
Warning: Fake text messages stealing personal information


If you use a smartphone, this is an important warning for you. Please follow along to learn about this scary new threat, and what you need to change right now to be safe. For years, I've been giving you the heads up and the tools to keep you, your family and your money safe from all the bad guys out there who are forever trying to rip you off. Now I've found a scary new way hackers can target you without you even realizing it. And by the time you do catch on, it will probably be way too late!

It all involves your smartphone, your cell provider and text alerts. By now, most folks are completely used to communicating back and forth with family and friends via text. Businesses have caught on, too. Text is a cheap and easy way for companies to connect with customers. One type of company that uses texts a lot is our cellphone providers. After all, they already have our cellphone numbers, so it's simple for them to push out messages.

Cellphone providers regularly send text alerts and other messages to users. These messages might be a warning that you are approaching your data limit or that your monthly bill is ready. Here is a message I just got the other day from Verizon with a friendly heads up that my bill is ready. Pretty convenient, right?

[Image: text message from Verizon]

Just one problem. You really have no idea if this is actually from your legitimate cellphone provider or where the link might take you! And here's the reality: In your busy life, it is very tempting to just click on the link and enter your login credentials, right? Guess what? If this message is from a hacker, you just gave away the keys to your cellphone account and perhaps everything else that goes with it, perhaps even your credit card numbers.

Once again, the bad guys have figured out how to exploit a shortcut many of us use, so they can have a chance to rip us off. So take a look at that Verizon message again:

[Image: the same Verizon message with the sender number and link highlighted]

Did you second-guess the number it came from? Did you question the link, mobile.vzw.com? Well, you should! Turns out it is way too easy for nearly anyone to pretend to be a big company for little or even no expense at all. In the hacking world, this is called "spoofing." By spoofing a trusted business so that you think you are communicating with it, the hacker can trick you into handing over your login user names and passwords.

Don't panic yet, because further down I have the simple steps you can take to protect you and yours from this latest trick. But first, you should understand how this works, so you'll know what to look out for. Texts from your cellular provider and other trusted companies, and even non-profits, often come from short codes. A short code is a four- or five-digit number used to send texts. Anyone can buy a short code for a couple thousand dollars, but you can also get a 30-day short code trial for free.

When you receive a text from a short code, you have no way of knowing who actually sent it.

To demonstrate just how confusing this can be, a computer programmer, Dani Grant, spoofed a text to look just like one she received from her cell provider, AT&T. Can you tell the difference?

[Image: two AT&T-style text messages side by side]

Both messages come from a short code number and both have an "att" link, right? If you are like most folks, you probably can't tell which one is real. That's what makes this hack so scary!

Here's the answer: the left-hand message is real, the right-hand version is fake. The programmer simply got a short code, 955-77, and a website address that has "att" and "mobility" in it.

To make matters even more confusing, many companies are not consistent with the numbers they send from, the format of their text messages or even the websites they link to. All of this confusion offers tons of opportunities for hackers to fool their victims.

Once a hacker sends their fake text to you, the next step is to trick you into handing over the keys to your account. After all, if you willingly hand over your password, even if it is super strong as I've recommended, the hacker never has to try to crack it! How does the hacker fool you into giving away your login? It all has to do with the link that is in the text message.

Like most folks, you may not think twice about clicking on a link from a trusted sender like your cell provider. To make it even more complicated, even a legitimate link sent to a smartphone via text probably takes you to a special, mobile-optimized site. That is, a site specially built to work well with mobile gadgets and their small screens. That's the case with my Verizon example above. The link "mobile.vzw.com" is not the "verizon.com" website I'm accustomed to visiting from my computer's browser.

This confusion over website links is a perfect opportunity for a hacker to slip in a link that looks very similar to the trusted company's, maybe with just one letter of difference, and that you would totally trust.

Next is the real payday for the hacker. Their fake link takes you, the unsuspecting customer, to a look-alike website. This site that pretends to be your cell provider's site is complete with user name and password entry fields. Put in the requested information, click "enter," and boom, you just handed over your login to a crook!

If there's one thing that you can learn from this, it's that text messages can easily be faked. This has been circulating among hackers recently. Now that the information is out there, the hackers will undoubtedly be sending more phishing texts like these to steal your information.

Your first line of defense against these threats is your own awareness. Just reading this article now alerts you to second-guess a message that might have easily fooled you. But I have some other practical steps you can take as well. Follow this advice and you'll make it a lot tougher for the bad guys to rip you off.

When you get a text with a link:

  • Do not click the link
  • If you have an app from the company that is sending the message, check the app for the same message (apps are much safer than text messages)
  • Log in to your account from a browser using the Web address you know to be legitimate
  • Call the company's customer service department to confirm the message
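
The "one letter difference" and "att"-in-the-name tricks described above can be checked mechanically against the addresses you already know to be legitimate. The sketch below is an added example, not code from the original article: the allowlist, the brand-word list and the sample look-alike domains are constructed assumptions, and the "last two labels" domain rule is a simplification.

```python
import re

# Assumption: domains the reader already knows to be legitimate
# (taken from the article's Verizon and AT&T examples).
KNOWN_GOOD = {"verizon.com", "vzw.com", "att.com"}
# Assumption: brand words a look-alike address might embed.
BRAND_TOKENS = ("verizon", "vzw", "att")

# Finds bare or http(s) links in message text and captures the host name.
LINK_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def registrable(host):
    """Naive 'last two labels' rule; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    dom = registrable(host)
    if dom in KNOWN_GOOD:
        return "known-good"
    # One typo away from a trusted domain: the "one letter difference" trick.
    if any(edit_distance(dom, good) <= 1 for good in KNOWN_GOOD):
        return "lookalike"
    # Brand word used as part of somebody else's domain name.
    labels = re.split(r"[.-]", host.lower())
    if any(label.startswith(BRAND_TOKENS) for label in labels):
        return "brand-in-unknown-domain"
    return "unknown"

def check_sms(text):
    """Return (host, verdict) for every link found in a text message."""
    return [(host.lower(), classify(host)) for host in LINK_RE.findall(text)]

if __name__ == "__main__":
    # Constructed sample messages; the look-alike domains are made up.
    for sms in ("Verizon Msg: Your bill is ready. View it at mobile.vzw.com/mybill",
                "Free Msg: your bill is ready at att-mobility.example/pay",
                "Account alert: sign in at verizom.com/login"):
        print(check_sms(sms))
```

A "known-good" verdict only describes where the link points; it says nothing about who sent the message, so the steps in the list above still apply.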

The Internet's dark side is massive. There's a million-dollar market out there for your personal information that exploits tricks like this to steal a buck out of your wallet.
