Skip to Content

Phishing scam steals your login using your smartphone

As a loyal reader, you know that phishing emails are popular with cybercriminals. This is when scammers create fraudulent emails appearing to be from a trusted source, hoping to trick you into clicking a malicious link.

Unfortunately, things are about to get worse. Scammers are now turning their attention to mobile devices and the new technique is super tricky.

How criminals are targeting mobile devices

Cybercriminals are now creating fraudulent SMS, or text messages, that are set up like phishing scams. It’s called “smishing,” short for SMS phishing. The latest smishing scam is so convincing, anyone could fall for it.

Scammers are now sending text messages with a new technique being dubbed “URL padding.” How it works is, an unsuspecting victim receives a message claiming to be from a trusted source such as Facebook, Apple or Comcast.

The message contains a link that’s supposedly going to the source’s mobile site. For example, Facebook’s mobile address is

Now, criminals are creating links that disguise its true domain by adding multiple hyphens. PhishLabs researchers found examples that look like the following:


The address box on your mobile browser is only so big. By adding hyphens after the official address in these links, the victim doesn’t see where the link is actually going to take them.

Once you click the link you’re taken to a spoofed website. It looks like a real Facebook login page. There, you will be asked to give the criminal your credentials. The following image shows an example of a spoofed Facebook page:

Image: Example of spoofed Facebook page. (Source: Arstechnica)

This scam doesn’t only target Facebook users. Criminals are also setting up spoofed sites for financial institutions where they ask for credit and debit card information.

The cybercriminals behind these attacks could also change the payload at any time. Down the road, instead of requiring banking or login details the malicious links could infect your gadget with malware or ransomware. You really need to be prepared for anything these days.

How to defeat a smishing scam:

  • Use caution with links – Do not click on a link inside a text that’s from someone you don’t know. There’s a chance it’s malicious and will take you to a spoofed site. If you need to log into one of your online accounts, type the web address directly into your browser.
  • Be vigilant – Never assume that a text message or email is genuine. Scammers can spoof phone numbers, websites and email addresses to make them look official. Don’t click on links within these messages, always type the website address into your browser or call the phone number located on the back of your card.
  • Trust your instincts – If a text or email seems suspicious, delete it immediately. Follow up by calling the company using the trusted phone number on the back of your card.
  • Security details – You should NEVER reveal your security details like your full passwords or PIN code over the phone. A bank will never ask for your online account password over the phone. They might ask you to answer a preset security question, which is fine, but never your password.
  • Phone number – If you receive a text or email claiming to be from your bank, do NOT call the phone number that is provided. Whenever you need to discuss banking details, always call the number that is printed on the back of your debit or credit card. That way you know the number is legit and you’re not going to be scammed.
Note: If you are reading this article using the App, click here to see an example of a spoofed Facebook page.

More stories you can’t miss:

3 essential security tasks to do right now

5 password mistakes that will likely get you hacked

Amazon Prime launches new cashback perk

Stop robocalls once and for all

Robocalls are not only annoying, but they scam Americans out of millions every year. Learn Kim's tricks for stopping them for good in this handy guide.

Get the eBook