Covid-19 SMS/text message scams: advice for mobile phone users

Fraudsters are using the Covid-19 crisis as bait to conduct SMS scams on a global scale. Many of these criminals are adapting their existing campaigns to exploit the situation.

Some of the examples we’ve seen on the twitter hashtag #covid19scamsms include text messages that trick recipients into divulging their personal and financial details based on lures of ‘goodwill payments’, ‘free home testing kits’ or ‘threats of a fine for breaking lockdown conditions’. In this post, we collate guidance from expert organizations and government agencies worldwide to help mobile phone users thwart such attacks as well as providing our own advice.

Two examples of scam SMS messages being sent by fraudsters exploiting the coronavirus pandemic.

Firstly, what are the tell-tale signs to look out for?

It can be very difficult to work out whether a message is real or not. The reason for this is that fraudsters are trying to trick you into believing that a message is genuine. One of the problems with SMS is that the sender ID can be easily spoofed. This means that something that looks real — for example, the sender is a name rather than a number, and says something like: “US_Gov” — might not in fact be real. Here’s a list of other things that might suggest an SMS is suspect:

  • The message comes from an unrecognisable number.
  • The message contains misspelt or poorly worded phrases.
  • The message uses strange characters that look like legitimate letters (in order to avoid spam filters and get through to you).
  • The message contains a web link for you to go to.
  • The message requests payment or suggests you will receive money if you provide your details.
  • The message attempts to rush or panic you into taking immediate action.
  • The message uses doubtful or clearly false names of government agencies or organizations, either in the web link or the message text itself.

Next, what action should you take?

  • Never reply to the SMS or click on suspicious links. These could result in your phone being infected with malware or you losing money if you’re persuaded to enter credit card details or personal information such as addresses or passwords.
  • Don’t let anyone pressure you to make quick decisions. Stop and think; challenge the information provided in the SMS.
  • Only contact organizations using details obtained from official websites.
  • Check whether a government agency actually did send out messages to people. This might take a bit of searching on the web, but sometimes they’ll explain exactly what they sent. One example is the UK’s coronavirus SMS message.
  • If the message refers to a charity or non-profit, verify that the organization is registered – for example, in the US follow Federal Trade Commission advice, or in the UK search the charity register. Consider donating money via a different mechanism.
  • Keep your mobile phone’s software up-to-date to help reduce the chance that malware could exploit your device.

How can I help others?

We have started to tweet out some examples of these on twitter to help organizations around the world with gathering threat intelligence. The hashtag we are using is:

#covid19scamsms

If you receive a message, in the first instance, you should try and report this to your network operator. They are best-placed to tackle the issue and initiate blocking measures. In many countries you can do this by forwarding the SMS to 7726 (more details provided below). It helps to do this – it is important that the operator knows you’ve received a message that isn’t legitimate because this will tell them that something has got through their filters.

We would encourage anyone who receives a scam SMS message to post a screenshot to the hashtag as a small way of assisting in tackling the problem. For example, the information contained in the message could be a web link to a malicious site which can be taken down before it can cause harm to lots of users. Please make sure you remove any identifying information such as your phone number before you post an image.

And finally, how can you report the fraudulent activity so that government agencies and mobile network operators can take action?

Australia
Canada
  • Forward the spam message to the short code 7726 (SPAM)
  • Call the Canadian Anti-Fraud Centre on 1-888-495-8501 (toll free) or report online.
European Union
New Zealand
  • Forward the TXT message to the free shortcode 7726 (SPAM).
UK
  • Contact your mobile network operator by forwarding the message to 7726.
  • Notify ActionFraud – the UK’s National Fraud and Cyber Crime Reporting Center — either online or by calling 0300 123 2040.
USA
  • Copy the message and forward it to 7726 (SPAM).
  • Report it to the Federal Trade Commission at ftc.gov/complaint.

Related links and further reading

As stated above, we ask that people post screenshots of any examples of Covid-19 SMS scams. Please use the hashtag #covid19smsscam – https://twitter.com/hashtag/covid19scamsms?src=hashtag_click.

Australian government advice

Canadian Anti-Fraud Centre

New Zealand government advice

UK government advice on phishing and bogus contact updated to include examples of Coronavirus (COVID-19) scams

US Federal Communications Commission advice on Covid scams

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Further Thoughts on SIM Swap

I recently wrote about the topic of SIM swapping on my company’s site. This was also posted to the GSMA’s Fraud & Security Group blog. There has been an increase in the amount of awareness of the issue over the last 18 months or so and I expect that to continue throughout 2020. Some factors are driving it – the recently published Princeton paper is probably the first scientific analysis of these problems, especially on the social engineering aspect. Others are the sheer life impact as I describe in my earlier blog – either a huge loss of money or life-takeover of all the victim’s online accounts.

Some feedback I received from industry colleagues on Linkedin is worth mentioning:

  • While I refer to ‘SIM swap’ – because that is the colloquial term we all understand, what is really happening is a re-assignment of the user’s credentials to access services, by the operator to another SIM card, rather than a specific issue with the SIM itself. It’s primarily a process and procedural issue.
  • Like many other cyber security issues we face (not just in telecoms), particularly for trans-national issues, there is almost a complete absence of law enforcement. I’m not just talking about action, but even basic interest would be useful. Where it comes to technical topics, it can be very difficult for the victim to describe it to the Police, but a lack of Police training and structure for dealing with cyber security issues means ultimately criminals get away with it. This perpetuates the cycle of crime. If it’s international, then probably nothing will happen.
  • The authentication of the real user is at the core of the issue – improving these procedures in line with the increased attack surface and asset value is overdue.
  • SMS 2FA is not the solution that should be recommended because SS7 is too vulnerable – I actually disagree with this one on the basis that as an interim solution it is easy for operators to deploy and would raise the bar significantly. SS7 attacks are much more difficult to conduct than social engineering and it ignores the fact that SS7 monitoring, controls and firewalls in-line with GSMA guidance have been and are being implemented across the world.
  • One side-point was made that SMS 2FA isn’t 2FA because the phone number isn’t something the user controls. I think this is not correct – the second factor is really a combination of “something you have (the phone that receives the message)” and “something you know (the code that is sent)”. This point also kind of ignores the practicalities of the problem – you need something that is going to work for millions of users. SMS 2FA is still the easiest and least worst solution for this. Arguably you’re sending the message ‘in-band’ and associated with the thing that is being targeted, however logically, at that point it is under the control of the authentic user. These days there are other channels the operator could possibly use which are sort-of ‘out-of-band’ and they should explore these – i.e. Whatsapp, Signal messages or using an authenticator app such as Duo. I would argue that at least for the last two of these, they’re still quite niche for the ordinary user and that raises complexity in the customer service chain, ultimately actually reducing security. It would also have to carefully thought through – attackers don’t remain static.
  • One point was made that “We have to stop knitting new applications with old technology” and “Same horse same speed… ” – I and others would agree with this. With 5G we had a real opportunity to make a clean break from legacy technologies, however it hasn’t happened. We’ll carry some of those problems with us. I guess there are some similar analogies to replacing lead pipes in houses and cities – it is an economic and practical upgrade problem. We’ll get there I think.
  • Other comments talked about regulation and putting the liability onto operators for the financial losses of users. It is really not that simple in my view. If the target of the service is someone’s email or breaking into the bank – does the network operator retain sole liability for that? We also have to remember that the issue here is the criminals doing this – let’s focus on them a bit more and start prosecuting them.

The UK’s National Cyber Security Centre has an excellent and pragmatic guide for enterprises using SMS: ‘Protecting SMS messages used in critical business processes‘.

Victim blaming when it comes to fraud

I was quoted today in a Guardian article after the Metropolitan Police Commissioner, Sir Bernard Hogan-Howe suggested that fraud victims should not be compensated by banks in cyber crime situations.

Image of what people are being conditioned to think a cyber criminal looks like! (Or perhaps I should have gone with hacker in hoodie?!)

His point is that people use weak passwords and don’t upgrade their systems so end up as easy pickings for online criminals. Whilst of course users need to take responsibility for their own actions (or inaction) it is nowhere near as simple as that, especially when it comes to things like deliberate social engineering of people and website insecurity.

My full quote was as follows: “I think the Met Chief’s comments are short-sighted. There are many reasons consumers are defrauded and a lot of those are not really things that they can control. To trivialise these to all being about user concerns misses the point. How does a consumer control the theft of their data from a website for example? We all have a role to play and a lot of work is underway in bodies like the worldwide web consortium (W3C) to reduce the use of passwords and to increase the use of hardware-backed security. The banks are doing a good job in a difficult environment but they are ultimately responsible for identifying and preventing fraud issues when they occur.”

The W3C’s work on web authentication is underway, which will standardise the work of the FIDO Alliance for the web in order to help eliminate the password. This of course will take a while and we won’t fully eliminate passwords from the web for many years. To further protect consumers, there is another effort to bring hardware security backing to important elements of the web, this will also hopefully be chartered to do that in W3C. In the software updates world, Microsoft have led the way on desktops and Apple in mobile for ensuring people are patched quickly and effectively. We still have a long way to go and I’m leading some work in the mobile industry, through the GSMA to try and make things better.

The Met and the wider police have a key role in investigating cyber crime, something they’ve not done well at all over the past few years, so they have failed consumers repeatedly. Blaming users is something akin to throwing stones in glasshouses.

Cyber Security at Mobile World Congress

Here is a re-post of the blog I did for the Smart UK site (@smartukproject) in preparation for Mobile World Congress. I’m doing quite a few things out there, but I’m looking forward to this on the Tuesday morning (28th), it is going to be a great event,. There are still places available and I encourage anyone interested in mobile security and fraud related topics to sign-up.


The UK government recently published the Cyber Security Strategy. What implications does this have for the mobile industry and society at large? With the mobile device at the centre of nearly everyone’s life, the integrity of mobility is paramount. The mobile industry has weathered a variety of security incidents over the years but has been relatively successful in comparison to other industries. Can any lessons be learnt from the past successes of mobile that will help for the future? Is the industry living on borrowed time?

This year’s UKTI and ICT KTN Mobile World Congress seminar: Cyber Security in the Mobile World; will look at the vast array of subjects which now come under mobile security – including cyber bullying between children, fraud against telephony systems through to emerging technologies such as machine-to-machine and LTE infrastructure. Crossing all of these varied topics are industry needs such as the lack of security-aware software engineers and the need to prosecute criminals who defraud or attack electronic systems.

While the mobile industry has made great efforts to learn the past mistakes of the PC world in terms of security, the anti-virus industry has reached saturation in its traditional space. Do mobile devices really need anti-virus or can newer operating systems and technologies negate the need for this type of end point security? Can these companies transform their business models to the changing mobile security landscape and continue to provide a useful service to consumers? How can application stores and developer programmes be improved?

We are pleased to have some of the world’s leading mobile security experts speaking at the event next week. Make sure you sign up as soon as possible in order to reserve your place.

David Rogers runs http://blog.mobilephonesecurity.org. He is also advising the UK Department for Business, Innovation & Skills on Cyber Security for mobile.