Is this SMS real?

A timely reminder that scam season is always here.

With the arrival of an SMS “informing” of a potential win, it’s a good time to point out that scams don’t really have a season, and are more a permanent year-round thing.

You don’t need to give cybercriminals a time frame for when they should start trying to extract money or details from you. The bitter reality is that it’s all the time.

This week brought a reminder of that, as SMS scams kicked in once more. The timing was random and had nothing to do with anything special, let alone the time of year; it simply reflects that people are always out to get your money and details, hoping to convince you of your luck when in fact it is the opposite.

It can start with an SMS.

Is this SMS real? No... it's clearly a scam.

Truth be told, they can start with any type of message, though email and SMS are the most likely.

From there, it’s about tone. If a criminal is going to convince you to click on their dodgy link, there’s a chance they’ll do it by either:

  1. Threatening you with something, or
  2. Rewarding you with something

In this instance, it’s the idea of a reward, because “you’re a winner” (he says with enough sarcasm to drown you in), and that provides an incentive to click on the link to collect your reward. The problem is that’s the lure and bait, and the result isn’t necessarily going to be what you think.

“SMS scams are very common, as scammers attempt to take advantage of the fact that people almost always have their phones in arm’s reach, and exploit the quick and easy nature of replying to a text message,” said Tim Falinski, Senior Director for Trend Micro in Australia.

“Scammers can make money by sending consumers an SMS encouraging them to enter a competition by replying to a message and then charging a premium price for every message sent or received,” he said.

“Phishing scams via SMS are also used by cybercriminals to ascertain personal details, including logins, passwords, or bank details. The payload in this instance is access to identifiable information that they can then use to hack into a bank account for identity theft, or to sell on the dark web for a financial return.”

Understandably, this means treating your messages with some serious caution, because if you aimlessly click any link sent your way and follow the instructions in the wrong message, it can lead you down a dark path.

Of course, there are things to watch out for, such as who has sent you the message and if you know them. If you don’t in fact recognise the sender, ask yourself why you’re receiving this message: did you enter a competition, and does the message look legit? Has it come out of the blue? Seriously, who is this person, and does the name actually relate to a real thing?

If you find yourself questioning its authenticity, ask yourself why, because it probably comes down to the sender name and the web link in the message.

“SMS scams have one thing in common where the URL is never an official one,” said Margrith Appleby, General Manager of Kaspersky in Australia and New Zealand.

“Always check the web address carefully to ensure it is genuine before clicking on it,” she said.

And it’s true: most scams have to fake an approximation of a URL, and go so outlandish that it doesn’t look real. They’re not real, so they can’t use the official website, because that’s not how the internet works. Someone pretending to be JB HiFi — as is the case in the scam we received — can’t just use JB’s website to send a message. Instead, they have to use a different link.

However, if you look closely at the URL you’re being asked to click, you can see the flaws, and it’s yet another way you can tell the difference between the real and the fake.

Some of the things worth paying attention to in a scam message.

Look at the parts of this message that don’t add up. The sender is “JBStore”, not JB HiFi. Who and what is a “JBStore”? The spacing and name of “JB Store” is different in the text, and we don’t know who that is. Prize draws aren’t typically called a “lottery”, at least not in Australia, suggesting this is an overseas scam. Oh, and that link? It’s definitely a random URL, outlandish enough to not even be close to what it should be. Don’t go to that dodgy link at all.

Not all will be easy to spot, but Trend Micro highlighted some other pointers that suggest a con is going on.

“Other red flags include a sense of urgency (for example, your account will be deactivated unless you respond to this message in the next 24 hours), competitions, or the offer of a voucher, discount, or gift card,” Falinski told Pickr.

“We recommend ignoring these messages and contacting the organisation via their verified phone number or social media accounts if you are hopeful there’s a prize up for grabs,” he said.

Ultimately, if it doesn’t look legit, consider just plain deleting the message.
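The checks described above (sender name, link host, reward and urgency wording) can be expressed as a simple triage function. This is an added example, not code from the article or from any vendor quoted in it; the allowlist of official sender names and domains, the keyword patterns and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; confirm against the organisation's own details.
OFFICIAL = {"senders": {"JB HiFi"}, "domains": {"jbhifi.com.au"}}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
LURE_RE = re.compile(
    r"\b(winner|won|prize|lottery|voucher|gift ?card|discount|competition)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within|next) \d+ (hours?|days?)\b|\bdeactivated\b|\bexpires?\b", re.I)


def link_hosts(body):
    """Return the lower-cased hostname of every link-like token in the text."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # SMS links often omit the scheme
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def is_official(host, domains):
    """True only for an exact match or a subdomain on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in domains)


def red_flags(sender, body, official=OFFICIAL):
    """List the red flags the article describes for one message."""
    flags = []
    if sender not in official["senders"]:
        flags.append("unrecognised sender")
    for host in link_hosts(body):
        if not is_official(host, official["domains"]):
            flags.append("unofficial link: " + host)
    if LURE_RE.search(body):
        flags.append("reward lure")
    if URGENCY_RE.search(body):
        flags.append("urgency")
    return flags


# Constructed sample modelled on the message described above (not its real text or URL).
SAMPLE = ("JBStore", "JB Store lottery: you are a winner! "
          "Claim within 24 hours at prize-claim.example/jb")
```

An empty list is not proof a message is genuine, since sender names can be faked; it only means none of these particular flags fired.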

Criminals are sending these out to a lot of people, and much like the old phrase “a sucker is born every minute”, they don’t need everyone to respond, just one.

“While more people today recognise fraud attempts, all it takes is for a cybercriminal to have a large pool of numbers at hand to send out SMS scams. From this large pool, unfortunately, there are still many that become repeated or new victims,” said Kaspersky Australia’s Rustam Teregulov.

“The general recommendation is not to respond to text messages that come from unknown numbers,” he said.

“Another important rule is not to provide any personal and payment data to an unknown caller or enter them into an unknown resource. If you realise that you have done this, contact your bank or internet provider immediately.”

And ultimately, it’s worth checking Australia’s resource on scams, ScamWatch, a service run by the Australian Competition & Consumer Commission, the ACCC, which is updated often with the types of scams going around the country.

Frustratingly, scams aren’t likely to stop because they do make criminals money, but the more education we have on them, the better we can all be, eroding that pool of cybercriminal marks one person at a time.