We have come a long way from the first humble SMS text messages of 20 years ago, with new services springing up every year. I know I have used SMS, MMS, iMessage, BBM, Viber, Skype, WhatsApp, Kirk, Eva, Signal, Discord, Telegram, Snapchat and the social media messaging of Facebook, LinkedIn and Twitter. That’s over 16 different systems other than email that could potentially be used to send me a malicious link, or an element of a scam. Many of these systems are linked to a mobile number or email address, which most people give out freely all the time.
So how do the criminals use these services? Firstly, by creating fake accounts. Pay as you go (PAYG) and prepaid mobile phone SIM cards can be obtained without any form of ID or personal details and paid for in cash in countless stores. Any unused public email address from Outlook.com, Google or Yahoo can be obtained for free, also without any form of ID or personal details. The criminals then use these new mobile numbers and email addresses to create and verify their fake accounts. Pictures are then copied from other people's social media accounts, depending on the type of scam the account is meant to be used for. In this message on the Viber service, for example, the image has been copied from the VK.com social network.
There are also new ways to send SMS messages via virtual mobile networks like Hushed and online services like smsreceivefree.com, which can be obtained without verification and can appear to be from practically any country in the world and even display as a local area code landline number. So, the criminals have a vast array of options to either send you malicious links or to trick you into believing they are who they say they are. The criminals are helped by the fact that most of these communication services are used on mobile devices, whose smaller screens make it easier to trick people into believing a fake website is genuine. As many mobile versions of genuine websites do look different anyway, a lot of people wouldn't notice anything was amiss. The cleverer scams may then use the credentials you just supplied to actually log you into the genuine website or service, so apart from a slight delay, everything appears to be completely normal.
The criminals can also use automated services or ‘bots’ to trick you into believing there is an actual person sending the messages. Even if someone rings you and then messages you an ‘authorisation code’ to enter into a website to help you fix a problem you never knew you had, it is in all probability fake. So, to be safe, assume any messaging account may be a bot or fake unless you have actually met the person, no matter what their picture looks like, who they claim to be or which company they claim to work for. Remember, because many of the services you use are based on your email address or mobile number, it is quite easy for criminals to send messages to a range of services based on these. For example, a fake ‘urgent – your Microsoft Outlook email has been compromised’ message and phishing link can be sent via SMS, Viber and WhatsApp to a randomly generated mobile number.
But by far the easiest method for the criminals to steal your credentials is to get someone you know, and hopefully trust, to send you a message that ticks the curiosity box or the FOMO box.
Take this example in Facebook Messenger, with a known contact sending a message about a YouTube video and asking if that is you. Except it’s not a video, but an image made to look like a YouTube link as it would appear within Messenger. When you click it, instead of going to YouTube, you get taken to a fake Facebook login page, which is probably how your friend was also compromised. If you happen not to notice that the domain isn’t correct, you’ll find that all your contacts may receive the same message.
Every time you are asked to enter login credentials after pressing or clicking something, pause for thought and check whether it is real and something you would expect to happen. If you see that the link is fake, it is best to inform your friend by another means.