Smishing is probably the cutest name for a cybersecurity attack I've ever heard, but it doesn't make it any less dangerous. It's clear to me we're not talking enough about this mashup of SMS texting and phishing or educating people on how to recognize and respond to it.
For the past few months, I've been the target of multiple, aggressive smishing attacks that might fall under the heading of “long-lost friend or acquaintance.”
These social engineering phishing attempts invariably come from various unknown phone numbers via standard green bubble SMS on my iPhone 15 Pro Max, usually with a short, friendly, and inquisitive message.
They arrive with names like Mia, Diana, and Alyssa. Usually, they claim we've met before. Mia told me she stumbled on my number in her address book, implying we had met, perhaps at an event, and exchanged contact info. I meet a lot of people in my line of work but rarely hand out my phone number. In fact, I don't even carry business cards. I tell people to Google me, and they will quickly figure out how to contact me.
Sometimes, these smishers act as if we bumped into each other in a hallway, and, out of an abundance of politeness, they introduce themselves and want to know my name. That was Diana's approach, who texted me, “My name is Diana. What's your name?”
I see you coming
My scam detection alert system is probably set higher than most people's, so I don't fall for these come-ons. That said, I am curious not so much about what they want (my personal details, including bank account and social security numbers) but how they plan to get it.
Still, my annoyance level is so high that I rarely reply in a way that leaves the door open for further communication. With Diana, I replied, “You texted me. If you don't know, we got nothing to talk about.”
Undeterred, Diana told me she didn't know either, writing, “I saw this number when I was sorting through my address book [as one does, I guess], but there was no name on it. Have we had business conversations before?”
Still in grumpy mode, I replied, “No idea. Don't know who you are.” This led to the best part: a photo of Diana with the message “Now you know who I am.”
The image of a woman of Asian descent appears to be a combination of a real person with an AI-generated head sitting in a nondescript and carefully cropped location. What's especially comical about this is that if you string any of these people far enough along, they will all provide images that are in some ways strikingly similar: all feature young, appropriately dressed Asian women in entirely banal settings.
To Diana, I replied, “Nope, does not ring a bell.” Diana, though, was relentless: “What's your name? Maybe you can share a photo with me.” When I didn't respond, Diana sent a “Hello.” Days later, I responded with a photo sent to me by a different smisher. Diana took a while but eventually said I looked Chinese and called me a “beautiful lady.”
Eventually, she asked me in Chinese to add her as a WeChat contact. Another smisher whom I strung along also eventually lapsed into Chinese while asking to see a picture of me.
A growing problem
While the whole thing seems comical, there are some fairly dire risks in engaging with these people. A 2022 FTC study found that spam text attacks account for $330M in losses. Naturally, that number is likely far larger now. And while spam texts from fake banks, fake Social Security, fake FBI, and fake Amazon may be easier to spot because of phone numbers that ask you to call and links they want you to follow, these new “connection smishes” might be more diabolical and ultimately dangerous. They play on people's loneliness, faulty memories, politeness, and need for connection.
It's not lost on me that all these smish attacks appear to come from women and that the images are of people who are young and relatively attractive. It's almost a text form of catfishing. If one can break through and convince you to truly connect with a Diana, Mia, or Alyssa, they could soon have you wiring them money to help them pay bills, and you both make plans to “meet in person” at some point in the distant future.
What to do
Cellular service companies can help you block some spam texts, and, as Verizon notes, they automatically block billions of spam texts before you even see them. Still, they seem less effective at blocking these types of smishing activities. In the US, you can also report them to the Federal Trade Commission, but since they mostly use temporary or spoofed phone numbers, there's little the FTC can do. Which means it's up to you.
I get that it isn't always easy to tell the difference between a true friend or contact randomly reaching out and one of these attackers. When Alyssa contacted me, the first message was a playful “Guess who I am😆.”
“No idea,” I responded, wondering if this was a friend I simply hadn't labeled with a name in my address book.
“I'm Alyssa, have you forgotten me?”
This gave me pause. I know an Alyssa whom I haven't chatted with in ages. Could it be her?
“Alyssa? Alyssa who?” I interrogated. (Another telltale sign of these scams is how long it takes for the middle-aged, bloated dude sitting in a basement outside Beijing, China, to figure out the perfect text response.)
The next message eventually showed up with a photo of a young Asian woman sitting beside a bouquet, “We had exchanged numbers before at the reception. Have you forgotten me?”
The hope on the scammer's side is that I'll think of some event I recently attended and then wrack my brains trying to remember who I talked to and if one of them was “Alyssa.”
In situations like these and other scam attempts, the best course of action is to keep engagement to a minimum. If they know you, it will be obvious to you; otherwise, every bit of the conversation will be missing crucial info as the scammer does their best to get you to spill all sorts of personal details. One of them asked me where I lived as if I was going to provide my home address.
The other action you can take is to click on the info button next to the phone number and block the caller. That will instantly end the conversation, or at least that conversation. Unfortunately, you'll probably get other such smishing attempts. All I can tell you is to rinse and repeat on not engaging and call blocking, and maybe tell your friends and relatives to do the same.