Smishing (zitadel.ch)
45 points by mffap on May 11, 2022 | hide | past | favorite | 31 comments


To the puzzled: 'Smishing' = 'SMS' ∩ 'phishing'

> Signs that you are getting "Smished": [...] when you receive a message from bigger service providers, (f.e. banks, post offices, or delivery services) they will mostly have their company names displayed instead of their numbers

The formulation in the article may lead to a very bad advice: in some areas, scammers do display a "company name", regularly. So: a numeric sender string increases the chances of the SMS being a scam; an alphanumeric sender string /does not/ decrease the chances of the SMS being a scam.


This is odd and completely counter to my own anecdotal experience. SMS messages from large companies I interact with (my bank, cell phone provider) always come from fairly static short codes.

The elephant in the room here is that SMS is not a medium where integrity or authenticity of a message can be guaranteed—which is one of the big reasons it’s such a popular medium for phishing.


Methinks your gut is leading you correctly.

Generally speaking, there are short codes, and long codes. Sometimes alphanumerics are allowed, but the rules vary regionally.

Long codes resemble traditional phone numbers and tend to be treated as more disposable, low volume, and person-to-person. As such, they are typically easier to spoof with.

Short codes tend to be more like car license plates: short random/vanity codes that require a more in-depth process to get access to. Their ownership is easier to verify, they are suited for higher volume messaging, and they tend to be backed by automation systems that respond to a set of automated commands like "HELP". These qualities make them less likely to be used for nefarious purposes.

It's definitely a topic I'd love to understand more. Any corrections/additions are very much welcome!


> This is odd and completely counter to my own anecdotal experience. SMS messages from large companies I interact with (My bank, cell phone provider) always come from fairly static short codes

And what do those which come from scammers look like? In some areas, they are identical to those from the «large companies».


I believe we’re making the same point from different angles:

I’m pointing out that companies I work with don’t exhibit easily identifiable characteristics to verify authenticity.

You (correct me if I’m wrong) are stating that bad actors will craft messages that look like legitimate ones.

In either case, we end up in a place where I would be unable to determine if a message is legitimate barring further out of band confirmation.


> The formulation in the article may lead to a very bad advice: in some areas, scammers do display a "company name", regularly. So: a numeric sender string increases the chances of the SMS being a scam; an alphanumeric sender string /does not/ decrease the chances of the SMS being a scam.

Just curious, which part of the text did you understand this way?

If I had to guess, it could be this part:

> The number of the sender and that of the service provider they claim to be, do not match. Moreover, when you receive a message from bigger service providers, (f.e. banks, post offices, or delivery services) they will mostly have their company names displayed instead of their numbers.

As I understand it, the article suggests that you still should compare the numbers even if only a name is displayed? But yeah your explanation is still on point.


> which part of the text

Well, there is a big image below, visually more impactive than the pasted paragraph, that goes "Messages from bigger services #do not# display their numbers". Yes, but neither do scammers.

You are trying to discriminate legitimate entities L from impersonators L̅ through properties P, and especially define ways to identify L̅. You state that P(L), but that says nothing of L̅. And in fact, it is P(L̅) also - logical exhaustion.

Logically the sentence works, because it implies "If messages display their numbers, they are not from bigger services". But in terms of effectiveness in communication, if put in the context of "how to recognize a scammer", the original may be misleading - because there (see the picture) you are focusing on the alphanumeric, not on the number, and the alphanumeric is not a criterion - the number is.

The intention was to state "do not trust numbers". But in that context it is important to stress "do not trust alphanumericals either".


I always wondered how that worked. How does Apple know to display a company name instead of the "small numbers that are not actual phone numbers" (IIRC they are called Large Accounts)?


Nothing to do with Apple or software. The GSM protocol and upwards support alphanumeric SMS originators.
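The comment above is right that the displayed name comes from the protocol, not the handset software: the originator is a field in the SMS-DELIVER PDU. The following is an added example (not code from the article or from this thread) that encodes and decodes that field, TP-Originating-Address, as laid out in 3GPP TS 23.040 (the former GSM 03.40), using the 7-bit default alphabet of TS 23.038 for alphanumeric originators. The sender names and numbers are constructed, and the code assumes sender names only use characters whose 7-bit code equals their ASCII code (letters, digits, space). The point it shows: "YOURBANK" in the From line is just the bytes the submitter put into this field, and the phone displays whatever decodes from them.

```python
"""Encode/decode the TP-Originating-Address (TP-OA) field of a GSM SMS-DELIVER
PDU (3GPP TS 23.040). Added example, not code from the article or the thread."""
import string

# Type-of-Number values (bits 6..4 of the Type-of-Address octet)
TON_UNKNOWN, TON_INTERNATIONAL, TON_ALPHANUMERIC = 0b000, 0b001, 0b101
NPI_UNKNOWN, NPI_ISDN = 0b0000, 0b0001
BCD_DIGITS = "0123456789*#abc"  # semi-octet values; 0xF is the odd-length filler

# Assumption for this example: sender names only use characters whose
# TS 23.038 7-bit code equals their ASCII code (letters, digits, space).
GSM7_ASCII_SUBSET = set(string.ascii_letters + string.digits + " ")


def gsm7_pack(text: str) -> bytes:
    """Pack septets LSB-first: septet i occupies bits 7i..7i+6 of the bit stream."""
    bits = 0
    for i, ch in enumerate(text):
        if ch not in GSM7_ASCII_SUBSET:
            raise ValueError(f"character {ch!r} not in the supported subset")
        bits |= ord(ch) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")


def gsm7_unpack(data: bytes, nsept: int) -> str:
    """Inverse of gsm7_pack for the first nsept septets of data."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(nsept))


def build_tp_oa(sender: str) -> bytes:
    """Build Address-Length | Type-of-Address | Address-Value for a sender string."""
    if sender.startswith("+") and sender[1:].isdigit():
        ton, npi, digits = TON_INTERNATIONAL, NPI_ISDN, sender[1:]
    elif sender.isdigit():
        ton, npi, digits = TON_UNKNOWN, NPI_ISDN, sender
    else:
        ton, npi, digits = TON_ALPHANUMERIC, NPI_UNKNOWN, None
    toa = 0x80 | (ton << 4) | npi
    if ton == TON_ALPHANUMERIC:
        value = gsm7_pack(sender)
        length = (7 * len(sender) + 3) // 4      # useful semi-octets, rounded up
    else:
        nibbles = [int(d) for d in digits]
        if len(nibbles) % 2:
            nibbles.append(0xF)                   # filler for an odd digit count
        value = bytes((hi << 4) | lo for lo, hi in zip(nibbles[0::2], nibbles[1::2]))
        length = len(digits)
    return bytes([length, toa]) + value


def parse_tp_oa(data: bytes) -> dict:
    """Decode TP-OA at the start of data; 'address' is what the handset would show."""
    if len(data) < 2:
        raise ValueError("truncated TP-OA header")
    length, toa = data[0], data[1]
    ton = (toa >> 4) & 0b111
    nbytes = (length + 1) // 2
    value = data[2:2 + nbytes]
    if len(value) < nbytes:
        raise ValueError("truncated TP-OA value")
    if ton == TON_ALPHANUMERIC:
        kind, address = "alphanumeric", gsm7_unpack(value, (length * 4) // 7)
    else:
        nibbles = [n for b in value for n in (b & 0xF, b >> 4)][:length]
        address = "".join(BCD_DIGITS[n] for n in nibbles if n != 0xF)
        if ton == TON_INTERNATIONAL:
            address = "+" + address
        kind = "numeric"
    return {"kind": kind, "ton": ton, "address": address, "consumed": 2 + nbytes}


if __name__ == "__main__":
    # Constructed senders: a short code, an international long code, and a
    # brand-looking alphanumeric originator that anyone can put into the field.
    for sender in ("1234", "+41791234567", "YOURBANK"):
        encoded = build_tp_oa(sender)
        print(f"{sender:>14} -> {encoded.hex().upper():<22} {parse_tp_oa(encoded)}")
```

A PDU as delivered to the handset starts with the SMSC address and the first octet (message type, flags) before TP-OA, so pass the slice from TP-OA onward. Whether an aggregator lets a customer submit an arbitrary alphanumeric originator is a contractual and regulatory matter that differs by country, which is why the thread is right to warn against treating a displayed name as proof of who sent the message.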


Thanks for the feedback. That's true, it is not a single indication.


> As software capable of zero-click exploit, Pegasus requires no user interaction to operate: ... As a result of a simple click on the URL, the spyware was granted unlimited access to every information stored on the iPhone.

That's a one-click exploit, no?

Pegasus has demonstrated zero-click exploits (e.g. PDF embedded in GIF), but this is not one.

edit: the provided CitizenLab link [0] describes two classes of attacks, "zero-click exploits and malicious SMSes". Looks like the author conflated the two?

[0] https://citizenlab.ca/2022/04/catalangate-extensive-mercenar...


I'm not sure it's one-click. Visiting a page isn't exactly "clicking" - I'd expect a "click" in this sense to be like a browser asking "are you sure?" and you clicking through, or "play video".

But it's not super clear cut. Like, let's say you had to open up a message on your phone for the exploit to work - you clicked the message, right? idk


I'd say it is one-click when compared to older MMS exploits where just receiving the message would activate the exploit.


Yeah, fair


> The number of the sender and that of the service provider they claim to be, do not match.

Don't forget that the caller ID here can be spoofed. It's best to disregard it completely.

One of the infographics in the article suggests looking up the number of the text, which I'd suggest is actively harmful advice - it gives you zero information and risks lulling people into a false sense of security. Assume that all texts are from scammers and act accordingly.
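To make the point of the last few comments concrete (the sender string, numeric or alphanumeric, is not a criterion; the link and the demand are), here is an added example, not from the article or from this thread, that triages SMS text by content alone and carries the sender ID through for reporting only. The brand allowlist, the domain names and the sample messages are constructed for illustration, and the `registered_domain` helper is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
"""Content-only triage of SMS text. The sender ID is never scored, because both
numeric and alphanumeric originators are set by whoever submits the message.
Added example; not from the article or the thread."""
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand keyword -> domains the brand actually uses.
BRAND_DOMAINS = {"yourbank": {"yourbank.example"}}

URGENCY_WORDS = ("suspended", "immediately", "verify now", "unpaid", "last warning")

URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+"                   # scheme or www. prefix
    r"|\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+/\S*",     # bare host with a path
    re.IGNORECASE,
)


def extract_urls(text: str) -> list[str]:
    """Return every URL-looking token, with trailing punctuation removed."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text)]


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    # Simplification: last two labels. Production code should use the Public Suffix List.
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(sender_id: str, text: str) -> dict:
    """Return a verdict and the findings behind it. sender_id is reported, not scored."""
    findings = []
    lowered = text.lower()
    urls = extract_urls(text)
    if urls:
        findings.append("contains link")
    for url in urls:
        host = host_of(url)
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode label in {host}")
        rd = registered_domain(host)
        for brand, domains in BRAND_DOMAINS.items():
            mentioned = brand in lowered or brand in host.replace("-", "")
            if mentioned and rd not in domains:
                findings.append(f"mentions {brand} but link goes to {rd}")
    findings += [f"pressure: {w!r}" for w in URGENCY_WORDS if w in lowered]
    if urls:
        verdict = "suspicious"
    elif findings:
        verdict = "caution"
    else:
        verdict = "ok"
    return {"sender_id": sender_id, "verdict": verdict, "findings": findings}


# Constructed sample messages. The first two share the same alphanumeric sender.
SAMPLES = [
    ("YOURBANK", "Your YourBank login code is 482913. We never ask for it by phone or link."),
    ("YOURBANK", "YourBank: your account is suspended. Verify now at https://yourbank.secure-login.example/verify"),
    ("+41790000000", "Parcel 7731 could not be delivered. Pay the unpaid fee: http://xn--yourbnk-9ya.example/pay"),
]


def run_samples() -> list[dict]:
    return [triage(sender, text) for sender, text in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result["sender_id"], result["verdict"], result["findings"])
```

The first two samples carry the same alphanumeric sender and get opposite verdicts; nothing in the result depends on the sender field. The rules are the minimum a practitioner would check: any link at all, a brand name pointing at a domain the brand does not own, punycode labels, and pressure language.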


Reminds me of the time in high school when I would send my teacher an email from the principal to come see them immediately. The teacher would sit down at their computer and a few minutes later leave the class for about 10-15 minutes. The SMTP server totally trusted every device on the network and worked without any authentication whatsoever.

Ah, the joys of the early internet.


Haha or the good old netsend fun on school pcs ;-)


exactly.

Best practice is to not click on any link in an SMS/WhatsApp. I don't recall any useful link sent by SMS. Whenever it is important it is always a warning telling you to connect yourself via the official app/website, eventually using the token/parcel code/identifier sent in the actual SMS.


Yes and to add: if an SMS’ sender ID successfully spoofs another number, the message would appear threaded into an existing “legitimate” conversation.


It would be great if a section about BEC [0] was included. At $WORK we see a lot of "Smishes" that pretend to be our CEO/CTO that ask for the user to send them money. E.g. "Hello it's $CEO, I'm in a meeting currently and need your help. Can you send me 300 dollars in apple gift cards?"

[0] https://www.fbi.gov/scams-and-safety/common-scams-and-crimes...


I know this sounds cold, but I feel like some of these scams are really just a stupidity tax. How do people operate in the outside world if they believe that the CEO would be hitting them up for gift cards?


It's all about spray and pray aka sending volume.

We had a saleswoman fall for it. The email, claiming to be from our CEO, said he was at a conference and needed her to go out and buy 10 $100 Visa gift cards and send him the numbers because he wanted to use them as giveaways.

The issue is that our CEO actually WAS at a conference on that day!

She actually went to the closest CVS and bought them, and thankfully mentioned something about it to me when she got back. I paused for a moment and then was like, wait a second, how did you hear about this request? Email only? So I called our CEO to confirm. I was able to go back to CVS and get them all refunded, and the scammer got nothing.

But, that being said, I can see how people fall for it. Employee and user training and awareness are key to prevent these types of things.


It is cold. And I think it's harmful to infer that the people that fall for these are stupid. It does nothing to help the situation.

If the prevailing thought is that you're stupid for falling for a scam, then the victim is less likely to share and inform, and then education does not spread. All it does is make them feel awful, which is not helpful and just even more hurtful.

I think we have to come at it from the angle of the scammers are tactical and that it's okay if you are a victim. It sucks, of course, but no blame necessary on the victim.

I know someone who got a similar message from her priest asking for gift cards. The scammer got a hold of the church directory and used that to send out messages. The person thought she was doing a favor for her priest and wanted to help; it is not her fault that the red flags weren't as strong as they should've been. Not everyone operates on suspicion mode.

I know another who was almost a victim of the sobbing phone call: "Grandpa, I'm in jail! Please send me bail. Also don't tell anyone!"

These types of scams target emotions and kindness. That's how these people operate in the real world. It's not that these people are stupid, it's more that they are unaware and not sensitive to the red flags.


I agree with you, but you might not be aware of some of the crap that happens in small companies with certain kinds of CEOs and salespeople. Others too, but the public-facing staff are always the problems.

The harried assistants and lower-level functionaries in those companies regularly field requests like "I'm in a sales meeting/airport terminal/Dunkin Donuts and need to demo something, and I need you to do something stupid the wrong way".

So, it's a stupidity tax indeed, and even on the right people (CEO), but it's the assistants who get blamed and/or feel responsible.

Even at bigger and well-run companies, the assistants have stories that would shock you. CEO-speak can often tend toward illiterate and nonsensical, and their requests unreasonable -- even if they can be interpreted correctly. In contrast, COOs and CFOs are pretty reliable. And CTOs run the gamut, I'm sorry to say. :)


It's definitely a stupidity tax. I don't think our world is very hard to operate in though...

George Carlin said "think of how stupid the average person is, then realize that half of them are stupider than that" https://www.youtube.com/watch?v=AKN1Q5SjbeI


What are the consequences of what you're saying? Is it better if these scams mostly affect stupid people? Should we care less about what's happening to stupid people?


Anything that has anything to do with the cellular network is irredeemably broken and should be avoided.


It's one thing to smish a man, but it's even better if you can teach him how to smish.


> In many cases, simply clicking the provided link can initiate a download process of viruses or malware

I imagine some payloads use JavaScript to infect a device upon clicking. They probably target Chrome, or god forbid the Samsung Internet browser. If you wanted to see the payload, just open the link in a secure sandbox environment and view the source. Congratulations to them, they just allowed you to see their 0day in the wild, and it's no longer a 0day.


I disagree that so many things in tech need to be intentional spoonerisms.

It's still "phishing" to me no matter what the medium.




