While we are all aware that the internet can be a dangerous place, our cell phones often feel incredibly personal to us, with text messaging being used generally only between friends and family.

However, just as businesses and other organizations such as doctors’ surgeries, energy providers and pharmacies have been making use of text messaging to contact customers, so too have hackers broadened their approach to include fraudulent texts and phishing scams that come directly to your cell phone.

Why would someone try to phish your phone?

Ultimately the goal with phone phishing is the same as any other hacking or scamming activity, which is to steal your money or your information.

The end goal is to access your online accounts to facilitate further attacks or fraud. For example, a scammer could access your email account and then use this to reset passwords and gain access to your PayPal or social media accounts.

A hacker could also use your iCloud or Google accounts to gain access to a complete copy of your phone if you back up to the cloud. This would provide them with passwords, personal information, photos, text history, location mapping history and more.

This all sounds very scary, but it is important to remember that if you configure your phone correctly it should be secure. If your configuration and security measures are up to date, phishing is often the only option for hackers to get into your phone, meaning that you have to click a link and enter some information to give them access. In this instance it is reassuring to know that proper vigilance and care can protect you from these scams.

What do fraudulent text messages look like?

Unfortunately, unless you look very closely, some scam text messages will look remarkably similar to a genuine message. For this reason, it is important to always be vigilant.

A typical phishing scam could be a threat or a warning that your account has been locked or that there has been suspicious activity on your account. A link is then provided to log in and restore your access. Another common theme is an offer, competition win, or coupon followed by a link to ‘claim your prize’ or claim a tax rebate.

There have been a number of scams reported in the last few weeks with some text scams impersonating US government agencies. The FCC has warned of a text scam claiming to be from the “FCC Financial Care Center” and offering $30,000 in COVID-19 relief, but there is no FCC program to provide relief funds to consumers. The text is likely a phishing attempt to get banking or other personal information from its victims.

Another fraudulent text begins with “IRS COVID-19 News” and includes a link and instructions for recipients “to register/update your information in order to receive the economic impact payment regardless of your status.” The link points to a website designed to look like the IRS’s and asks for identifying information, including date of birth, social security number and filing status. Ultimately, it requests a debit or credit card number to “verify your identity.”

Example COVID-19 phishing text message

How to spot phishing via text

This is not an exhaustive list but some red flags to look out for are:

  • An unknown number, overseas number or blocked number, or any others that appear suspicious.
  • An email address, or link domain that doesn’t follow the regular pattern. For example, if the message claims to be from ACME Inc, but the link is “http://jtdf3iu333.biz” then this could be an indicator of phishing.
  • Spelling or grammar mistakes.
  • Peculiar fonts.
  • Anything that makes you feel pressured to share any information or make a payment immediately.
  • Scammers often spoof phone numbers to trick you into answering or responding. If the number seems genuine but the content of the message or call is suspicious, ignore the message or hang up the phone.
  • Do not click any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren’t hacked.
  • Always check on a charity (for example, by calling or looking at its actual website) before donating.
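
Several of these red flags can be checked mechanically, which is roughly what a filtering app does. The sketch below is an added example, not code from any of the apps named in this article; the domain list, keyword lists and sample messages are assumptions constructed for illustration. It compares link hosts by suffix rather than substring, so a look-alike such as `irs.gov.refund-check.example` is still flagged.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the domains each organisation really uses.
# "acme.example" is a placeholder; irs.gov and fcc.gov are the agencies' real sites.
KNOWN_DOMAINS = {"acme": {"acme.example"}, "irs": {"irs.gov"}, "fcc": {"fcc.gov"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PRESSURE = ("immediately", "locked", "suspended", "suspicious activity", "urgent")
BAIT = ("claim your prize", "you have won", "rebate", "relief", "coupon")
ASKS = ("verify your identity", "update your information", "card number",
        "password", "security code", "log in")

def host_matches(host, domains):
    """True only if host is a listed domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(text):
    """Return the red flags found in one text message body."""
    lower = text.lower()
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    hosts = [urlparse(u).hostname or "" for u in urls]
    flags = []
    for brand, domains in KNOWN_DOMAINS.items():
        # Flag a message that names an organisation but links somewhere else.
        named = re.search(rf"\b{re.escape(brand)}\b", lower)
        if named and any(not host_matches(h, domains) for h in hosts):
            flags.append(f"link-domain-mismatch:{brand}")
    if any(p in lower for p in PRESSURE):
        flags.append("pressure")
    if any(b in lower for b in BAIT):
        flags.append("too-good-to-be-true")
    if any(a in lower for a in ASKS):
        flags.append("asks-for-personal-info")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = [
    "ACME Inc: your account has been locked. Log in at http://jtdf3iu333.biz to restore access.",
    "IRS COVID-19 News: update your information at https://irs.gov.refund-check.example/claim to receive your payment.",
    "Your ACME order has shipped. Track it at https://www.acme.example/track/123.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(red_flags(sample), "<-", sample)
```

An empty result only means none of these particular checks fired; it does not show that a message is genuine.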

What to do if you receive a text message that you think might be a scam

If you receive a text with a link, it is vitally important that you do not click on the link without first assessing the message carefully to see if it is genuine. If the message comes from a number or an email address that seems suspicious or doesn’t follow a regular format, or if the message is asking you for payment, it is likely to be a scam.

Never share your personal or financial information via email, text messages, or over the phone.

Many organizations, including the government, will have a statement on their website regarding these phishing messages, stating that they will never ask you to confirm your payment or personal information in a text message. They will often also have a process in place for reporting scammers who are purporting to be from their organization. Make use of these resources if you can, to report a scam or verify a message that you are suspicious of.

How to protect yourself from text phishing scams

  1. Use a text filtering app to block spam.
  2. Use two-factor authentication for important accounts. This will keep your data safe even if your password is compromised.
  3. Change your passwords regularly.
  4. Be wary of offers, or of being told you have won a competition that you didn’t enter; if it looks too good to be true, it probably is.
  5. Beware of any messages that ask you to: log into an account, reset your password, confirm a security code, or provide any other personal information.

Technology to help protect you

If you are an iPhone user, you can employ a security app to use in conjunction with Apple’s Message Filtering feature. This feature gives security apps access to your messages which means they can scan them and let you know when you receive a phishing message.

For Android phone users it is even easier: you can either use Android’s built-in Spam Protection for messages or use a third-party call and messaging filtering app.

Some examples of filtering apps are as follows:

  • SpamHound
  • Truecaller
  • SMS Shield

All phone users should employ two-factor authentication for any important accounts. These include your Apple ID, Google account, email accounts, social media and banking. This means that even if a hacker works out your password via a phishing attack, they still cannot access your accounts.

What to do if you fear you have already fallen for a phishing scam?

In many cases just clicking a link would not open you up to a phishing scam. You would typically have to perform another action, such as logging into a fake website that the hacker has created to collect your username and password. However, if you are worried that a hacker may have gained access to your phone or accounts, here are some steps you can take.

  1. Change your passwords right away.
  2. Enable two-factor authentication on all important accounts if you have not done so already.
  3. Contact your bank or the organization you feel may have been impersonated to check on your account status.
  4. Use a spyware scanning tool such as our Android app, Certo Mobile Security, or our iOS spyware detection tool, Certo AntiSpy, to make sure that your phone has not been infected with any malware.

Following these steps should set your mind at ease that your phone has not been compromised, and help you spot suspicious texts and avoid being caught out again.