How SMS scams work (and how to spot them)

There’s a good chance someone is trying to scam you over messaging lately, and there’s a good reason why: it can work. So how can we beat it? By learning how it works and what to look for.

We’re seeing quite a few SMS scams of late, particularly ones offering prizes or suggesting to log in for information. These scams aren’t new, and they’re still nabbing victims, particularly because they work.

You might not click, but someone else might, and that means someone is falling for a con. It might be one victim out of a hundred or one out of a thousand. Whatever the odds, criminals are still making money, and we’re still falling for it.

In fact, earlier in the year, the Australian Competition and Consumer Commission released a report from last year pointing out just how much we’re all falling for scams, with Aussie losses counted to the tune of just under half a billion dollars.

That’s half a billion dollars that went to criminals, and didn’t need to. It’s half a billion dollars worth of telling cybercriminals that scams work, and to step it up a notch.

Fortunately there’s a way out: education.

If you understand what makes a scam what it is — if you know how to rip apart scam messages and expose them for what they are — you’re less likely to get caught, and maybe be able to help others at the same time.

So let’s get started, because there’s money at stake. Your money, and we’re sure you want to keep it out of the hands of criminals.

How SMS scams trick us

We live in a hurried, fast-paced world, and it’s not unusual to quickly glance over your messages and assume what you read is right. It’s not that we’re necessarily too trusting, but rather that there are a few simple assumptions we tend to apply to our phones and emails.

They tend to work like this:

  • If someone is sending me an SMS, they must have my number from somewhere
  • If someone sends me an email, they must have my email from somewhere

While we’re all pretty much ready to admit that spam can come from anywhere and use these principles, they become more interesting when someone important or familiar uses them.

  • If someone important or familiar is sending me an SMS, they have my number from somewhere for a reason
  • If someone important or familiar is sending me an email, they may have my email for something and must therefore be sending it for a reason

In essence, context can change everything, and it’s this context that scammers and cybercriminals will play on.

Of course, you’re just one number among the thousands they send to. If they have a list of 20,000 phone numbers and only 1000 of those people use the service they’re impersonating, that context only really applies to those 1000, though it may still look familiar enough to the remaining 19,000.

But scammers typically don’t choose small services. They choose targets that are so familiar, it’s harder for a regular person to determine the difference, and play on that familiarity.

“Big brands and financial institutions stand out to scam artists because they obtain the most customers and are more likely to target users who have personal affiliation with their trusted brands,” said Kieran Cook, Pre-Sales Manager at Kaspersky in Australia.

“Fake replicas in the form of large financial institutions are also easier for victims to fall prey to because the brand in itself is already front of mind,” he said.

“It would not seem unusual to receive something from NBN or Westpac. Inversely, if customers received something from an unknown organisation suggesting to pay a bill or for an investment opportunity, it would be more difficult to attribute an unfamiliar brand in comparison to something more front of mind for a consumer.”

In essence, you’re constantly being targeted by information that is out there, and information that will seem all too familiar because it’s known.

Your information is likely found on marketing databases, on databases they have been broken into or leaked, or just generated from a random number generation system. This information is out there, and it’s likely to be used at one point or another for scams and spam.

So how can you beat it? By knowing what goes into a scam.

Email scams

How criminals make SMS scams

SMS scams are working, and they don’t take a lot of work to create, either.

If you’re a criminal, an SMS scam generally consists of acquiring a database of numbers, using an online SMS service to automate and bulk send the messages, and building a website to act as a storage centre for any details submitted to the scam. In essence, scammers are building a company, website, and SMS marketing campaign to catch people.

But you can break up an SMS scam into two main parts, and they both have ways to help you work out if they’re real or not. They both come with flaws that can help you determine authenticity.

One is the sender, and the other is the link. Both are major parts worth talking about, because not everyone will understand how they can be manipulated into thinking both are legit.

Let’s start with the sender.

The sender

Getting an SMS from someone can suggest your number is known to someone for some reason, but it doesn’t always mean anything. Numbers can simply be generated at random, and when text messages cost practically nothing to send — some are, in fact, free — the wasted ones may not matter to a criminal.

In the end, when hundreds of thousands of dollars can be made, what’s a few bucks spent here and there? That’s the mindset of a business-focused criminal, where their business is the business of conning you.

You getting a random SMS won’t likely help the criminal’s efforts, however. They need something to clinch the deal.

They need a sender.

Specifically, the criminal needs the SMS to come from somewhere that seems real. It needs to come from a company that you rely on, that the scam is likely to rely on.

Pretending to have a real sender can make an SMS scam that much more reliable, because it means you’re more likely to believe what’s in front of you.

That means you can get a message that says it’s from “NBN Co” or “Telstra”, or from another company. No longer is the message just another number in the bunch. It’s now a number that seems more real in the first place.

How scammers can manipulate the sender on an SMS

One of the first things you need to understand about SMS scams is that they typically go out to many numbers at once. This is something an online service can help automate. These online services not only allow a message to be sent automatically to many numbers at once, but they allow you to change the sender name.

Some names can’t be touched, though. Names like “Apple” and “Google” are likely off-limits, but not local companies, and not deviations of the names. That makes it easier for a criminal to use a name that is like a company you know, or one that is identical to it, and helps create a sense of reality for a scam message.

It means the message you receive from “NBN Co” or “Telstra” can be simulated, even if it means the scammer has to change it to “NBN Australia” or “Telstra Mobile AU” at points.

Next is the link.

The link

The link is an important part of the con because it can almost never be real, even though it will have real consequences.

What you need to understand about web domains — the www-dot-whatever of websites — is that if a domain exists and someone owns it, a criminal can’t just come along and use it. That’s not how the web works.

But what if the criminal uses a link that’s close? What if the URL was similar?

Email scams can typically get away with having an outlandish URL that’s hidden by text because an email can disguise its link in the coding language of the web, in HTML. You have to hover over them to see the link in an email, which many can miss.

But an SMS has to be more direct. There’s no HTML to disguise a link, and phones will only recognise a link if it reads like a link, with the “http” and the rest. So scammers tend to go with something either outlandish or something close.

Regardless of what they choose, that link will likely take you to a website designed to capture details. This is called “phishing”, and once you’re here, you’ve fallen for the con, and are more likely to enter your details.

“Despite dating back to the days of dial-up, consumers are still falling for phishing scams on a regular basis,” said Alex Merton-McCann, Consumer Online Safety Expert at McAfee and “Cybermum” for the company.

“A combination of cleverly timed texts from what appears to be a legitimate company, and fake webpages that look identical to the real deal apart from a few minor details, easily convince those who don’t know how – or can’t be bothered – to do a proper check of the links they are clicking on.”

Simply put, if you click on a link and get a page designed for you to log in somewhere, there’s a solid chance you’re looking at a scam and should close the window immediately.

However, understanding that link can help you come to grips with how scammers make us think their link is real.

How scammers can trick us into thinking a link is real

Remember that there are two types of link to trick with: outlandish and similar.

Going with something outlandish is easier to spot: if the URL looks nothing like what the company would use, you know it’s fake. If a message from a brand name you recognise has a link that says "jimbobsdeliveries.com.au" or something equally random, it’s a fake, and it’s not the only one.

If the NBN apparently sends you a message to log in, know that:

  1. The NBN Co won’t send you anything directly because it’s a wholesaler and doesn’t talk to individual customers, and
  2. The scammer can’t use “nbnco” in its URL, at least not in the way NBN Co uses it

Likewise if Telstra apparently sends you a message to log in and check your account, you can also glean that it’s not the real thing because the URL isn’t going to be Telstra’s own, which you can look up yourself.

Outlandish URLs are easy to spot and scammers rely on them because many of us don’t check. But by reading that URL, you can get a hold on what a scammer is doing.

It gets complicated when a scammer starts looking at more difficult situations: similar links.

There’s an idea that suggests the human brain can automatically read garbled and misspelled words because of context, something that helps us understand language when someone has not used spellcheck at the end of an email or just didn’t know how to spell the word in the first place. It has great uses, but it can be abused, too.

Essentially, if your brain can understand the wrong spelling of a name or word, intentionally misspelling that name or word in a link may end up doing the same thing.

That means sneaky scammers can use similar spellings or misspellings of URLs to trick us. They can take a familiar name, change a character or two, or add a word to the end of it, and register whichever of those variations is available to buy, all to trick us into clicking.

Take the previous example of the NBN. Obviously a criminal can’t use the proper NBN website, but if a savvy one bought something similar, they may be able to get close.

In fact, there are quite a few variations available to buy that you can imagine a scammer would use if they needed to, making it just that much harder to spot. They might use "nbco.com.au" or "nbncoo.com.au", or even "nbnau.com.au", all of which were available to buy when we checked.

Open domains can be used to phish more realistically

The same is true with Telstra, possibly more so, because not only is “Telstra” a longer name with more characters to spoof, it’s also a company that does more than just one thing. It does phones, it does internet, and more.

Frankly, if someone wanted to register a domain name pretending to be Telstra, the options would be even more difficult to spot, as seen from this domain name lookup we did on similar names.


Telstra scammers could use "tlstra.com.au", "telstraphone.com.au", or "telstranet.com.au", and for not a whole lot of cash. Domain names typically cost around $20 per year each.
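As an added example that is not part of the original article, here is a small Python triage script that applies the two checks described above to a message: whether the sender name is an exact known sender ID or just a brand-flavoured variant like “NBN Australia”, and whether each link’s registrable domain matches the brand’s real domain exactly, sits an edit or an added word away from it (the "tlstra", "nbco" and "telstranet" kind), or has nothing to do with the brand at all. The reference domains and sender IDs in it are assumed placeholders, not values from the article; the real ones must be looked up from the brand itself.

```python
import re
from urllib.parse import urlparse

# Constructed reference data for this example: the exact domain and sender ID
# each brand really uses must come from the brand itself (assumed values).
KNOWN = {
    "nbn":     {"domain": "nbnco.com.au",   "sender": "nbn co"},
    "telstra": {"domain": "telstra.com.au", "sender": "telstra"},
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def registrable_domain(url):
    """Second-level label plus suffix, treating 'com.au'-style suffixes as one unit."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    two_part = (len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov", "edu"}
                and len(labels[-1]) == 2)
    return ".".join(labels[-3:] if two_part else labels[-2:])

def levenshtein(a, b):
    """Edit distance; one edit is the 'tlstra' / 'nbco' kind of near miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(domain):
    """'trusted:<brand>' only on an exact match; a near miss or a brand name
    with extra words glued on is 'lookalike:<brand>'; anything else 'unrelated'."""
    for brand, ref in KNOWN.items():
        if domain == ref["domain"]:
            return "trusted:" + brand
    label = domain.split(".")[0]
    for brand, ref in KNOWN.items():
        if brand in label or levenshtein(label, ref["domain"].split(".")[0]) <= 1:
            return "lookalike:" + brand
    return "unrelated"

def check_sender(sender):
    """A plain number carries no brand claim; a brand word in a non-matching name does."""
    s = sender.strip().lower()
    if s.replace("+", "").isdigit():
        return "number"
    for brand, ref in KNOWN.items():
        if s == ref["sender"]:
            return "known:" + brand
        if brand in s:
            return "imitates:" + brand   # e.g. "NBN Australia", "Telstra Mobile AU"
    return "unknown"

def triage_sms(sender, body):
    """Returns (sender verdict, [(url, domain verdict), ...]) for one message."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    return check_sender(sender), [(u, check_domain(registrable_domain(u))) for u in urls]
```

Anything other than a known sender paired with a trusted domain is a reason to look the company up yourself rather than tap the link.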

The point of all of this is that scammers have options available when it comes to trying to trick you, and that means you need to read messages carefully.

“Phone call and email scams are still certainly the favourite and most profitable delivery methods for scams, however we are seeing SMS scams grow steadily in popularity every year,” said McCann.

“The tools and information needed to set up an SMS scam are straightforward for scammers to get their hands on and the work involved is minimal,” she said.

“This is likely why these types of scams are increasing so significantly each year.”

Remember that criminals have a focus here: money. Specifically your money. That’s the point.

If your money and information are worth something to you, then you owe it to yourself to ensure that when a message comes in, you read it carefully, and don’t click unless you need to.

The lesson: always read your messages

It’s unlikely we’ll ever stop scams going out over SMS, but staying on guard can help keep you protected.

Remember that it’s always important to read your messages before clicking them, and to be skeptical. Scammers are doing this as a job, and with money and personal information the target, they will do what they can to ensure you’re clicking and falling for their tactics.

With so much at stake, it’s important to remain vigilant and be aware that not every message you’re sent will be the real deal.

Instead, take everything with a grain of salt, read, and if it seems fake, delete it immediately and move on with your life. It’s just easier that way.

Is this SMS real? No... it's clearly a scam.
Whether a scam is trying to trick you with a fake store like “JB Store” or warning you of a potential arrest, make sure to read it carefully before even thinking of clicking on the link.