By Mary Grlic
“Spam” is defined as uninvited and insignificant virtual messages that have been sent to a mass number of recipients. If you have an email address or a cell phone number, you’re no stranger to spam. And if you have a mailing address, we usually just call it “junk mail.” They sound identical, right? They’re not. Junk mail can be a nuisance, but the threat usually stops there. All you’re left with is the task of deciding how to dispose of it. (We recommend shredding + recycling!)
Spam, on the other hand, can be much more insidious. Some spam is just junk mail, but a lot of spam carries malware. Malware is a catch-all term for any kind of malicious software, and it usually enters your system by way of phishing. In this case, deception is what usually makes you click. When you believe a legitimate company has contacted you, you don’t always think twice before your finger or mouse hits that link.
We can all agree that spam is quite annoying and can make our inboxes, call lists and voicemails a mess. Many email providers and cell phone services can distinguish between legitimate and spam emails or calls. For example, on many smartphones, you might receive a call from “Spam Risk” or “Scam Likely,” rather than from just a random number. Email services like Gmail create a spam folder. Machine learning understands what messages are spam. This way, it’s easier to avoid such messages. More recently, however, spammers have started to target cell phone users by sending spam text messages. The difference? It becomes harder to filter, ignore, and block these text messages. Oftentimes, we call these texts “malspam,” or malicious spam. Let’s look at spam text messages and how you can avoid falling for any traps.
Spam Text Messages
Threat actors might try to target cell phone users by sending spam text messages. These messages often come from a computer and are sent using a fake email address instead of a phone number. However, some spam texts do come from phone numbers as well, which makes them look even more genuine. Scammers will often purchase branded short domains, which work just like regular domains to resemble legitimate companies. Brands use these domains to reflect their company name, tagline, products or services, and they use them for branded/custom short links across social media, in marketing messages and more.
These short links function the same way as “bitly” or “tinyurl” links but have a custom, branded appearance, making them look more trustworthy, one of the main reasons brands opt for them. In addition, they appear more aesthetically pleasing when compared to a long URL, not to mention they avoid truncation. Scammers will imitate these branded short domains and short links, to trick users into thinking they’re from the company itself.
The list of short domains is extensive and goes far beyond what you can purchase through GoDaddy. Take a look at this insane list of short domain extensions from iwantmyname.com, to see how far the imagination can go. As a side note, we love short domain extensions when they’re legit.
Spoofers love to pretend that they are any sort of legitimate company or source in order to scam individuals. They might “spoof” their identity and pretend to be credit card companies, banks, financial institutions, service providers, account services (e.g. Amazon, PayPal, Netflix), etc. Text message scams can come in a variety of forms, each asking you to take some sort of action that will likely put your cell phone, and personal and financial accounts, in danger.
Common Types of Malicious Spam Texts
Account Terminated or “Locked”
Some spam messages will require you to take action or else the company will “terminate” your account. A fake sender might disguise themselves as your bank, email provider, or other service provider. If you don’t click the link they send, or take the supposed steps they require, they claim that they’ll terminate your account and delete anything associated with it. Whenever this happens, whether it’s REAL, malicious or unknown, remember that accounts aren’t people. Accounts are opened and closed (“terminated”) all the time, so condition yourself to not panic when this happens. Oftentimes, you can work out any confusion with the company. If it is in fact malspam you encounter, you’ll be safer when you remember to think twice.
“Your password has successfully been changed. If this was not you, please click here.” When you think someone else has changed your login information, your first instinct might be to click on that link but don’t do it. Spam text messages might contain this message, stating the password to your bank account or some other account is at risk.
As a side note, we searched the web endlessly to see if “askciti.us” was a legitimate domain owned by Citibank, and it remains unclear, so we think it’s safe to assume that it’s fraudulent. When companies or brands utilize these types of alternative vanity domains, they’re typically reserved for specific landing pages, and there’s usually some place where they exist on the web, such as the brand’s website or social media pages (think of this like a history of evidence, meaning that if you Google it, something will come up somewhere). We could find no such thing.
“Redeem your Prize”
Some text messages will claim that you have a gift card, coupon, or some other sort of prize that you have to redeem before the time is up. Others might ask you to complete a survey to earn some cash prize or sum of money in rewards.
NOTE: Notice how the O’s in the “$100” in this text aren’t actual zeros/0’s but capital O’s. The characters are wider; that’s how you can tell. Odd details like this are telling because they’re so unusual. Real brands would never make this mistake. Scammers do this on purpose to keep a person or software from flagging the message.
Spam texts might tell you that you have a package on the way or a delivery that hasn’t yet shipped, even if you haven’t ordered anything. Then again, remember how easy it is to sometimes forget when you did order something. Shipping times vary and scammers, in general, are betting on your forgetfulness.
NOTE: Again, the text looks odd. In this case, this is an alternative font that’s being used to spell out “U S P S.” Fonts like this (“fancy text”) can be found on the web. There are various generators on the web. It’s also strange that “U S P S” has spaces to begin with (it shouldn’t). Why would this be? This is probably a tactic to prevent the text from being flagged as fraudulent.
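The two notes above describe tricks a filter can check for mechanically. The Python sketch below is an added example, not code from the original article or from any vendor: it flags a capital O used as a zero in a dollar amount, “fancy text” characters that fold back to plain letters, and brand names spelled with gaps between the letters. The brand list, signal names and sample messages are constructed for illustration.

```python
import re
import unicodedata

# Constructed watch list; a real filter would load the brands it protects.
BRANDS = ("USPS", "PAYPAL", "AMAZON", "NETFLIX")
SEP = r"[\s.\-_]*"  # characters wedged between the letters of a brand name
# A dollar amount holding at least one real digit and at least one letter O.
O_FOR_ZERO = re.compile(r"\$\s?(?=[\dOo]*\d)[\dOo]*[Oo][\dOo]*\b")

def styled_chars(text):
    """Non-ASCII characters that NFKC folds to plain ASCII letters or digits."""
    hits = []
    for ch in text:
        folded = unicodedata.normalize("NFKC", ch)
        if ord(ch) > 127 and folded.isascii() and folded.isalnum():
            hits.append(ch)
    return hits

def spaced_brands(text):
    """Brands written with separators between letters, e.g. 'U S P S'."""
    folded = unicodedata.normalize("NFKC", text)  # undo fancy fonts first
    found = []
    for brand in BRANDS:
        pattern = r"\b" + SEP.join(map(re.escape, brand)) + r"\b"
        matches = re.finditer(pattern, folded, re.IGNORECASE)
        # A match longer than the brand itself means separators were present.
        if any(len(m.group()) > len(brand) for m in matches):
            found.append(brand)
    return found

def inspect(message):
    """Return the evasion signals seen in one message (empty list = none)."""
    signals = []
    if O_FOR_ZERO.search(message):
        signals.append("letter-O-for-zero")
    if styled_chars(message):
        signals.append("styled-unicode")
    return signals + ["spaced-brand:" + b for b in spaced_brands(message)]

if __name__ == "__main__":
    # Constructed sample messages; the second spells USPS in math-bold letters.
    samples = [
        "Congrats! You won a $1OO gift card, claim it today",
        "\U0001D414 \U0001D412 \U0001D40F \U0001D412: your package is on hold",
        "USPS: delivery Tuesday, total $100.",
    ]
    for s in samples:
        print(inspect(s), ascii(s))
```

None of these signals proves fraud on its own; they are reasons to score a message as more suspicious, since legitimate senders rarely need any of them.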
And much more…
Above are just a few common examples of spam messages. They can vary greatly and there are many more types of spam texts that you could encounter. Perhaps a text will tell you to apply for a specific program, or ask you to verify a purchase made through your bank account. They come from different senders, which might be cell phone numbers or email addresses, and they often contain oddly specific messages with short links meant to trick you. It can be easy to fall for text spam messages, especially when they appear quite dire, and especially if they look aesthetically similar to something you would actually receive from a particular company or brand. However, protecting your cell phone from any suspicious activity is really important, so it’s wise to always be a skeptic when it comes to digital communications of any kind.
Some Tips for Avoiding Spam Text Messages
Many people are starting to realize the real danger of spam text messages as they are becoming more common. The term “spam text messages” has a high search volume itself, with 22,200 monthly searches. That’s even more than the average search volume for the keyword: “spam email.” Individuals have to try their best to avoid falling for spam messages, as they can jeopardize the security of your data. Think about it: if an outside attacker somehow gains access to your phone, everything could be at risk. Financial information, account passwords and credentials, photos, phone numbers, and so much more are at risk when you click a link in a fishy spam message. It’s critical to understand the possible consequences of spam messages and to take the right precautions to protect yourself and your data.
Analyze Who Sent the Message
When in doubt, do not click on suspicious links from any unknown sender(s). This doesn’t just pertain to text messages but goes for email and general internet use as well. These links can contain malware or viruses that will automatically deploy on your device. Check who sent the message. As mentioned earlier, spam texts are often from long and suspicious email addresses rather than actual cell phone numbers. But this isn’t always the case. With spam email, depending on your email provider, it might not be clear, at first, who even sent the message. You have to click the sender, or somewhere along those lines, to display the actual email address it came from.
Some spammers might actually use a phone number to send their messages, others will spoof a number entirely or fill out their Caller ID information to appear like they’re calling from a company they have no business representing. They might purchase a branded short domain to look even more legitimate, so it’s important to realize that messages can come in any form, from ANY sender.
Read the Message Carefully
Unfortunately, a lot of intuition comes with preventing scams from text messages. You’ll probably need to read the text message carefully to figure out if it’s a real text or not.
Resist Taking Action
Many spam messages require you to take action to prevent account termination, passcode changes, etc. Learn to spot the minute differences between a legitimate text and a spam text message to avoid bad situations.
When in Doubt, Call a Trustworthy Source
If you’re unsure whether or not you received a spam text message, call or contact a trusted number. For example, if your “bank” texts you that someone hacked your account, do not click anything they sent you. Instead, contact your bank to further clarify the situation. Make sure you do not call any numbers embedded in the spam message. Use verified information to contact a trusted individual, such as your broker or local bank. This way, you can resolve the issue with a reliable source.
Use a URL Safety Checker
If you must scratch the itch of curiosity, then please go to your computer and type the URL from your text message into a URL safety checker like this one from Trend Micro: Site Safety Center
There is one thing you should know about how these work, though. Usually, the domain must have already been submitted by someone else for it to be flagged. It’s possible that you’ll end up with a result that doesn’t make clear whether the site is safe. In that scenario, just assume that it’s a risk.
Do NOT Reply
It’s best to never reply to any spam messages. Sending “STOP” or “NO” will not prevent these spammers from trying to get in contact with you. Contrary to what you may think, it could do more harm than good, as the spammers now know your phone number is reachable and currently active. This gives them an incentive to send you more messages in the future. You might be put on a list that other spammers can access, which could make the issue even more unbearable.
Don’t Share or Publish Your Contact Information
One of the main reasons you’re getting spam text messages is because your number was available somewhere on the internet, at some time. Avoid sharing your phone number, email address, physical address and any other personal information. Companies often sell details like this to 3rd parties and from there, it can end up in anyone’s hands.
Save Numbers You’re Familiar With & Ignore the Rest
Unless it’s in your phone’s address book, don’t pick up. Save numbers you’re familiar with, including those of businesses you patronize, and ignore the rest. Whether it’s your bank, local pharmacy, or another merchant, take the time to program these numbers into your phone so that you don’t miss when they call, and so that you’re more prepared when you get calls from numbers you genuinely aren’t familiar with. This way, you never have to second guess yourself. Allow unknown numbers to go to voicemail. Many spammers won’t bother leaving a voicemail, or have simply chosen not to invest in software that allows them to do so.
How to Stay Safe From Spam
Spamming is a really common method that scammers use to get access to your information. This is not an issue specific to the digital world; scammers can spam you through the mail, in person, and more. It has become even easier through mediums like texting, emailing, and calling. Use your best judgment and the tips above to help prevent scams through spam.
One of our partners, Trend Micro, has created an all-in-one browser extension and mobile app for detecting scams, phishing attacks, malware, and dangerous links — and it’s completely FREE! There are no ads or in-app purchases. Nice, right? Trend Micro Check is available on Safari, Google Chrome and Microsoft Edge, as well as on iOS and Android operating systems.