The coronavirus pandemic has produced a ripe environment for text message phishing attacks. Such scams are socially engineered to exploit people’s vulnerable impulses, experts say, and sharply rose in 2020. Many Americans sign up for text message notifications and reminders, from health care providers to shipping services, but as SMS phishing becomes more widespread, consumers will have to exercise more vigilance with texts of unknown origins.
According to the security firm Proofpoint, mobile phishing attempts increased by more than 300 percent in the third quarter of 2020, compared to the second. These scammers are primarily impersonating financial institutions and major technology companies, although the Proofpoint report noted that they’ve also zeroed in on “brands that consumers are frequently turning to during the pandemic.” The US Department of Health and Human Services warned the public in late December of potential fraud schemes related to Covid-19 tests, contact tracing, vaccine eligibility, and Medicare prescription cards.
An unsuspecting recipient might be prompted to click on a hyperlink sent via text to confirm the delivery of a delayed package or to check the status of a Covid-19 test. The wording of these attacks might vary; people have received malicious texts about Netflix or Amazon accounts being locked due to a declined payment, for example. Regardless of the method, the scammer’s goal is to get away with a person’s financial details and personal data, which could be used for identity theft.
An analysis of 80,000 self-reported scams from the background check company BeenVerified discovered that nearly one in 10 fraud attempts in 2020 was related to package deliveries. “It definitely has overtaken 2019’s top scam, which were texts and calls targeting people’s Social Security information,” said Richard Gargan, a spokesperson for the company. “What scammers do is they quickly pivot their tactics depending on what is happening in the nation, what they think will work. As soon as stay-at-home orders were being given, and people started to order online more, these delivery texts began to shoot up.”
Last March, Recode’s Sara Morrison reported that scammers were exploiting fear of the new outbreak to steal private information or to lure people into downloading malware through phishing emails. “National emergencies or disasters add a fear factor that acts as one more hook for hackers to get what they need,” Ron Culler, senior director of technology and solutions at ADT Cybersecurity, told Morrison. “When fear is added to any targeted campaign — be it a legitimate or scam campaign — the effectiveness of that campaign is increased.”
Quincy, a Texas resident who asked to withhold his last name for privacy reasons, told Vox that he has been the recipient of various text message scams since 2018. The schemes change to address current events, and although he has been persistent in blocking and reporting the senders, the scams have grown more sophisticated in the past year.
“I never respond or click on the link so I have no idea where it leads,” said Quincy, although he was “almost convinced” by a recent delivery text. Lately, he has been bombarded with offers to receive $6,000 from senders with various area codes.
“None specifically mentioned Covid, though the sender knows that people are experiencing financial hardships so the text messages use financial assistance as the hook,” Quincy concluded. “It’s easy to get scammed out here.”
Older adults are more vulnerable to financial cybercrimes than other age groups; a 2019 report by the Aspen Tech Policy Hub found that scammers have disproportionately targeted the demographic. However, the sheer number of daily SMS phishing messages being sent — and the variety of approaches — suggests that these schemes are broadly targeting regular smartphone users.
Scammers are constantly testing tactics and variations of their messages to determine which are the most effective. “The messages are always changing, and we’re worried they might pivot to Covid testing scams,” said Gargan of BeenVerified. More people have become attuned to computer malware schemes, which are usually sent via email, or robocalls.
The format of an SMS scam, however, often mirrors a text a person could receive from a legitimate service provider; the distinguishing factor usually lies in the hyperlink. If anyone is ever doubtful of a message they’ve received, say, for a package delivery, Gargan suggests using a second source to double-check the text. “We know scammers are targeting people with a lack of time,” he said. “Check the URL. Go on your computer and check from the actual website. That might save you more time in the long run.”