SMS services remain a critical part of telecommunications; they don't require Internet access, and companies use them to inform their customers. This combination of features makes them incredibly useful for criminals who use the technology as a stepping stone in their never-ending campaigns. And if you think that the new RCS messaging standard will offer any protection, you would be wrong. These types of scams will continue to spread regardless of the messaging standard used.
SMS scams are everywhere, and attackers are always looking for a social or political issue to exploit for profit. As scams get more creative, whether it's a package delivery, a government refund or a banking credential issue, anybody can become a victim.
We looked at SMS campaigns worldwide to determine which scams are most prevalent and where they are primarily located. Our research spans from the beginning of September to the beginning of December.
Key findings:
Based on our telemetry and by determining the likely behavior of non-Bitdefender users over a three-month period, we approximate that 15% of SMS will result in a person clicking a URL. From this cohort, we expect that 10% will actually enter personal details that may result in money loss that averages to $1000. From the above data, we estimate it's likely attackers made at least $40 million in three months, which is a conservative number.
Keep in mind the likely user behavior used to calculate the attackers' profit doesn't apply to people using Bitdefender's security solutions. The software displays warnings when the user receives a malicious SMS, which makes it less likely for the user to become a victim.
It’s also worth noting that the profits are not going to a single group of attackers, as the campaigns described in this research likely stem from multiple groups.
Using a novel Bitdefender technology that lets us group apparently unrelated SMS messages from different campaigns and track their worldwide evolution, we plotted a heatmap of the regions with the largest numbers of scams per user. Most of our attack insights came from the specific areas outlined on the map.
The scams are diverse and always focus on getting people to share their data. Our new technology discovered major scam attack campaigns in most countries, ranging from typical package delivery messages to government-related ones.
Looking at areas of higher scam density, we notice a few regions with a greater prevalence of scams, such as the ones described below.
In South Korea, most SMS scams contain invitations to join Telegram or Kakaotalk channels, which offer investment and stock information or promise fake prizes or payments.
Australia, another popular country for scammers, has received plenty of fake package delivery messages and government and banking-related attacks. In the United States, users receive many spam messages concerning political surveys, donations, job openings, or service reviews. Apart from this, plenty of banking attacks have also been identified.
In Turkey, SMS messages get delivered from betting and casino websites, some of which may be spam. Looking at the European region, we notice that scams are prevalent in most countries, with the highest percentages in Turkey, Ireland, Germany, France and the United Kingdom.
Compared to the European average number of messages received per user, users in Germany, France and the United Kingdom received twice as many as most Europeans in this period.
In Turkey, most messages are casino-related, but in other European countries, scammers prefer messages related to banking, package delivery and government issues.
Regarding the northern and southern American regions, the average value of scams per user is four times larger than the European number. The largest number of scams was identified in the United States, followed by Colombia, Chile and Canada.
We delimited the scam campaigns popular in most countries and placed them on a map showing the incidence of certain scams in a specific country.
We analyzed countries with the highest incidence of scam campaigns and split them into categories, comparing keywords and domains of the attacks. Even though most scams can be seen in many countries, with delivery being the most prevalent scam worldwide, the incidence of each scam category varies by country.
Shifting our focus to the European countries where campaigns are widespread, we have analyzed the most significant categories in each country.
While the names of most scams are self-explanatory, such as banking-related or package delivery failure, media streaming scams stand out. In this case, users are warned they might lose access to their account due to a missed payment, missing credit information, or any variation of this message.
In northern and southern America, the trends are similar to those in Europe, apart from the United States, where most received SMS are spam related to political candidates, jobs or surveys. We noticed a high incidence of banking scams in southern American countries.
Taking a further look, we distinguish five major categories SMS scams typically fall into:
Delivery-related scams have been going on for a few years and scammers are always finding new ways to trick people into giving their data. Delivery and postal scams ask the user to pay an additional fee or a custom tax, reschedule a package, or track the shipment.
This is the most popular scam we find in almost every country we analyzed.
📲
E.V.R.I.: If you don't reschedule a new delivery date, your parcel will be sent back to the sender visit: https://evri-delivery-reschedule[.]com/book
📲
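NL4XXXX31Z pakket is onderhevig aan douanerechten (2.99), ga naar https://pakketdiensten[.]com om uw levering te hervatten.
(English: NL4XXXX31Z package is subject to customs duties (2.99), go to [link] to resume your delivery.)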
📲
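Chronopost : votre colis a subi une erreur logistique. Veuillez confirmer vos informations : https://erreur-logistique[.]com
(English: Chronopost: your parcel has had a logistics error. Please confirm your information: [link])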
📲
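Yurtici kargo: koliniz adres nedeniyle gonderim merkezine iade edilmistir,tekrar gonderilebilmesi icin lutfen adresinizi guncelleyiniz!https://is[.]gd/qFBPMX
(English: Yurtici Kargo: your parcel has been returned to the dispatch center because of the address; please update your address so it can be sent again! [link])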
Banking scams are found in many countries and usually present people with an urgent situation they need to solve by giving out their credit card information. The messages often state that the user's account might be disabled unless the user reauthenticates on the fake link provided in the SMS.
Here are some examples:
📲
SantanUk: You recently set up a new beneficiary via mobile banking on Nov-02. NOT you, go to: https://auth-user-login[.]web.app
📲
Please complete our security process by 24h to avoid a block on your online access. https://rbcroyalbank[.]cm
📲
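El 26/10 a las 16:49 hemos detectado un pago en un comercio online por alto importe. Si no ha sido usted, revise: https:// ing.directs[.]com.es
(English: On 26/10 at 16:49 we detected a high-value payment at an online merchant. If it was not you, check: [link])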
📲
Dear 'AXIS BANK' user,. Your 'AXIS BANK' A/c Will be suspended today. Please update self PAN-Card immediately.'Click on the link below-' https://t[.]ly/AXIS_ePAN
📲
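DIe Phototan ist ab 03.12.2023 nicht mehr verfügbar. Wir empfehlen umgehend Commerz.265268[.]com für das aktuelle Sicherheitssystem zu verwenden.
(English: PhotoTAN will no longer be available from 03.12.2023. We recommend using [link] immediately for the current security system.)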
Government scams vary depending on what social issue is a hot topic in the country at a given time. We found that most government-related SMS attacks take place in France, the United Kingdom, the Netherlands and Australia, though many other countries see this type of attack at a lower incidence.
In Australia, malicious SMS messages are related to the health care program, Medicare, or specific actions people should take to update a Centrelink or myGov account.
📲
Latest News [My.Gov]: There is a $1,560 refund pending on the account. Please update your information to receive:https:// eckerink[.]tech
📲
Medicare Notice:Regularly review and update your Medicare information for uninterrupted services:medlcare-au[.]cc.
Fraudsters in the United Kingdom are imitating the Driver and Vehicle Licensing Agency (DVLA) to persuade drivers to give out their personal information.
📲
DVLA: Our routine check requires confirmation of your driver's licence record, so please act accordingly on my-dvla.agency-uk[.]com
In France, for instance, many campaigns are about the health insurance program (Ameli and Carte Vitale) or a transport card-related action that must be taken (Navigo). Some of the scams have been going on for years.
📲
Votre nouvelle carte vitale est disponible. Veuillez remplir le formulaire afin de continuer a etre couvert: ameli-renouvellement[.]fr
(English: Your new Carte Vitale is available. Please fill in the form to remain covered: [link])
📲
NAVIGO vous rembourse 184.10euros Visitez https://navigo-agence[.]com afin de bénéficier de votre remboursement.
(English: NAVIGO is refunding you 184.10 euros. Visit [link] to receive your refund.)
Tax refunds are a common scam in many countries. In Australia, the most common ones concern the A.T.O. refund.
📲
A.T.O.: Hello, you've got an immediate pending issue on your 2022/2023 income tax lodgement, Visit https:// lodgementrefund2023[.]top/UPdate/ to fix immediately
📲
A.T.O. Your refund is now available to be claimed at: mygov-refunds.publicvm[.]com/ret/ato by completing the steps.
In the U.K., another scam that appeared years ago and is still in use today imitates HMRC, the national tax authority, to get people to input their data for a tax refund.
📲
HMRC GOVUK:Our records show that your tax refund of £398.90 can now be claime.Please continue via:https://ukhmre-tax-refund[.]com to claim your refund
📲
Your refund up to £5389 is unclaimed. Tax was taken from past PPI/Loans and is owed back. Click now: https://trendglo.co.ukvsms[.]io/GB
In the Netherlands, similar attacks focus on receiving a tax refund or outstanding debts.
📲
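Uw openstaande schuld van: €436,28 is tot op heden niet betaald. Betaal dit nog voor 11-09-2023 via: https://schuld-aflossen[.]xyz/belastingdienst/BD567.430.31/
(English: Your outstanding debt of: €436,28 has not been paid to date. Pay it before 11-09-2023 via: [link])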
Toll payments are featured in a frequent campaign in countries such as Australia, New Zealand and Hong Kong. The messages usually state that you must pay a toll tax or receive a fine.
📲
Your toll has not been paid by the deadline of November 18, 2023. Please pay it as soon as possible. Avoid being fined. Learn more https://www.tollceas[.]center
📲
N.Z.T.A. -You have tolls that have not been paid and are overdue. Click: https://nzta.bplcw[.]com/ to update the information and pay the toll.
The most widespread campaign addresses an inability to use a Netflix account if a payment is not made, or the user's credit card information is not updated. The scam also leverages other services such as Amazon, Apple or Disney.
📲
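NETFLIX: Votre dernier paiement a été refusé, veuillez confirmer vos informations de paiement ou votre compte sera suspendu: espace-support[.]com
(English: NETFLIX: Your last payment was declined, please confirm your payment information or your account will be suspended: [link])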
📲
N.E.T.F.L.I.X.: Account on hold. Please update your details to avoid cancellation: https://confirmprofile[.]info
📲
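NETFLIX : Letzte Warnung vor der Einschränkung Ihres Kontos Bitte bestätigen Sie Ihre Angaben bis 24 Uhr : https://mynetflix-int[.]com
(English: NETFLIX: Final warning before your account is restricted. Please confirm your details by midnight: [link])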
📲
amazon PRIME: Payment rejected, go to processpaymentamazon[.]ca
A common scam is about fake prizes that the user has allegedly won. The messages usually seem to come from a large chain store and allegedly offer either electronics or vouchers. Normally, the messages also contain the user's full name and phone number.
Similar messages have been seen in multiple countries, such as Spain, Romania, Sweden or even South Africa.
Also, this category included messages seemingly from casino and betting websites, stating that the user has won an amount of money.
In the US, texts about donations and surveys regarding political candidates are received by most people. The large number of SMS messages an average person receives in the US makes it challenging to distinguish between legitimate and fake political campaigns.
Most scams create a sense of urgency around their request, which shows up in all sorts of shapes or forms. Whether it concerns a package about to be sent back if details are not provided, a prize available for a limited time, or a bank account that will soon be suspended, these messages seek to make the potential victim react quickly and without giving much thought to what is asked of them.
Always remain wary of demands that make you give out your data. When in doubt, contact the company or institution that sent the SMS by other means of communication to confirm if the request is legit and was sent by them.
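The traits this article describes (keyword and domain comparison, dotted brand names such as E.V.R.I., and urgency wording) can be checked mechanically. The following is an added example, not Bitdefender's technology or code; the keyword lists, category names and function names are assumptions built from the samples quoted above.

```python
import re

# Keyword lists are assumptions drawn from the sample messages quoted in this article.
CATEGORIES = {
    "delivery": ("parcel", "delivery", "pakket", "colis", "kargo"),
    "banking": ("bank", "beneficiary", "online access", "phototan"),
    "government": ("refund", "tax", "medicare", "dvla", "toll", "carte vitale"),
    "streaming": ("netflix", "amazon prime", "disney"),
}
URGENCY = ("immediately", "today", "24h", "deadline", "sent back",
           "suspended", "on hold", "as soon as possible", "avoid")

# Brand names split by dots (E.V.R.I., N.E.T.F.L.I.X.) defeat plain keyword matching.
DOTTED = re.compile(r"\b(?:[A-Za-z]\.){2,}(?:[A-Za-z]\b)?")
# Heuristic host matcher; text such as "word.Next" can produce false positives.
HOST = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def normalize(sms):
    """Collapse dotted brand names and refang "[.]" so keywords and hosts match."""
    text = DOTTED.sub(lambda m: m.group(0).replace(".", ""), sms)
    return text.replace("[.]", ".")

def triage(sms):
    """Return category, urgency and sender-obfuscation flags plus linked hosts."""
    text = normalize(sms)
    low = text.lower()
    scores = {c: sum(k in low for k in kws) for c, kws in CATEGORIES.items()}
    best = max(scores, key=scores.get)
    return {
        "category": best if scores[best] else "unknown",
        "urgent": any(u in low for u in URGENCY),
        "obfuscated_sender": bool(DOTTED.search(sms)),
        "hosts": [h.lower() for h in HOST.findall(text)],
    }

# Three messages quoted in this article, plus one constructed benign message.
SAMPLES = [
    "E.V.R.I.: If you don't reschedule a new delivery date, your parcel will be "
    "sent back to the sender visit: https://evri-delivery-reschedule[.]com/book",
    "N.E.T.F.L.I.X.: Account on hold. Please update your details to avoid "
    "cancellation: https://confirmprofile[.]info",
    "SantanUk: You recently set up a new beneficiary via mobile banking on "
    "Nov-02. NOT you, go to: https://auth-user-login[.]web.app",
    "Your dentist appointment is confirmed for Tuesday at 10:00.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

Substring keyword matching is deliberately loose, so results are triage hints for an analyst rather than verdicts.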