This week, a new wave of fraudulent text messages hit many of our phones. If you are a Verizon customer, there is a high likelihood that you received what is known as a smishing text. The term "smishing" combines the words SMS (Short Message Service, better known as texting) and phishing.

Smishing isn't new, and it's not only found on Verizon customer phones. What is new is that this week's attack spoofed the sender so that the text appeared to come from your own phone number.

Apple users can legitimately send themselves a text message from another Apple device. If you text your iPhone from your iPad, the text will appear on your phone with the sender set as your own phone number. This week's smishing scam used this tactic fraudulently in a way we've never seen before.

Verizon customers received text messages that appeared as if they themselves had sent the messages from their own phones to themselves. But the messages actually came from scammers.

The smishing texts contained language that appeared to be legitimate marketing from Verizon, with a short link attached, like the one pictured below:

 

[Image: iPhone with smishing text]
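The pattern described above (a text whose sender is your own number and which carries a link) can be checked mechanically. The following is an added example, not part of the original article: the message record layout, the function names, the phone numbers and the `.example` hosts are all constructed for illustration.

```python
import re

# Matches http(s) links and bare "host.tld/path" links as they appear in SMS bodies.
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S+", re.I)

OWN_NUMBER = "555-555-0142"  # constructed; 555-01xx is a reserved fictional range

# Constructed sample inbox records (assumed layout: id, sender, body).
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "+1 (555) 555-0142",
     "body": "Verizon: thanks for your payment. Claim your reward: vz-reward.example/a1b2"},
    {"id": 2, "sender": "5555550142", "body": "Note to self: pick up milk."},
    {"id": 3, "sender": "+15555550199",
     "body": "Your package is waiting: https://parcel.example/track"},
]

def normalize_number(raw, default_country="1"):
    """Reduce a number to digits so '+1 (555) 555-0142' equals '555-555-0142'."""
    digits = re.sub(r"\D", "", raw)
    return default_country + digits if len(digits) == 10 else digits

def triage(msg, own_number, brand_terms=("verizon",)):
    """Return the signals found in one inbound message, in a fixed order."""
    reasons = []
    if normalize_number(msg["sender"]) == normalize_number(own_number):
        reasons.append("sender-is-own-number")
    if URL_RE.search(msg["body"]):
        reasons.append("contains-link")
    if any(term in msg["body"].lower() for term in brand_terms):
        reasons.append("carrier-brand-lure")
    return reasons

def is_suspicious(msg, own_number):
    """Flag the combination the article describes: own number as sender plus a link.

    A note you really sent yourself with a link in it will also match, so treat
    a hit as 'verify before clicking', not as proof of fraud.
    """
    reasons = triage(msg, own_number)
    return "sender-is-own-number" in reasons and "contains-link" in reasons

def flagged_ids(messages, own_number):
    """IDs of the messages that need verification before anyone clicks."""
    return [m["id"] for m in messages if is_suspicious(m, own_number)]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], triage(m, OWN_NUMBER), is_suspicious(m, OWN_NUMBER))
```

Message 3 is left unflagged on purpose: this check covers only the self-sender variant, so links from unknown senders still need the manual checks listed later in the article.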

If you were to click on the link, there are typically three things that threat actors want from you:

  • Your user credentials (bank account, work accounts, etc.)
  • For you to download malware or other malicious software
  • For you to send them money

If you clicked on one of these smishing links, here are some examples of the pages it would send you to in order to get you to follow through on one of the actions listed above.

One link led to a fake Verizon Customer Survey, promising a basically free Apple Watch or MacBook Pro:

[Image: scam survey]

Another link sent to Verizon customers in the smishing scam would take you to a fake smartwatch checkout page that blatantly steals your credit card information:

[Image: scam smart watch checkout]

[Image: scammer credit card details]

Many of the smishing links from this week's attack are back-linked to Russian state-sponsored media websites:

[Image: back-link to Russian state media]

So, what can you do to protect yourself from smishing scams like the one Verizon customers faced this week?

To start, keep the following in mind:

  • Don't click links in any messages from unknown contacts that you cannot verify are legitimate.
  • Don't respond to any messages from unknown contacts, including advertising that asks you to type out "STOP" to quit receiving these messages. That is a tactic used by threat actors to determine if you will engage with them.
  • Do delete any message that you can't validate is legitimate.
  • Do keep your devices and apps up to date with software updates and App Store or Google Play store updates.
  • When in doubt, reach out to your IT team or MSP (managed services provider) to determine if something is legitimate.

Awareness and caution are our greatest tools to ensure safety on our devices. While it is upsetting to see this behavior continue to impact more and more of our devices, we must be vigilant to do the right thing: Check before you click, and call if you can't confirm!