Spoofed emails have been a problem for quite a while now, but recently there has been a surge of spoofed texts, fake phone calls, and spoofed emails. Today I’ll dive into this ever-increasing problem and what you can do to identify this blatant fakery.
First, let’s look at a couple of questions:
- Why am I getting these to begin with?
In a nutshell, the primary reason you get any spam (be it text, phone call, or email), all boils down to money. Generally, there is always something they are trying to gain from you and when it comes to all the ‘little people’ out there, it is usually either your money or your identity (which also equates to money).
Typically, people that take the effort to send out spam are trying to get you to:
- Buy their product (masquerading as someone you trust)
- Give them your login details for an account
- Attempt to set up a trust relationship (get information from you by acting like someone you trust)
- Install a virus or ransomware on your computer
- Be scared and con you into giving them money
- How do I get so many spam texts, phone calls, and emails? Why me?
The answer is simpler than you know. At some point in the last 1-20 years, you have probably either subscribed for something, been part of a data breach or been the lucky recipient of a random information guess. In the dark web, nothing is more valuable than large lists of accurate contact information. There are massive lists containing millions of PII (Personally Identifiable Information) such as phone numbers, email addresses, usernames, passwords, and social security numbers (just to name a few).
There is probably an extremely high chance that you are not directly being targeted. You are just a number and one of the millions of poor saps they are counting on to click that link or pick up that call.
How the data collection works and why it is important NOT to pick up that call or click that link
As stated above, there are massive databases (collections of data) out there that contain your information. Probably a lot more private information than you think. What can you do to get yourself out of those databases? In short, not much. However, if you continue to not click links, not answer fake calls and not respond to fake texts, then you won’t be considered a “valid” contact and might eventually drop off some of them.
The spammer gets these lists of contact information and puts it into a program on a computer or a series of computers they have set up as a network. These programs have templates for email, text, and even voice calls and they essentially war dial you, which means they transmit out the template to you or call you and wait. When you get a fake text or email and click the link, it sends a message back to the software and marks you as a “real” person. If it is a phone call you are getting and you pick it up and hear some generic record message, it detects that the line was picked up. You don’t have to say a word or press a button, all you have to do is pick up the phone. That then automatically marks you as a “real” phone number.
Now, it gets a little trickier with phone calls. When you validate that your number is real, not only does it know that someone will pick up on the other end because it knows that the number is real it also adds your number to a spoof list. Later, when it tries to call out, it can use your phone number as the outbound number in the hopes that someone you know might pick up the call. I know, scary, huh? The reason for this setup is that spammers know establishing trust is the most important thing. Showing as a phone number that someone might trust or showing as an email address that others might trust, enhances the potential for buying the product, downloading the virus, or replying to the contact.
How to recognize and how to avoid spoofed / spam communications
- Question all links – especially if they are coming through text. Very few companies will send a link via text. If you’re on a desktop and it is an email, float over the link. This will show where the link is really pointing. If it does not make sense or looks fake, it probably is.
- Shortcodes and Phone numbers – Large companies do not use phone numbers, because they are too easy to spoof. If a marketing text comes through from AT&T or Amazon and it is coming from a phone number, it’s fake. Shortcodes are special numbers 5-6 digits long that identify with a registered company. Unfortunately, I have not been able to find a (valid) directory for shortcodes. But if I do find it, I’ll edit this article to include it.
- Email addresses are frequently spoofed. If you float over the name of the sender (in most email programs or websites), it will display who the email is truly coming from. Sometimes they don’t even bother to masquerade and just count on your freaking out about the money due or the content of the email.
Some interesting examples of emails and texts are below. I’ve highlighted and explained the proof of each.
Things to remember:
- Take a breath and keep your cool
- Do not react – don’t click, don’t call, don’t reply.
- Contact someone you trust (yes, you can even contact me personally). Ask them to validate it and help you figure out if it is real.
- Make sure you have a solid Antivirus / Threat Protection software such as Sophos on your computer (yes, even if you have a Mac)