No, it’s really not just you. There are more spam SMS messages flying around than ever before. It doesn’t matter where you live or what phone you own, spam text messages trying to con you out of money are everywhere. They vary between convincing and not-at-all convincing, and are often a seemingly endless and annoying interruption.
Why do these messages keep appearing, what are they trying to gain, and how much of a problem is it?
Huge numbers mean big problems
Research from spam call and text-blocking company RoboKiller indicates SMS spam in the U.S. increased by 28% between February and March alone this year, with an almost unfathomable 11 billion spam text messages sent during March. It’s the most the company has seen since its records began in 2017, and puts 2022 on target to easily beat 2021’s estimated total of 86 billion spam SMS messages sent.
TrueCaller, a caller ID and spam-blocking service, puts the average number of spam SMS received by one person in the U.S. at 16.9 messages per month. Similarly huge numbers are seen all over the world. In mid-2021 in the U.K., the country’s telecoms regulator Ofcom stated that 45 million people had received a spam SMS over a three-month period.
The massive numbers involved mean that even if only a tiny percentage are lured into clicking a link in the message, a lot of people are opening themselves up to a scam and potentially having money stolen. In the Ofcom report, it’s stated that 2% of the 45 million people who received a spam message interacted with it, and that’s around 900,000 people.
The exact real-world cost of SMS-based fraud isn’t known, but TrueCaller’s data estimates a staggering 59 million people in the U.S. lost money due to a phone-based (that’s SMS and calls) scam during 2021, while a report from Javelin Strategy & Research showed identity fraud scams, which come from SMS, calls, and email, had a per-victim cost of $1,029 in 2021.
Delivery scams are common
You’ll probably be more aware of spam SMS messages that claim to come from a known or reputable company, with a link for you to follow in order to correct a problem or collect a prize. The lure is usually related to money, a product that’s waiting for you, or a desirable service. But how do they achieve this goal? Understanding it is a big step in preventing yourself from being scammed by SMS.
Cybersecurity company Malwarebytes has a great breakdown of a common spam SMS message you may have seen recently. Supposedly from the U.S. Postal Service, the message will tell you a package could not be delivered, and you should follow a link to arrange delivery. Similar spam messages could come from other delivery companies and couriers, or relate to the cancellation of a service, or to insurance or medical costs.
The link may lead to a convincing, but fake, website where you will be asked to fill in your personal details and potentially pay a fee, which is supposedly for redelivery in the case of the U.S. Postal Service SMS. All of this is a scam, designed to either collect your personal details so they can be used for further scams or resold to other scammers, or to directly collect money fraudulently.
A study in October 2021 by U.K. bank TSB found 81% of scam SMS messages were related to deliveries, and highlighted another way these scams operate. If you follow the link and provide your details, the scammer may then call you and impersonate your bank’s fraud team, trying to persuade you to place your money into a fake “safe account” after filling in the fake delivery form. The bank says the average amount lost to scams like this is 4,500 British pounds, or about $5,850.
“Clicking on a link in an SMS might seem like a small act, but it could be the beginning of your life savings being stolen from you,” the director of TSB’s fraud prevention team told The Guardian.
What do scam messages look like?
Think you can always recognize a spam SMS? Some can be very convincing, and when you’re busy or expecting a similar genuine message, it’s quite easy to be fooled. The three messages you see below are examples of spam SMS messages sent to one of our editors, and give you a good idea of what to look out for.
The Amazon Prime message is grammatically convincing, spelled correctly, and entirely believable. However, the giveaway that it’s fake — outside of the fact that Amazon won’t send you an SMS message like this — is the use of a URL shortener, which obfuscates where the link will actually take you if you click it. It won’t be Amazon’s website, but a fake version designed to harvest your details, just like the U.S. Postal spam message described above.
The Netflix message is notable because it uses nonstandard fonts. These are designed to circumvent your phone network’s spam filters, so although the message looks odd to us, it won’t be automatically scooped up by an automated filter. It’s the same tactic for spam messages that arrive with irregular spacing between characters.
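How a filter can see through the tricks described above, as an added example (not from the article or from any carrier's actual filter): it folds styled Unicode letters back to plain text, then checks for spaced-out characters and link-shortener hosts. The host list, the threshold and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Link-shortener hosts to flag. Illustrative, not exhaustive;
# "short.example" is a placeholder used by the constructed samples below.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "short.example"}
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)
# Four or more single characters separated by spaces, e.g. "P a r c e l".
SPACED_RE = re.compile(r"\b(?:\w ){3,}\w\b")
STYLED_THRESHOLD = 3  # assumed cut-off; tolerates a stray symbol such as a fraction


def fold(text):
    """Map styled or full-width letters to their plain forms (Unicode NFKC)."""
    return unicodedata.normalize("NFKC", text)


def count_styled(text):
    """Count non-ASCII characters that NFKC turns into plain ASCII letters or digits."""
    return sum(1 for ch in text
               if not ch.isascii() and fold(ch).isascii() and fold(ch).isalnum())


def inspect_sms(text):
    """Return the warning signs present in one message, in a fixed order."""
    signs = []
    clean = fold(text)
    if count_styled(text) >= STYLED_THRESHOLD:
        signs.append("nonstandard-characters")
    if SPACED_RE.search(clean):
        signs.append("irregular-spacing")
    if any(h.lower() in SHORTENER_HOSTS for h in HOST_RE.findall(clean)):
        signs.append("url-shortener")
    return signs


# Constructed sample messages (not real spam). The first word of STYLED is
# "Netflix" written in Mathematical Sans-Serif Bold code points.
STYLED = ("\U0001d5e1\U0001d5f2\U0001d601\U0001d5f3\U0001d5f9\U0001d5f6\U0001d605"
          ": your account is on hold, confirm your details to continue")
SAMPLES = [
    "Prime: your membership could not be renewed, update at https://short.example/a1b2",
    STYLED,
    "P a r c e l held at depot, reply YES to rearrange",
    "Your table is booked for 7pm on Friday. See you then!",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(inspect_sms(sms), "<-", fold(sms))
```

NFKC does not fold look-alike letters borrowed from other scripts (Cyrillic, for example), so a production filter would also need a confusables table.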
Can they be stopped?
At a network level, it’s very difficult to stop SMS spam. Verizon recently outlined the steps it has taken to thwart SMS spam before it reaches your phone. Tools include network monitoring to identify unusual activity from new numbers, along with filters to block messages. Verizon says it has stopped a grand total of 20 billion spam calls from reaching phones, but does not list how many messages it has blocked.
Unfortunately, it’s relatively simple for criminals to set up a “SIM farm” to send multiple spam messages, so no matter how many are blocked, more are usually right behind them. The U.K. consumer watchdog group Which? wrote the following in its overview of the spam problem:
“At a basic level, scammers can use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ — devices that operate several SIM cards at a time. The equipment and software are available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.”
Random numbers sending spam SMS is one thing, but fraudsters are clever. Many messages arrive and appear to be from legitimate businesses, increasing credibility and the chances of success. This is due to the way mobile networks operate, and a specific protocol called Signaling System 7 (SS7), which can be exploited to show a different number than the one actually being used to contact you.
According to network security and fraud experts BICS, a company based in Brussels, speaking to the BBC on the subject last year, networks are still reliant on SS7, and are likely to be for another 10 years.
What can you do?
You are extremely unlikely to avoid spam SMS altogether, given the massive amount being sent each day and the established technology being exploited, but you can take steps to make sure they don’t become an annoyance, or worse, that you fall victim to them.
Report SMS spam to your network, then block the number. Report the spam by forwarding a message to the number 7726, which can be remembered because it spells SPAM on an alphanumeric keyboard. Helpfully, this number is applicable to people all over the world, but check with your carrier if you’re unsure. There are also subscription services, such as RoboKiller and TrueCaller, available if spam becomes a serious problem for you.
Outside of technology, making sure you’re aware of the threat and how these scams work is just as vital for protection. Verizon gives some good advice in an article about how it’s protecting its subscribers. It writes:
“Slow down. Criminals want you to act first and think later. Legitimate organizations will never ask for personal details via email or text message.”
The message is simple yet effective. A moment taken to think about what you’re seeing could make all the difference. The director of TSB’s fraud prevention team said something similar: “It’s important to remain on guard. Never input personal details into an SMS link, and certainly not your card details.”
Next to reporting and blocking spam SMS numbers, remaining on guard and mindful of how dangerous SMS spam can be is an equally important step in protecting yourself from getting scammed.