SMS Scams over the Holidays: Ready, Set, GO.

In the last year, global e-commerce has jumped to over $26.7 trillion, accelerated by COVID-19 according to United Nations UN News. It all sounds like great news for the economy, however fraudsters are following this upward trend and adapting their scams.

With the holidays and gift giving season approaching, more online shopping and package deliveries for consumers also means more opportunities for scammers to get information.


What is SMS Phishing?

SMS Phishing (also known as Smishing) is the act of committing text message fraud to try to lure victims into revealing account information or installing malware. Similar to Phishing, cybercriminals use SMS Phishing in an attempt to steal credit card details or other sensitive information, by disguising as a trustworthy organization. SMS Phishing has grown in popularity with cybercriminals now that smartphones are widely used, as it enables them to steal sensitive financial and personal information without having to break through the security defenses of a computer or network while also attracting considerably higher open rates than email. According to, while email recipients only open about 20% of their messages, SMS recipients open 98% of their texts.

“On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before,” says IDC’s Phil Hochmuth.

Examples of SMS Phishing

  • Fake shipping notifications: Many delivery scams start with a text message about delivering a package to your address, according to the Better Business Bureau. These messages often include a “tracking link” that you are urged to click in order to update your delivery or payment preferences.
  • Phony bank account balance warnings: A link to a website prompting for a bank account number or PIN of a debit card.
  • Fake text from the IRS or Power company: Saying you owe unpaid taxes and that the IRS will arrest you if you don’t pay now via a link.
  • Fake Prize notifications: Requesting personal information to deliver the reward.
  • Bogus Covid-19 contact tracing messages: Requesting Personal information.

Combating the threat of fraudsters

Companies are aggressively looking for ways, including authentication and fraud detection solutions, to simultaneously streamline authentication and strengthen security. A “State of Intelligent Authentication and Fraud Prevention 2021” survey conducted by Opus Research revealed that “customer authentication [across all channels] has a direct impact on fraud detection and fraud prevention,” with a rare 100% of respondents agreeing or strongly agreeing with the statement.

Clearly, decision makers are coming around to acknowledging the link between strong authentication and fraud-loss prevention. When asked about which authentication and fraud detection methods they use, organizations report a wide range of strategies and factors (graph below).


SMS scam blog

While PINs/Passwords are still the most common factor in use, respondents also incorporate other factors including out-of-band delivery of one-time-passwords, knowledge-based authentication via security questions and voice biometrics.

How to Protect yourself: Tips for Identifying Scammers

  1. Do your research to double check the details. If you get an unexpected sms text from a delivery company, or bank, look up the bank, agency or organization and get in touch directly, without using any contact information in the SMS text.
  2. Claim a prize: No legitimate lottery, sweepstakes, or business will ask you to pay to claim a prize or ask for your bank details to deposit your “cash prize”.
  3. Beware of urgent texts: “Attention. Fraudulent activity has been detected on your account. Act Now.” Scammers often create a sense of urgency to bypass your better instincts. Take your time and ask questions to avoid being rushed into a bad situation.
  4. Refund owing to you from a retailer: Notifications involving money owed “Our records show that you overpaid for (a product or service). Kindly supply your bank routing and account number to receive your refund.” Again, don’t click on the link, check with the source.
  5. Never verify passwords via a text: Any text that attempts to verify your Apple ID / Amazon account / Bank account is suspicious.

What can you do if you receive these messages:

  • Report spam texts to the FCC and your carrier—Report as junk or spam. You can also contact your cell phone carrier to report as spam and file a report with the Federal Trade Commission at
  • Stay alert—Don’t click on any links, as they can install malware on your device, which collects your personal information.
  • Ignore spam text—Directly replying to a spam text message lets a spammer know that your number is genuine. What happens next? They can sell your phone number to other spammers who might bombard you with promises of free gifts and product offers.

Finally, keep in mind fraudsters are continuously evolving and adapting their strategies, so most of all, be aware and be safe, especially this holiday shopping season.



The Aculab blog

Cloud news, views and industry insights from Aculab

  • Santa Vs CPaaS - Getting your online orders delivered

    With over a third of shoppers planning to do Christmas shopping solely online, and 61% taking a hybrid approach, how can you ensure your company's orders are delivered, on time and securely? Find out how you can improve Christmas shopping for your customers by using CPaaS.

    Continue reading

  • STIR/SHAKEN and Robocalls

    The STIR/SHAKEN framework has been the talk of the North American telecoms town over the past few years, but what is it, how does it impact your business, and how can you make sure your business’s communications conform to this framework?

    Continue reading

  • STIR / SHAKEN in CPaaS

    Robocalls: Good guy vs Bad guy

    Tired of robocalls? Who isn't. I barely answer my cell phone unless it's from someone I know. With the usage of cell phones in the US rising substantially over the past decade, consumers have seen a sharp rise in the number of spoof and robocalls they receive.

    Continue reading

  • How To: Add voice and video calls to your webpage

    The advent of the internet fundamentally changed how people communicate. We are now able to connect with people across the globe almost instantaneously, not only through voice and text, but also through video communication.

    In this blog post we will be diving into WebRTC, showing how it can help you as a business, and explaining what you can achieve with Aculab Cloud WebRTC.

    Continue reading

  • Reminder: The world is reopening

    Appointment reminders are critical to many industries around the world, now more than ever. From the crucial services to the downright fun, in the new world emerging from lockdown, we all need a little certainty in our lives.

    Continue reading