That text message about a delayed package may just be a scam

CHARLOTTE — What should you do about a message from the post office about a delayed package? It looks like the real deal, but the message may be anything but legitimate.

Consumer Adviser Clark Howard is warning people to protect themselves from “smishing” attacks, especially as shipping ramps up around the holiday season.

“It’s not out of the ordinary for anybody to get one of these status updates from a legitimate source,” said threat researcher Willis McDonald. “For one thing, the domain is wrong.”

McDonald told Howard that checking the “domain,” or the link that’s included in the text, is the best way to spot fraud. If it doesn’t point to your carrier’s legitimate website, it’s likely a scam.

Another red flag is multiple requests to enter your information, even after the scammers already have it.

“They’re selling access to other people. They’re logging into accounts to see, say, how much money you have or get an idea of whether you’re an important person with access to other systems,” McDonald said.

Tracking the scammers

But who’s behind it all? That’s what another threat researcher, who asked to remain anonymous, wanted to know after his wife fell victim to one of these texts.

“So I started digging into their site and did some vulnerability research,” he said. “I was able to use that to crack passwords for those admins, figuring out where they were coming from.”

They were coming from a group called the “Smishing Triad.” The fraudsters would sell smishing kits online for a few hundred dollars.

“The scammers themselves were using a lot of different domains. They’d used over 1,100 domain names, so there’s different URLs in those texts,” the researcher said.

He found more than 400,000 people had entered their credit card number.

“Yeah, there’s a lot of credit cards for a lot of people,” he said.

He sent the information to federal investigators and multiple banks. Eventually, he connected with the owner of the kit and posed as a student interested in developing his own.

“He opened up a little bit more about who he is and he mentioned that, ‘Yeah, I’m a computer science student in China,’” the researcher said. “He’s probably around my age and even though it’s very poorly designed and developed, it’s still making a lot of money off it.”

That’s why you should never click on those text links, and why you should report fraud right away.

There are simple steps you can take to protect yourself:

  • Freeze your credit files with the major credit bureaus. It’s free and takes less than 15 minutes.
  • Set up two-factor authentication for your accounts.
  • Check your accounts at least once a week.
