon, it means that if Australia Post uses the name “AusPost” on its SMS and a scammer does as well, the messages will be grouped together under the same “AusPost” name.

It’s a problem because it means all a scammer needs to do to hide their name is become someone else. The moment they attach that name to their SMS, the message they send out will sit under the same banner.

This leads to two problems:

  1. If you’ve ever received a message from the sender, the SMS scam looks legit because it falls in the same message stream, and
  2. If you’ve never received a message from the sender, an official sounding name looks more official than a scam that has come from a nameless number.

How do you know not to click on a scam SMS?

Knowing whether to click on a message comes from lessons you may be picking up as scams evolve, and one of the more direct approaches is to recognise a scam and the tendencies scams have.

Scams don’t typically look like real messages. They come across like they’re trying to bait you, such as a “mystery package” instead of telling you what post office you should be going to in order to pick things up. Scammers tend not to have these details, and so generally send out a bulk email in order to convince everyone.

It means that if you live out at North Sydney and have to go to a North Sydney post office for collection, scammers can’t guess that. Scams have to be a little more generic.

Scams also tend to rely on outlandish URLs, at least for the moment. Scammers are fully aware many of us won’t check the link before clicking, and so won’t always go out of their way to make the link believable.

There are plenty of ways they certainly could, including using similar domain names, but few seem to be doing that. That means, though, that scammers won’t always change the website URL or its domain, opting for whatever they can get their hands on.

In the case of the scams we’re seeing lately, the links are the dead giveaway that the messages are scams, giving you a reason not to click.

Simply put, before you think about clicking, look at the link in its entirety and see if it looks legit. Check the domain and make sure it’s the real deal.

If a link doesn’t look anything like the links provided in previous messages or the whole thing looks less than legit, you’re looking at a scam. Don’t click, delete, and move on.
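
The grouping problem and the "check the domain" advice above can be put into code. The sketch below is an added example, not something from Pickr or Australia Post: it threads a constructed inbox by sender name the way a phone does, then flags any link whose host doesn't belong to the claimed sender. The sample messages, the .example domains and the assumption that "AusPost" should only link to auspost.com.au are all illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: domains each sender ID legitimately links to (verify before real use).
TRUSTED_DOMAINS = {"AusPost": {"auspost.com.au"}}

# Constructed sample inbox: (sender name shown by the phone, message text).
INBOX = [
    ("AusPost", "Your parcel is ready to collect at North Sydney Post Office. "
                "Details: https://auspost.com.au/track/ABC123"),
    ("AusPost", "You have won a mystery prize! Claim here: http://prize-claim.example/au"),
    ("AusPost", "Delivery held, confirm now: https://auspost.com.au.parcel-help.example/pay"),
    ("AusPost", "Redelivery fee due: https://auspost.com.au@pay-fee.example/x"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def group_by_sender(inbox):
    """Thread messages the way a phone does: by displayed sender name only."""
    threads = defaultdict(list)
    for sender, text in inbox:
        threads[sender].append(text)
    return dict(threads)

def host_is_trusted(url, trusted):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    # urlsplit drops any "user@" prefix, so a brand name placed there is ignored.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(sender, text):
    """Return links in a message whose host does not belong to the claimed sender."""
    trusted = TRUSTED_DOMAINS.get(sender, set())
    urls = [u.rstrip(".,)!") for u in URL_RE.findall(text)]
    return [u for u in urls if not host_is_trusted(u, trusted)]

def review_inbox(inbox):
    """Map each thread to a list of (message, suspicious links) pairs."""
    return {sender: [(t, suspicious_links(sender, t)) for t in texts]
            for sender, texts in group_by_sender(inbox).items()}

if __name__ == "__main__":
    for sender, rows in review_inbox(INBOX).items():
        for text, bad in rows:
            print(sender, "SUSPICIOUS" if bad else "ok", bad)
```

All four messages land in the one "AusPost" thread, but only the first passes the link check. The last two show why you need to read the whole link: the real domain appears in the text of the URL, yet the site it actually opens is a different one.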