Fraudsters are using the Covid-19 crisis as bait to conduct SMS scams on a global scale. Many of these criminals are adapting their existing campaigns to exploit the situation.
Some of the examples we’ve seen on the Twitter hashtag #covid19scamsms include text messages that trick recipients into divulging their personal and financial details based on lures of ‘goodwill payments’, ‘free home testing kits’ or ‘threats of a fine for breaking lockdown conditions’. In this post, we collate guidance from expert organizations and government agencies worldwide to help mobile phone users thwart such attacks, and we provide our own advice.
Firstly, what are the tell-tale signs to look out for?
It can be very difficult to work out whether a message is real or not. The reason for this is that fraudsters are trying to trick you into believing that a message is genuine. One of the problems with SMS is that the sender ID can be easily spoofed. This means that something that looks real — for example, the sender is a name rather than a number, and says something like: “US_Gov” — might not in fact be real. Here’s a list of other things that might suggest an SMS is suspect:
- The message comes from an unrecognisable number.
- The message contains misspelt or poorly worded phrases.
- The message uses strange characters that look like legitimate letters (in order to avoid spam filters and get through to you).
- The message contains a web link for you to go to.
- The message requests payment or suggests you will receive money if you provide your details.
- The message attempts to rush or panic you into taking immediate action.
- The message uses doubtful or clearly false names of government agencies or organizations, either in the web link or the message text itself.
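For anyone triaging reported messages in bulk, several of the signs above can be checked mechanically. The following Python code is an added example, not part of the original post; the keyword lists, the `known_senders` parameter and the sample message are constructed assumptions.

```python
import re
import unicodedata

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
WORD_RE = re.compile(r"[^\W\d_]+")  # runs of letters in any script
# Constructed keyword lists; tune them to the campaigns you actually see.
MONEY_RE = re.compile(r"\b(payment|refund|fine|claim|bank|card)\b", re.I)
URGENT_RE = re.compile(r"\b(immediately|urgent|now|within \d+ hours?|final notice)\b", re.I)

# Constructed sample: "P\u0430y" hides a Cyrillic "a" inside a Latin word.
SCAM = ("UK_Gov", "GOV.UK ALERT: you have been issued a £35 fine for leaving "
                  "home. P\u0430y now at http://example.invalid/fine")


def scripts(word):
    """Return the Unicode scripts of a word's letters, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word}


def mixed_script_words(text):
    """Words mixing scripts, the usual trace of look-alike letter substitution."""
    return [w for w in WORD_RE.findall(text) if len(scripts(w)) > 1]


def triage_sms(sender, body, known_senders=frozenset()):
    """Return the list of warning signs present in one message."""
    signs = []
    # A name such as "US_Gov" earns no trust: sender IDs can be spoofed.
    if sender not in known_senders:
        signs.append("unrecognised sender")
    if mixed_script_words(sender + " " + body):
        signs.append("look-alike characters")
    if URL_RE.search(body):
        signs.append("contains web link")
    if MONEY_RE.search(body):
        signs.append("payment or payout")
    if URGENT_RE.search(body):
        signs.append("pressure to act")
    return signs


if __name__ == "__main__":
    print(triage_sms(*SCAM))
```

The result is a list of indicators to weigh, not a verdict: a genuine message can contain a link, and a message written wholly in one script passes the look-alike check.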
Next, what action should you take?
- Never reply to the SMS or click on suspicious links. These could result in your phone being infected with malware or you losing money if you’re persuaded to enter credit card details or personal information such as addresses or passwords.
- Don’t let anyone pressure you to make quick decisions. Stop and think; challenge the information provided in the SMS.
- Only contact organizations using details obtained from official websites.
- Check whether a government agency actually did send out messages to people. This might take a bit of searching on the web, but sometimes they’ll explain exactly what they sent. One example is the UK’s coronavirus SMS message.
- If the message refers to a charity or non-profit, verify that the organization is registered – for example, in the US follow Federal Trade Commission advice, or in the UK search the charity register. Consider donating money via a different mechanism.
- Keep your mobile phone’s software up-to-date to help reduce the chance that malware could exploit your device.
How can I help others?
We have started to tweet out some examples of these on Twitter to help organizations around the world gather threat intelligence. The hashtag we are using is:
If you receive a message, in the first instance, you should try and report this to your network operator. They are best-placed to tackle the issue and initiate blocking measures. In many countries you can do this by forwarding the SMS to 7726 (more details provided below). It helps to do this – it is important that the operator knows you’ve received a message that isn’t legitimate because this will tell them that something has got through their filters.
We would encourage anyone who receives a scam SMS message to post a screenshot to the hashtag as a small way of assisting in tackling the problem. For example, the information contained in the message could be a web link to a malicious site which can be taken down before it can cause harm to lots of users. Please make sure you remove any identifying information such as your phone number before you post an image.
And finally, how can you report the fraudulent activity so that government agencies and mobile network operators can take action?
- SCAMwatch urges you to report all spam SMS, whether it be a scam or unsolicited contact by a trader. More info – https://www.scamwatch.gov.au/news/spam-sms-report-it.
- Forward the spam message to the short code 7726 (SPAM)
- Call the Canadian Anti-Fraud Centre on 1-888-495-8501 (toll free) or report online.
- Forward the TXT message to the free shortcode 7726 (SPAM).
- Contact your mobile network operator by forwarding the message to 7726.
- Notify ActionFraud – the UK’s National Fraud and Cyber Crime Reporting Center — either online or by calling 0300 123 2040.
- Copy the message and forward it to 7726 (SPAM).
- Report it to the Federal Trade Commission at ftc.gov/complaint.
Related links and further reading
As stated above, we ask that people post screenshots of any examples of Covid-19 SMS scams. Please use the hashtag #covid19smsscam – https://twitter.com/hashtag/covid19scamsms?src=hashtag_click.
UK government advice on phishing and bogus contact updated to include examples of Coronavirus (COVID-19) scams
US Federal Communications Commission advice on Covid scams
About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.