SMS Scams over the Holidays: Ready, Set, GO.

In the last year, global e-commerce has jumped to over $26.7 trillion, accelerated by COVID-19 according to United Nations UN News. It all sounds like great news for the economy, however fraudsters are following this upward trend and adapting their scams.

With the holidays and gift giving season approaching, more online shopping and package deliveries for consumers also means more opportunities for scammers to get information.


What is SMS Phishing?

SMS Phishing (also known as Smishing) is the act of committing text message fraud to try to lure victims into revealing account information or installing malware. Similar to Phishing, cybercriminals use SMS Phishing in an attempt to steal credit card details or other sensitive information, by disguising as a trustworthy organization. SMS Phishing has grown in popularity with cybercriminals now that smartphones are widely used, as it enables them to steal sensitive financial and personal information without having to break through the security defenses of a computer or network while also attracting considerably higher open rates than email. According to, while email recipients only open about 20% of their messages, SMS recipients open 98% of their texts.

“On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before,” says IDC’s Phil Hochmuth.

Examples of SMS Phishing

  • Fake shipping notifications: Many delivery scams start with a text message about delivering a package to your address, according to the Better Business Bureau. These messages often include a “tracking link” that you are urged to click in order to update your delivery or payment preferences.
  • Phony bank account balance warnings: A link to a website prompting for a bank account number or PIN of a debit card.
  • Fake text from the IRS or Power company: Saying you owe unpaid taxes and that the IRS will arrest you if you don’t pay now via a link.
  • Fake Prize notifications: Requesting personal information to deliver the reward.
  • Bogus Covid-19 contact tracing messages: Requesting Personal information.

Combating the threat of fraudsters

Companies are aggressively looking for ways, including authentication and fraud detection solutions, to simultaneously streamline authentication and strengthen security. A “State of Intelligent Authentication and Fraud Prevention 2021” survey conducted by Opus Research revealed that “customer authentication [across all channels] has a direct impact on fraud detection and fraud prevention,” with a rare 100% of respondents agreeing or strongly agreeing with the statement.

Clearly, decision makers are coming around to acknowledging the link between strong authentication and fraud-loss prevention. When asked about which authentication and fraud detection methods they use, organizations report a wide range of strategies and factors (graph below).


SMS scam blog

While PINs/Passwords are still the most common factor in use, respondents also incorporate other factors including out-of-band delivery of one-time-passwords, knowledge-based authentication via security questions and voice biometrics.

How to Protect yourself: Tips for Identifying Scammers

  1. Do your research to double check the details. If you get an unexpected sms text from a delivery company, or bank, look up the bank, agency or organization and get in touch directly, without using any contact information in the SMS text.
  2. Claim a prize: No legitimate lottery, sweepstakes, or business will ask you to pay to claim a prize or ask for your bank details to deposit your “cash prize”.
  3. Beware of urgent texts: “Attention. Fraudulent activity has been detected on your account. Act Now.” Scammers often create a sense of urgency to bypass your better instincts. Take your time and ask questions to avoid being rushed into a bad situation.
  4. Refund owing to you from a retailer: Notifications involving money owed “Our records show that you overpaid for (a product or service). Kindly supply your bank routing and account number to receive your refund.” Again, don’t click on the link, check with the source.
  5. Never verify passwords via a text: Any text that attempts to verify your Apple ID / Amazon account / Bank account is suspicious.

What can you do if you receive these messages:

  • Report spam texts to the FCC and your carrier—Report as junk or spam. You can also contact your cell phone carrier to report as spam and file a report with the Federal Trade Commission at
  • Stay alert—Don’t click on any links, as they can install malware on your device, which collects your personal information.
  • Ignore spam text—Directly replying to a spam text message lets a spammer know that your number is genuine. What happens next? They can sell your phone number to other spammers who might bombard you with promises of free gifts and product offers.

Finally, keep in mind fraudsters are continuously evolving and adapting their strategies, so most of all, be aware and be safe, especially this holiday shopping season.



The Aculab blog

Cloud news, views and industry insights from Aculab