
Care to guess...
How many people would just follow the instruction and click on the link?
A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a shortlink and textual urgings to click it and learn more. The definitely-not-smishing-honest message was received by Reg reader Chris, and he was not very chuffed with it. He told us: "They send an unsolicited …
And how many will just delete it? All this Covid spam (texts and phone calls) is getting deleted without even bothering to open it, no wonder tracking is failing.
But spam calls and texts have been around forever now, and no government has done anything to force the service providers to eliminate it - it's theoretically illegal but nobody in control of it cares. Freedom of Speech has just become Freedom of Spam.
Indeed! It's like the argument that scam emails are deliberately written with terrible grammar and spelling because the types of people who wouldn't notice are also the types more likely to believe they've won an email lottery they never entered, so the scammer receives fewer replies but with better chances of getting some cash out of them - it improves the efficiency of the scam.
Not so long ago I got an e-mail (apparently from my company's training department) informing me that I needed to take a mandatory online course on computer security. The email even had a link, please click here to start your training session. Of course I deleted it. Some weeks later my boss moaned at me because I hadn't taken the mandatory training. The irony.
Most of them won't address you by name or even include the account number in the email now. Just in case an email goes astray to the wrong address and they get done under GDPR, one assumes.
My Amazon Mastercard is like that. The emails are nondescript and, rightly, just ask you to log into your account to view your statement.
I am a reseller for a very respected anti-virus company. Every month I bang my head against the wall when the emails appear from their accounts team. My (PDF) statement and my (PDF) confirmation of payment both appear from non-company addresses with an aliased company name attached. (The email comes from a weird Oracle company domain?)
"Please open the attached file to view your Statement. To view the attachment, you first need the free Adobe Acrobat Reader. If you don't have it yet, visit Adobe's Web site http://www.adobe.com/products/acrobat/readstep.html to download it."
The email doesn't even have a signature file set up...
ARGH!!! Why can't someone from their own security team take the accounts department into a quiet room and explain this security thing that they are selling? The front end of the company gets it all right, but it is the accounts team that seem to run this clueless junk automated software.
I recently got an email after trying to log in to an online service. It started well:
"We noticed your login attempt seems unusual. To confirm that it is you, please enter the following code in the verification box: ..."
And then things turned for the worse:
"If you didn't attempt to log in, you should reset your password immediately." [reset your password is a link, and it goes to a subdomain of the original service]
While it could be worse and go through some other domain, this is still a perfect setup for a phishing email. I could just copy this directly, change the link, and fire it off to thousands of other users. Maybe some day companies will realize that it's not a good idea to basically create the convincing phishing email for scammers.
An awful lot of institutions and companies, especially among those who should know better (banks...) insist on training users to accept phishing messages without hesitating: Vague reason for the message, generic phrasing (often with errors), obligatory obfuscated link to some place you're supposed to hand your credentials over, it's the basic phishing message, and you're supposed to get used to it being legit.
If you contact them and tell them so, they just can't see the problem. Of course, since it's the clients' problem, not theirs...
Don't get me started on the banks... when my bank calls me it starts by asking for my date of birth... That call rarely goes well when I ask them who the fark they are and to prove it... stuck in a catch-22 of them refusing to prove who they are until I answer with my personal details. They phone me. They phone my landline. Why do they not see that *they* are the ones who need to prove who they are. ARGH!!
My bank in Arsetrailer used to do that - for security, please confirm your address. Me: OK, what address do you have? Them: no, you tell me your address to confirm who you are. Me: but you just rang me. Don't you know who I am?
After a few weeks of being hung up on, accompanied by increasingly angry emails to the head office, they announced a new secure phone call management protocol. I like to imagine my continuing ire was at least partly responsible.
Couple of weeks ago I got a text to an unpublished number - literally the first outside text ever received on it.
It was from Three saying that my "MyThree" account was ready and I needed to click the link.
Strange, because I'm not with Three.
That was followed, ten minutes later, by a text thanking me for activating my MyThree account.
I contacted Three, and my real provider - Smarty. Now, Smarty uses Three networks but even they said I was right to ask as Three should never send me any messages and I wouldn't be able to use MyThree with their numbers anyway. Three were quite dismissive, but they did ask for a screenshot. They said it looked scammy.
But, to the casual user, you would have got an SMS from "Three" (no number or other details available because who the hell needs that, right?) that looked like someone was in your account or that you needed to do something. And if you were on a Three-partnered network, that could well have been something you thought you needed to click on.
But at no point did they bother to look at my account (both companies acted only on screenshots/what I told them) to try to determine the source of this text and/or stop someone sending a text claiming to be Three to their customers.
At that point, I just think that it's partly their fault. There's no way for a half-intelligent user to know that the SMS wasn't genuine. Now they shouldn't click links, but the links went via a Three redirector, from what I can see, and looked like links to three.co.uk (I'm not going to click them to find out, but everything "looks" genuine). And they take no efforts to stop such anonymous texts being sent to their customers. They just took a screenshot off me, said "We didn't send that" and told me not to click it.
I wouldn't mind but I've had that number for several months now (it's the data contract on a dual-SIM phone with my real number, so it never gets used except for data) - and that was the first ever text received in all those months.
Something's going on at Three - and they're not doing very much about fixing it.
This suggests that, if not number crunching through sequential numbers, someone at 3 is leaking out the numbers.
I've not had one on either my real 3 phone, or my other phone that uses 3 as a backhaul, but is a reseller. One newer, one older.
So it's rather confusing how and when these leaks are happening. When it was BT landlines, it seemed an internal call center leak. As if you phoned BT for an engineer, you'd get a "we sell internet security" phishing call 5 mins later.
My telco also sends me SMS text messages with URL shortened links.
I never click on them but I have uploaded them to "urlscan(.)io" before.
The problem is that some of the scripts used in the telco's webpage are so heavily obfuscated that I still can't figure out if the site is legit, hijacked with a card skimmer or using blackhat fingerprint techniques.
(Or all of the above)
Here's an example of one of the obfuscated scripts uploaded to PasteBin:
https://pastebin.com/3B4Jib47
I came here to post much the same. The idiots I bank with send me emails when I have a new statement telling me how to recognise fraudulent emails. You can't opt out of them. If I could, then I'd know that every email purporting to be from my bank was fraudulent. They also now send me txt messages telling me my credit card bill is due. Normally a few days after I knew it was due - because I check my account several times a week and have already paid it. They seem obsessed with trying to contact me for absolutely no good reason.
> They seem obsessed with trying to contact me for absolutely no good reason.
They always have lots of people trying to justify their job by spamming the customer silly. The old quantity vs. quality problem.
As for the "recognize fraudulent mail" part, I solved this by giving my bank a special, unique mail address nobody else knows about. This way if I receive bank email on another account, I automatically know it's fraudulent.
Ironically I got my first smishing text on Saturday: allegedly from Three. Said there were problems processing my bill payment and go and provide details by clicking through a bit.ly link. I didn't click the link, went to the Three website instead to check my account details. Going to log in I was first redirected to an http address, which threw up the usual stop/warning from HTTPS Everywhere. I had to click through that (!) to get a redirect to a proper https page to log in. Needless to say no problems with my account as bill still being prepared and I pay by Direct Debit anyway.
When I checked where the bit.ly link pointed (no, I didn't click it) it went nowhere, so presumably by then it had been taken down.
Along with today's faux pas, I must say I'm not that impressed by Three's security at the moment.
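One way to do what the post above describes (see where a shortener link points without clicking it) is to walk the redirect chain with HEAD requests and automatic redirects switched off, which also catches the https-to-http downgrade the same post ran into. This is an added example, not the poster's code; it assumes the shortener answers HEAD the way it answers GET, and the hop table below is constructed to stand in for the live bit.ly link so the walk runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse automatic redirects so every hop is observed explicitly."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_location(url, timeout=5):
    """One HEAD request; returns (status, Location header or None).
    Assumption: the shortener answers HEAD the same way it answers GET."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises on 3xx/4xx/5xx
        return err.code, err.headers.get("Location")

def resolve_chain(url, fetch=head_location, max_hops=10):
    """Walk the redirect chain hop by hop without fetching any page body.
    Reports the hops, the final non-redirect status (None if max_hops was
    exceeded) and whether any hop dropped from https to plain http."""
    hops, downgraded = [url], False
    for _ in range(max_hops):
        status, loc = fetch(hops[-1])
        if status not in REDIRECT_CODES or not loc:
            return {"hops": hops, "final_status": status, "downgraded": downgraded}
        nxt = urljoin(hops[-1], loc)  # Location may be relative
        if urlparse(hops[-1]).scheme == "https" and urlparse(nxt).scheme == "http":
            downgraded = True
        if nxt in hops:  # redirect loop: stop rather than spin
            return {"hops": hops, "final_status": status, "downgraded": downgraded}
        hops.append(nxt)
    return {"hops": hops, "final_status": None, "downgraded": downgraded}

# Constructed hop table standing in for a live shortener, so the walk runs offline.
CONSTRUCTED_HOPS = {
    "https://short.example/abc": (301, "https://redirector.example/go?x=1"),
    "https://redirector.example/go?x=1": (302, "http://login.example/"),
    "http://login.example/": (404, None),  # "went nowhere": already taken down
}

def fake_fetch(url):
    return CONSTRUCTED_HOPS.get(url, (404, None))
```

Call `resolve_chain(url)` with the default `fetch` to walk a real link; pass `fetch=fake_fetch` to replay the constructed chain.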