The Federal Communications Commission (FCC) warned about a “substantial increase” in robotext scams via automated smishing attacks.
These attacks involve unsolicited and automated text messages impersonating entities such as government agencies or familiar businesses.
Early this year, the Better Business Bureau (BBB) also warned about “wrong number” text scams from chatbots.
Robotext scams make “false but believable claims” to put you on edge.
The FCC noted that unwanted text messages include false but believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions.
According to the Federal Trade Commission, Amazon is the most impersonated brand in smishing attacks. Apple, Chase, Bank of America, Citigroup, and Wells Fargo are also common in robotext scams.
Some malicious SMSs may also contain links aimed at stealing personal information for use in subsequent attacks or sale to other threat actors. Cybercriminals such as FluBot operators also leveraged smishing attacks to spread malware.
The attackers also steal people’s finances by tricking them into logging on to fake banking websites or parcel delivery services.
“Some recipients have been pressured to ‘login’ to a fake bank web site to verify a purchase or unlock a credit card that was frozen. Others use package delivery updates as phishing bait,” the FCC alert stated.
The FCC says complaints about unwanted texts increased from 5,700 in 2019 to 15,300 in 2021, with 8,500 in just the first half of 2022.
According to the 2022 United States Spam Text Trends report by RoboKiller, Americans received over 12 billion robotexts in July 2022, an average of 44 spam texts per person.
The FTC reported that Americans lost $137 million in 2021 to text scams, with the median amount being $1,000.
“Cybercriminals are increasingly using text messages as a method to bypass the security controls typically implemented in email and other communication systems,” Josh Yavor, chief information security officer at Tessian, said.
Yavor added that text messages were more dangerous than email because they lack basic protections present in the latter.
“With email, people have a better chance to identify that a sender or email address is illegitimate, but that is much more difficult with short codes and spoofed numbers on SMS.”
He advises recipients to call or log in directly to companies’ portals instead of responding to text messages or clicking on links.
“It’s imperative to always establish trust outside the SMS conversation and remember that legitimate organizations would never give an ultimatum (like call back in 12 hours or else) or ask for financial details or passwords over text.”
FCC guidelines on robotext scams and smishing attacks
The agency recommended safety measures to protect against robotext scams from automated smishing attacks.
- Avoid responding to unsolicited text messages even with the word “STOP” or “NO.”
- Do not click on any links included in such SMSs. If your contact sends a link via text, confirm that they have not been hacked.
- Avoid sending sensitive information via text messages.
- Confirm companies’ numbers online and call them when necessary.
- Report texting scam messages to SPAM (7726) and file a complaint with the FCC.
- Check for misspellings and text messages from email addresses.
- Always remember that government organizations do not contact people via text messages.
- Delete all malicious texts from your phone.
- Update your device’s operating system and security apps.
- Review companies’ SMS opt-out policies.
- Consider installing anti-malware software.
- Review your mobile phone’s text blocking tools, third-party apps, and network operator’s text blocking services.
According to the FCC, text messages in smishing attacks have common characteristics such as unknown numbers, misleading information, mysterious links, sales pitches, and incomplete information.
FCC’s proposed actions on robotext scams and smishing attacks
The FCC has proposed regulations requiring text messaging service providers to block messages used in robotext scams and apply caller-ID authentication technology to text messages.
Additionally, the agency proposed prohibiting automated messages to recipients unless they have explicitly consented or the messages are for emergency services. The FCC will also give service providers authority to block non-compliant text messages and seeks enforcement actions for breach of robotext regulations.
Consequently, the FCC seeks to partner with state Attorneys General to coordinate investigations aimed at combating robotext scams and smishing attacks.