Note: I have heard rumors that the "package is waiting" email is related to human trafficking. It is not. It is just a phishing scam.
The most recent chapter in the history of SMS phishing scams, aka "smishing," is the saga of the fake Apple iPhone 12 giveaway.
Sophos' Paul Ducklin, an authority on information security, recently wrote about this phishing scam on his company's Naked Security blog. It appears that someone on the Sophos team received a text message saying that a package addressed to them (actually to someone with a different name) was waiting for delivery.
Ducklin walks the reader through the con step by step: clicking the link in the SMS, landing on a website where a fake chatbot announces that you have won a free Apple iPhone 12, answering a survey, and finally "claiming" the iPhone, explaining at each stage how the scam works.
But of course, you must first provide an email address, password, and credit card number. And of course, the iPhone 12 does not yet officially exist. It will likely be announced by Apple in mid-October.
Sound familiar? We have received these emails along with many others touting fake Viagra and CBD oil. In fact, the screenshot on this page is not from Sophos, but from your correspondent's own cell phone. (Our particular scammer seemed unable to decide whether we were getting an iPhone 11, 11 Pro, or Xs.)
The lure of a new iPhone is not so appealing to me as an Android fan, but it is a fun little exercise to step through this con. After all, this is nothing more than a phishing scam to steal your username, password, and credit card information.
You may be wondering which online service the username and password are for. The answer is that it doesn't matter.
With so many people (yes, we've all done it) reusing passwords for so many different websites, almost any username and password combination is bound to be useful to the scammers. To avoid becoming the latest victim, make sure you use the best password manager available.
These bad guys feed phished credentials into automated "credential stuffing" tools that try thousands of username and password pairs per hour against websites like Facebook, Google, and PayPal, and more than a few of those attempts will succeed.
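Seen from the defender's side, that credential-stuffing traffic has a recognisable shape: one source hammering many different accounts with mostly failed logins in a short window. The following Python is an added example written for this page (not code from Sophos or the article); the log line format, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one source cycles through
# six accounts in five seconds, while a legitimate user mistypes twice.
SAMPLE_LOG = """\
2020-10-01T12:00:01Z login_failed ip=203.0.113.7 user=alice
2020-10-01T12:00:02Z login_failed ip=203.0.113.7 user=bob
2020-10-01T12:00:03Z login_failed ip=203.0.113.7 user=carol
2020-10-01T12:00:04Z login_ok     ip=203.0.113.7 user=dave
2020-10-01T12:00:05Z login_failed ip=203.0.113.7 user=erin
2020-10-01T12:00:06Z login_failed ip=203.0.113.7 user=frank
2020-10-01T12:00:10Z login_failed ip=198.51.100.4 user=alice
2020-10-01T12:00:20Z login_failed ip=198.51.100.4 user=alice
2020-10-01T12:00:30Z login_ok     ip=198.51.100.4 user=alice
"""

# Assumed line layout: "<ISO timestamp> <event> ip=<addr> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_\w+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)$")

def parse_log(text):
    """Yield (timestamp, ip, user, failed) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["event"] == "login_failed"

def detect_stuffing(text, window=timedelta(minutes=1), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source that,
    inside some sliding window, hits >= min_users accounts with a high failure rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, failed in parse_log(text):
        by_ip[ip].append((ts, user, failed))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            # extend the window to cover every event within `window` of the start
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            chunk = events[start:end]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, f in chunk if f)
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                flagged[ip] = (len(users), len(chunk), failures)
                break  # one qualifying window is enough to flag this source
    return flagged
```

The single user retrying from 198.51.100.4 is not flagged, because the distinct-account count, not the failure count alone, is what separates stuffing from a forgotten password.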
So how can we protect ourselves from such (frankly obvious) scams? First, if it sounds too good to be true, it definitely is.
Second, never give out your password or credit card number to any website you visit via text message or instant message. Would you give the same information to a stranger who stopped you on the street?
Unfortunately, you can't really stop these scam texts. The numbers they are sent from are not real ones, so blocking them does nothing. All you can do is not respond and hope the scammers move on to other targets.