With the holiday shopping season just around the corner, you’ve probably subscribed to all sorts of shopping notifications and shipping alerts. This is smart, since you’ll know exactly when your packages are due to arrive and when hot deals go live.
Unfortunately, scammers are paying attention to these trends, too. That’s why they’re shifting to text messages as part of a new strategy to trap victims.
Text message scams are on the rise, and it’s getting harder to tell them apart from real alerts sent by businesses and shipping services. If you want to keep your money and data safe this holiday season, here are some phony texts you need to watch out for.
New text message scams are taking shape
SMS phishing (also known as “smishing”) is becoming more common as the COVID-19 pandemic rages on. A report from Digital Shadows shows a spike in malicious text messages with phishing links since April. The problem will only get worse as more people shop online during the holiday season.
These text message scams all share a common tactic: impersonating real companies and services. Each text includes an urgent call to action message and a malicious link that takes you to a phishing website. If you enter personal or financial information on one of these sites, the data is sent back to the scammers running the campaign.
To look even more legitimate, some of these scams will actually call you by your first name or reference your home address. If you’re wondering how the scammers got this information, it’s all thanks to data breaches.
Know the signs
If you’re expecting real texts from delivery services or other companies, you might get confused if a scam text reaches your phone. Thankfully, there are a few major red flags that can help you spot the fakes before you get in trouble:
- Spelling and grammar errors: Text message scams sometimes contain obvious spelling and grammar mistakes. This is because many of them are run out of foreign countries where English isn’t the primary language.
- Threatening or urgent-sounding language: Many text message scams give the impression that something bad will happen if you don’t respond. This can include frozen accounts, missing a delivery or financial trouble.
- Payment requests: Some scam texts say you need to pay a deposit or confirm your payment information. You should never give this information away or respond to any message that asks for this.
- Spoofed numbers: Scammers often spoof official phone numbers to mask their identity. The recent batch of scam texts uses the following area codes: 917, 765, 646, 470, 347 and 332.
In addition to repeating area codes, many of the scams making the rounds use the same tricks over and over again. Here are the eight most common scams you’ll encounter by text message.
1. That Amazon delivery alert is bogus
With this scam, you get a text message that looks like an Amazon delivery notification. The message asks you to confirm delivery by clicking a link inside. If you click it, you’ll end up on a phishing website that asks for personal information like your name, address and payment card number.
Sometimes, the website will use Amazon’s actual logo to look more real. Most of the time, though, it’s a generic-looking landing page. If you share your information with this site, it will end up in the hands of whoever is running the scam campaign.
2. That USPS notification is a scam
Similar to the Amazon text, the USPS text asks you to confirm delivery by sharing personal information. The text will try to pressure you by saying your package is either delayed or on the verge of being delivered. Clicking the link in the text will take you to a phishing site.
And just like the Amazon scam, sharing your information will lead to identity theft. The landing pages of the phishing sites sometimes use the official USPS logo, but more often look generic.
3. FedEx didn’t really text you
The FedEx scam is a lot like the two above — only with a far less convincing website. Some use the official FedEx logo when you click the phishing link, but others will take you to a weird Amazon survey that has nothing to do with the text you received.
You’ll then be asked to enter your information in order to claim a prize. Some variants of this scam ask you to confirm delivery. Both will ask for payment information that the website can steal. The phishing websites also have an unusual address that has nothing to do with FedEx — an easy red flag to check for.
4. Sometimes they don’t even say who they’re with
Besides big-name impersonators, there are plenty of fake delivery texts that don’t even tell you which service they’re from. Usually, these texts will feature a generic delivery alert along with a phishing link.
One common variant uses broken English in the initial text, which can make it easier to spot:
[your name], we came across a parcel from [a recent month] pending for you. Kindly claim ownership and confirm for delivery here, [link]
It should go without saying, but don’t click the link.
5. You’re not getting an iPhone 12
Who doesn’t want free stuff? Scammers are betting on it. This message claims you were selected as a beta tester for the new iPhone 12. From here, you’ll be asked to click a link and fill out your shipping address and payment information to get your new phone.
Of course, no phone ever comes — and the website the text links you to is a phishing site. Interestingly, this scam rarely uses the correct name. Some researchers believe it’s trying to trick victims into thinking they’re getting a secret message intended for someone else.
6. PayPal won’t text you like this
Millions of people rely on PayPal for online transactions, which is why account alerts are no laughing matter. Scammers are aware of this too, which is why they make fake PayPal alerts as urgent and scary as possible.
If you get a fake PayPal text, it may include dangerous scenarios like breached accounts, incoming charges and fraud alerts. Of course, all of these threats are fake — but it’s still worth checking on your account to make sure everything is alright. Just make sure not to click the link from the text. Go to PayPal’s website yourself and log in.
7. Don’t bank on this CashApp text
These texts claim to come from CashApp, one of the most popular peer-to-peer payment and financial apps. The message describes some kind of incoming payment or issue with your account, and you are asked to confirm personal data if you click the link.
This variant will sometimes use urgent language, in the form of a large incoming payment, an expensive charge notification or a suspended account alert. Either way, the link will lead you to a phishing site.
8. This card notification is fraud
This scam variant is a bit more vague than the others. Usually, it’s a message describing an issue with a payment card or financial service like a bank. For added realism, the text may even include your name.
And, like usual, clicking the link in the text will take you to a phishing site. This is why it’s so important to use your best judgment with every message you receive — even if it includes your real name or other personal information.
Despite how many scams are circulating right now, most of these tactics aren’t new — especially delivery texts. This means they’ll be easy to spot if you know what to look for.
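The red flags listed under "Know the signs," plus the mismatched website address noted in the FedEx entry, can be checked mechanically. The sketch below is an added example, not code from the original article; the brand-to-domain table, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Area codes the article lists for the recent batch of scam texts.
# They are ordinary area codes, so a match is a weak signal on its own.
FLAGGED_AREA_CODES = {"917", "765", "646", "470", "347", "332"}

# Assumption: brand-name pattern -> domains that brand really uses.
BRANDS = {
    "amazon": (r"amazon", {"amazon.com"}),
    "usps": (r"\busps\b", {"usps.com"}),
    "fedex": (r"fedex", {"fedex.com"}),
    "paypal": (r"paypal", {"paypal.com"}),
    "cashapp": (r"cash\s?app", {"cash.app"}),
}
URGENT = re.compile(r"\b(urgent|immediately|suspended|frozen|locked|pending)\b", re.I)
PAYMENT = re.compile(r"\b(payment (info|information|details)|card number|deposit)\b", re.I)
URL = re.compile(r"https?://[^\s,]+", re.I)


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def red_flags(sender, body):
    """Return the list of red flags a text message trips."""
    flags = []
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the US country code
    if len(digits) == 10 and digits[:3] in FLAGGED_AREA_CODES:
        flags.append("flagged_area_code")
    if URGENT.search(body):
        flags.append("urgent_language")
    if PAYMENT.search(body):
        flags.append("payment_request")
    hosts = [urlparse(u).hostname or "" for u in URL.findall(body)]
    for brand, (pattern, domains) in BRANDS.items():
        named = re.search(pattern, body, re.I)
        if named and any(not host_matches(h, domains) for h in hosts):
            flags.append("link_not_" + brand)
    return flags


# Constructed sample messages (reserved .example domains, 555 numbers).
SCAM = ("+1 (917) 555-0134",
        "FedEx: your package is pending. Confirm delivery immediately: "
        "http://fedex-delivery.example/confirm")
REAL = ("+1 (202) 555-0187",
        "FedEx: your package was delivered. Details: https://www.fedex.com/fedextrack")
```

The link check is the strongest of the four signals: a text that names a company but links to a host outside that company's own domain deserves suspicion even when nothing else about it looks wrong.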
I fell for one of these scams! What should I do next?
If you gave out your information to one of these scammers, it’s not the end of the world just yet. If you act fast, there are a few ways you can protect yourself, your money and your data. Here’s what you should do:
- If you gave out your payment information, call your bank or card issuer to let them know your card or account number was stolen. Ask them to mail you a new card and request that your old one be frozen. Make sure to ask that your account be monitored for fraud as well.
- If scammers already took money from you, tell your card issuer you were scammed. Ask if there are any fraud recovery options. Some financial institutions may be able to recover your lost money.
- Change any passwords you use for banking apps and set up two-factor authentication to prevent unauthorized logins.
- Check HaveIBeenPwned.com to see if any of your accounts were compromised in a data breach. Change the passwords for any compromised accounts.
You might be kicking yourself for getting tricked, but there’s a reason these scams keep popping up — they work. Most of the time, victims don’t even realize they’re getting scammed when it happens. Watch for the signs, and delete those texts!