Some Verizon customers are reportedly receiving an unusual flurry of spam text messages. The reason they're so unusual is that the texts appear to be coming from the recipient's own phone number.
“Spoofing” a telephone number is a common trick used by scammers to encourage targets to answer a call or respond to a message. But tech experts say it may be the first time spammers have “spoofed” the target's own number.
Chris Welch, writing in The Verge, was among the first to go public with the new wave of spam messages, although other Verizon customers have posted accounts of similar incidents on message boards. For its part, Verizon said it is working on the problem.
“Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number,” the company said in a statement. “Our team is actively working to block these messages, and we have engaged with U.S. law enforcement to identify and stop the source of this fraudulent activity.”
Trying to sidestep multi-factor authentication
Bryan Hornung is the CEO of Xact IT Solutions. He tells ConsumerAffairs that cybercriminals are apparently trying to get around multi-factor authentication by using the target’s phone number.
“The text messages we have observed from both AT&T and Verizon customers are similar in nature where you are presented with a ‘gift’ for paying your bill on time,” Hornung said. “This is an attempt to steal the credentials of a wireless service customer so they can then gain access to the account and then potentially set themselves up to receive the victim's MFA codes that are sent via text message.”
Getting one of these spoofed spam messages doesn’t mean your phone has been taken over, but Hornung says that’s the ultimate goal.
“Spoofing and the act of impersonating or disguising one’s identity in order to appear as a trusted source could be one of the oldest cyberattacks,” Mark Ostrowski, head of engineering at Check Point Technologies, told ConsumerAffairs. “The applicability of SMS spoofing is relatively easy to do as the scheme provides fields in which false information fields can be populated.”
Molly Antos, a vice president at Dadascope, says most communication channels that consumers access are now targeted for abuse in some way, putting sensitive information at risk.
“For a hacker, the cost of sending out these spoof messages via SMS is almost nothing,” she told us. “To compound the low cost, cybercriminals know that people, over time, have come to trust SMS messages more than they do email given the high volume of spam emails that most consumers see and receive daily.”
Antos says email systems have had years to find ways to filter out spam and phishing attempts. Wireless companies, she says, have not developed the same tools.
When it comes to consumers' security, experts all agree – when receiving a text that appears to be coming from your own phone number, don’t click on any links and delete it immediately.