Why robotexts are scammers’ favorite new tool
If you’ve recently received a text claiming to have a delivery update for a package you never ordered or providing an urgent security alert for a bank you don’t belong to, you’re not alone.
So far in 2022, the Federal Communications Commission has received more than 8,500 complaints about “unwanted text messages,” according to a consumer alert released last month.
That number is on track to surpass the number of complaints in 2021, which included 15,300 messages. But according to industry data, the number is likely just a small sliver of the problem. Spam-blocking app RoboKiller estimated that consumers received more than 12 billion robotexts in June alone.
Like robocalls, robotexts aren’t just a nuisance — they’re a powerful tool for scammers. In fact, experts say that in some ways scam text messages can be even more dangerous than robocalls. With one click, a victim could be tricked into providing information used to hack into their bank account or work email.
“I would argue that, in a way, robotexts are actually more dangerous,” said Teresa Murray at Public Interest Research Group, a consumer watchdog group. “Maybe not more annoying, but more dangerous because it’s more difficult for consumers to determine whether a robotext is legitimate or not.”
Part of the increase in texts, Murray says, stems from a decrease in robocalls. Since an FCC mandate requiring all voice providers to implement call verification software went into effect last summer, robocalls have declined by nearly 50 percent, according to a report from her group. More than half of U.S. phone providers have since implemented some sort of robocall mitigation software for voice calls, forcing scammers into a new line of business.
“Their main source of income was robocalls so now they’ve moved on to robotexts,” says Murray.
How robotexts work
Robotext scams tend to follow the same playbook as email-based “phishing” scams in which criminals pose as a legitimate actor to lure a target into providing personal information or downloading malware that will steal that information. Once the cybercriminal has collected the information, they can use it for their primary objective, such as draining a bank account or infiltrating a company network.
Customizable malware kits available on the dark web make it easy for SMS-based attackers to keep new campaigns coming, says Hank Schless, senior manager for security solutions at the cybersecurity firm Lookout. Schless pointed to the example of the banking trojan FluBot, which hit European users last year via SMS messages claiming to be delivery notifications.
“That sort of shows you how straightforward it is and how quick it can be for a lot of these sort of lower tech campaigns,” says Schless.
Common lures for “smishing” (SMS-phishing) campaigns include posing as delivery services, such as UPS and Amazon, or tech support for a work email account. The sense of urgency the texts spark can be enough to make even the savviest consumer let their guard down.
“You have this text message, that something bad is happening and you need to act immediately to stop it from happening,” said Murray. “Even the smartest people can, just for a couple of seconds, kind of throw their common sense out the window and click on the link.”
The same red flags that would stand out on a desktop can be harder to discern on a mobile screen, experts also say. For instance, it’s more difficult to preview links.
Other giveaways that a text may be part of a scam include misspellings and texts sent from a number that is 10 digits or longer, according to the FCC.
The bigger technical hurdle for smishing criminals is obtaining infrastructure that can send out thousands of texts at once without setting off alarms. Unlike email-based phishing campaigns, which might require as little as access to email, criminals sending SMS scams need either costly hardware to operate multiple SIM cards at once or sophisticated hacking skills to tap into closed mobile networks, Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, explained to CyberScoop in an email.
What lawmakers are doing about it
Experts CyberScoop spoke with expect the number of robotexts to continue to rise. One possible way to thwart the growing trend would be additional action by U.S. regulators.
Current FCC Chairwoman Jessica Rosenworcel (D) has advocated for expanding the crackdown on robocalls to robotexts. In October, Rosenworcel proposed a rule that would require mobile wireless providers to block illegal text messages just as they did with spam calls. The proposal has not seen a vote.
“The proposal is still pending before the Commission but has the Chairwoman’s strong support,” FCC spokesman Will Wiquist wrote to CyberScoop in an email.
Members of Congress have also sought to intervene. In July, Reps. Raja Krishnamoorthi, D-Ill., and Katie Porter, D-Calif., introduced legislation that would expand existing restrictions on robocalls to also include texts.
If you’re experiencing spam text messages, the Federal Trade Commission advises that you report the text to your cellular provider, which you can do by copying the message and sending it to 7726 (SPAM). Many phone providers also offer filter features to help sort out spam messages.