Terminology: smishing and spoofing
First, let’s establish the terminology we’ll need to understand this situation.
Smishing — or SMS phishing — is a common tactic used by fraudsters. It involves sending someone a text message, typically one that appears to be from a friend or a trusted business (a network provider, for example, or a bank).
Using that fake identity, the sender can request information or urge their victim to click a link. The link will then infect their device with malware or lead them to expose their passwords.
To make the ruse more convincing, hackers can spoof another phone number, a simple process that allows them to mask their own number with that of the person they’re impersonating.
A familiar number
There have been numerous reports in recent weeks of people in the US receiving spam texts from their own phone numbers.
On the surface, these messages looked like any other smishing scam, except for one thing: it appears that the criminals spoofed the phone numbers of the people they targeted.
Beyond the familiar phone number, of course, they seemed like classic smishing attacks, intended to trick people into clicking on a suspicious hyperlink. But an extra layer was added to the mystery when people started following those links.
The Russian connection
Most smishing attacks are launched by lone-wolf hackers intent on stealing money and login credentials. Yet the specific spam texts we’re talking about today included links to Russian state media sites.
It’s impossible to say for sure why these attacks are happening and where they originated. But cyberattacks and phishing operations from within Russia have surged in recent weeks following the invasion of Ukraine, so that context certainly seems relevant.
According to Avanan, an email cybersecurity firm, Russian phishing attacks increased eightfold in February 2022. These strange smishing attempts look like they could be part of this wider trend.
The Kremlin has long been accused of using cyber warfare, malware, and other aggressive digital strategies; this wouldn’t be the first time that a cybercrime in the US was traced back to Russia.
How can you protect yourself?
There’s not a lot that you can do to prevent number spoofing and spam messages. That responsibility lies with your phone provider and its spam detection systems.
However, that doesn’t mean you can’t take steps to protect yourself. The number one thing that anyone can do to limit the threat of smishing attacks is to avoid clicking the links in these messages.
Even if you recognize the number messaging you — yes, even if you’ve already saved that number to your mobile contacts! — you shouldn’t rush to click on any links the alleged sender delivered. Instead, contact the person or organization you think just texted you and have them confirm the authenticity of their last message.
Caution is still one of the best defenses against scams of all kinds.