There has been a increase in targeted social engineering scams occurring over text message. The attacker will gain your phone number and name, which isn’t hard to do in today’s social media driven society. Think about anybody in sales or people that run a business and leave their contact information for support. Its super easy to scrap webpages for contact information. Once the attacker has your contact information, they will pick a theme such as you winning something or offering you something, which to claim you must click a link. The message will state your first name as if they know you and sometimes provide a fake order or survey number with the hope of looking legit. For example, you could see “Costco: Bob, the code 62345 printed on your receipt from 29 came in first in our iPad draw: LINK“, which the LINK would be a tiny URL masking where you would be sent if you click the link. Remember that clicking these links is the same as going to a malicious website on your computer. The attacker hopes you are more vulnerable through a text message based attack.
If you click the link within one of these emails, you will be taken to either a website that attempts to exploit your mobile device or you will be asked to fill out some information. Filling out information is harvested for further exploitation such as stealing your social security number, passwords, etc. My advise is to NEVER click a link that you don’t absolutely trust the resource. Instead, open a web browser and go directly to the resource. For example, if a bank says your account has been compromised and offers a link to take you to the reset page, do NOT click the link. Open a web browser, go to the banks website and see if you have any warning messages within your mail. This is a classic attack that has spread to the mobile device world.
Costco is just one of the many covers used for these attacks. If you go to Costco’s spam warning page found HERE, you find many examples of these attacks. Below are a few examples of these fake messages. In short, be mindful these scams exist, question any text message that offers you something or asks you for something and never click a hyperlink. Instead, go directly to the source and validate if the message seen is real.