back to article Three UK: We're sending you this SMS to warn you not to pay attention to unsolicited texts

A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a shortlink and textual urgings to click it and learn more. The definitely-not-smishing-honest message was received by Reg reader Chris, and he was not very chuffed with it. He told us: "They send an unsolicited …

  1. Zog_but_not_the_first
    Facepalm

    Care to guess...

    How many people would just follow the instruction and click on the link?

    1. Version 1.0 Silver badge
      Facepalm

      Re: Care to guess...

      An how many will just delete it? All this Covid spam (texts and phone calls) is getting deleted without even bothering to open it, no wonder tracking is failing.

      But spam calls and texts have been around forever now, and no government has done anything to force the service providers to eliminate it - it's theoretically illegal but nobody in control of it cares. Freedom of Speech has just become Freedom of Spam.

  2. Dan 55 Silver badge
    Facepalm

    Same sender and text with bit.ly link

    How many would go there? I guess a hundred thousand at least.

    We all know Android message clients aren't particularly secure.

    1. Pascal Monett Silver badge

      Re: Same sender and text with bit.ly link

      I never follow shortened URLs. They are a security risk by definition.

      Give me the full URL so I can see where it's going, or get stuffed.

  3. Giles C Silver badge

    They would have done better to put that link as a warning page, to teach people not to click on a link by sticking up a warning banner.

    Mind you send some people a link saying click here so you identity can be stolen and I’m sure a good percentage would do so.

  4. Anonymous Coward
    Anonymous Coward

    Isn't that the whole point. People who are dumb enough to click in the link get educated. People smart enough not to click on the link don't need it.

    1. Dale 3

      Indeed! It's like the argument that scam emails are deliberately written with terrible grammar and spelling because the types of people who wouldn't notice are also the types more likely to believe they've won an email lottery they never entered, so the scammer receives fewer replies but with better chances of getting some cash out of them - it improves the efficiency of the scam.

    2. Anonymous Coward
      Anonymous Coward

      life imitating art

      it reminds me a of (fairly known) web security blog for sys admins about how people click on links before they think. And then they provided an appropriate message on a linked page, and a counter, to prove their point.

    3. Swiss Anton

      Not so long ago I got an e-mail (apparently from my company's training department) informing me that I needed to take a mandatory online course on computer security. The email even had a link, please click here to start your training session. Of course I deleted it. Some weeks later my boss moaned at me because I hadn't taken the mandatory training. The irony.

  5. Individual #6/42
    FAIL

    Typical

    I get a monthly email from an international banking entity that just says:

    “Notice

    Your statement is available. Click here to login and review”

    It’s worse than most phishing attempts but is genuinely from them. Doesn’t even address me by name!

    1. Lee D Silver badge

      Re: Typical

      Most of them won't address you by name or even include the account number in the email now. Just in case an email goes astray to the wrong address and they get done under GDPR, one assumes.

      My Amazon Mastercard is like that. The emails are non-descript and, rightly, just ask you to log into your account to view your statement.

      1. Anonymous Coward
        Anonymous Coward

        Re: Typical

        I am a reseller for a very respected anti-virus company. Every month I bang my head against the wall when the emails appears from their accounts team. My (PDF) statement and my (PDF) confirmation of payment both appear from non-company addresses with an aliased company name attached. (The email comes from a weird Oracle company domain?)

        "Please open the attached file to view your Statement. To view the attachment, you first need the free Adobe Acrobat Reader. If you don't have it yet, visit Adobe's Web site http://www.adobe.com/products/acrobat/readstep.html to download it."

        The email doesn't even have a signature file setup...

        ARGH!!! Why can't someone from their own security team take the accounts department into a quiet room and explain this security thing that they are selling? The front end of the company gets it all right, but it is the accounts team that seem to run this clueless junk automated software.

      2. DiViDeD

        Re: Typical

        My bank just sends me SMS notifications that my statement is ready and suggests I log on to view it - never a link in sight. But at least they call me by my name.

    2. doublelayer Silver badge

      Re: Typical

      I recently got an email after trying to log in to an online service. It started well:

      "We noticed your login attempt seems unusual. To confirm that it is you, please enter the following code in the verification box: ..."

      And then things turned for the worse:

      "If you didn't attempt to log in, you should reset your password immediately." [reset your password is a link, and it goes to a subdomain of the original service]

      While it could be worse and go through some other domain, this is still a perfect setup for a phishing email. I could just copy this directly, change the link, and fire it off to thousands of other users. Maybe some day companies will realize that it's not a good idea to basically create the convincing phishing email for scammers.

  6. ThatOne Silver badge
    Facepalm

    Help people get phished

    An awful lot of institutions and companies, especially among those who should know better (banks...) insist on training users to accept phishing messages without hesitating: Vague reason for the message, generic phrasing (often with errors), obligatory obfuscated link to some place you're supposed to hand your credentials over, it's the basic phishing message, and you're supposed to get used to it being legit.

    If you contact them and tell them so, they just can't see the problem. Of course, since it's the clients' problem, not theirs...

    1. Anonymous Coward
      Anonymous Coward

      Re: Help people get phished

      Don't get me started on the banks... when my bank calls me it starts by asking for my date of birth... That call rarely goes well when I ask them who the fark they are and to proof it... stuck in a catch-22 of them refusing to prove who they are until I answer with my personal details. They phone me. they phone my landline. Why do they not see that *they* are the ones who need to proof who the are. ARGH!!

      1. DiViDeD

        Re: Help people get phished

        My bank in Arsetrailer used to do that - for security, please confirm your address. Me: OK, what address do you have? Them, no, you tell me your address to confirm who you are. Me: but you just rang me. Don't you know who I am?

        After a few weeks of being hung up on, accompanied by increasingly angry emails to the head office, they announced a new secure phone call management protocol. I like to imagine my continuing ire was at least partly responsible.

  7. Anonymous Coward
    Anonymous Coward

    Or the link my Mrs got from 3 telling her her account had been registered and activated and follow the link to login.

    Still no reply from their gdpr people so looks like a trip to the ico...

    1. Anonymous Coward
      Anonymous Coward

      Can you explain...

      Why there is a GDPR issue here? I must be missing something here. Are you saying the message should just have said "go to our website and login, or use the app"?

      1. iron Silver badge

        Re: Can you explain...

        MAybe she didn't open an account and has no idea why 3 are texting her?

        1. Anonymous Coward
          Anonymous Coward

          Re: Can you explain...

          Sorry yes. Unsolicited text saying sign in. Their helpdesk said lots of people had got this...

          1. Lee D Silver badge

            Re: Can you explain...

            I got this too... see my post below.

  8. bonkers

    Smishing?

    Smishing = SMS Phishing?

    Who on earth comes up with these ghastly smashed-together words.

    Some sort of complete Funt, presumably.

    1. General Purpose

      Re: Smishing?

      These ghastly smethered words, surely?

    2. intrigid

      Re: Smishing?

      It sounds like one of the steps in making wine.

      1. BebopWeBop
        Happy

        Re: Smishing?

        Before getting Pished?

  9. Lee D Silver badge

    Couple of weeks ago I got a text to an unpublished number - literally the first outside text ever received on it.

    It was from Three saying that "MyThree" account was ready and I needed to click the link.

    Strange, because I'm not with Three.

    That was followed, ten minutes later, by a text thanking me for activating my MyThree account.

    I contacted Three, and my real provider - Smarty. Now, Smarty uses Three networks but even they said I was right to ask as Three should never send me any messages and I wouldn't be able to use MyThree with their numbers anyway. Three were quite dismissive, but they did ask for a screenshot. They said it looked scammy.

    But, to the casual user, you would have got an SMS from "Three" (no number or other details available because who the hell needs that, right?) that looked like someone was in your account or that you needed to do something. And if you were on a Three-partnered network, that could well have been something you thought you needed to click on.

    But at no point did they bother to look at my account (both companies acted only on screenshots/what I told them) to try to determine the source of this text and/or stop someone sending a text claiming to be Three to their customers.

    At that point, I just think that it's partly their fault. There's no way for a half-intelligent user to know that the SMS wasn't genuine. Now they shouldn't click links, but the links went via a Three redirector, from what I can see, and looked like links to three.co.uk (I'm not going to click them to find out, but everything "looks" genuine). And they take no efforts to stop such anonymous texts being sent to their customers. They just took a screenshot off me, said "We didn't send that" and told me not to click it.

    I wouldn't mind but I've had that number for several months now (it's the data contract on a dual-SIM phone with my real number, so it never gets used except for data) - and that was the first ever text received in all those months.

    Something's going on at Three - and they're not doing very much about fixing it.

    1. Anonymous Coward
      Anonymous Coward

      This suggests, that if not number crunching through sequential numbers, someone at 3 is leaking out the numbers.

      I've not had one on either my real 3 phone, or my other phone that uses 3 as a backhaul, but is a reseller. One newer, one older.

      So it's rather confusing how and when these leaks are happening. When it was BT landlines, it seemed an internal call center leak. As if you phoned BT for an engineer, you'd get a "we sell internet security" phishing call 5 mins later.

  10. Anonymous Coward
    Anonymous Coward

    Is the telco link legit?

    My telco also sends me SMS text messages with URL shortened links.

    I never click on them but I have uploaded them to "urlscan(.)io" before.

    The problem is that some of the scripts used in the telco's webpage are so heavily obfuscated that I still can't figure out if the site is legit, hijacked with a card skimmer or using blackhat fingerprint techniques.

    (Or all of the above)

    Here's an example of one of the obfuscated scripts uploaded to PasteBin:

    https://pastebin.com/3B4Jib47

    1. ThatOne Silver badge
      Devil

      Re: Is the telco link legit?

      > if the site is legit, hijacked with a card skimmer or using blackhat fingerprint techniques

      Probably all three at the same time...

  11. John Robson Silver badge

    Great way to generate a list....

    Send a short URL to each user, those who click on the link can then have all links stripped from future SMS.

    It's a security feature

    1. nagyeger
      Thumb Up

      Re: Great way to generate a list....

      I want a plugin that does that to emails too. (active ones, I don't mind ones I have to read and manually

      copy/paste).

  12. heyrick Silver badge

    It's as bad as the banks

    Sending emails telling you never to follow links in messages claiming to be from the bank...

    ...followed by a big link button to go to your account.

    I kind of wonder if anybody who clicks the link has some sort of "UserIsATwat" flag set on their account?

    1. The Pi Man

      Re: It's as bad as the banks

      I came here to post much the same. The idiots I bank with send me emails When I have a new statement telling me how to recognise fraudulent emails. You can’t opt out of them. If I could, then I’d know that every email purporting to be from my bank was fraudulent. They also now send me txt messages telling my credit card bill is due. Normally a few days after I knew it was due - because I check my account several times a week and have already paid it. They seem obsessed with trying to contact me for absolutely no good reason.

      1. MiguelC Silver badge

        Re: It's as bad as the banks

        Also stupid Paypal and their monthly account activity emails that they tell you to click on to sign into your account...

      2. BebopWeBop

        Re: It's as bad as the banks

        My bank do send regular emails - they identify me by name, but then simply ask that I log in to my account securely (well, getting towards it with 2FA) to read the message (which invariably refers to ever diminishing interest rates).

      3. ThatOne Silver badge

        Re: It's as bad as the banks

        > They seem obsessed with trying to contact me for absolutely no good reason.

        They always have lots of people trying to justify their job by spamming the customer silly. The old quantity vs. quality problem.

        As for the "recognize fraudulent mail" part, I solved this by giving my bank a special, unique mail address nobody else knows about. This way if I receive bank email on another account, I automatically know it's fraudulent.

  13. Marjolica
    FAIL

    Ironically I got my first smishing text on Saturday: allegedly from Three. Said there were problems processing my bill payment and go and provide details by clicking through a bit.ly link. I didn't click the link, went to the Three website instead to check my account details. Going to login I was first redirected to a http address, which threw up the usual stop/warning from HTTPS Everywhere. I had to click through that (!) to get a redirect to a proper https page to login. Needless to say no problems with my account as bill still being prepared and I pay by Direct Debit anyway.

    When I checked where the bit.ly link pointed (no, I didn't click it) it went nowhere, so presumably by then it had been taken down.

    Along with today's faux-pas must say I'm not that impressed by Three's security at the moment.

  14. Anonymous Coward
    Anonymous Coward

    A mildly irritated Three spokesperson told us

    "We're very sorry for this stupid idea, clearly our Good Intentions Team has failed to join the dots on this occasion, the message has been passed to them, thanks!"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon