What is SMS Spoofing?
SMS spoofing is a technique that uses text messages to try and defraud people or obtain other private information.
The process is similar to other forms of hacking, phishing, and even scam calling, however, SMS spoofing relies specifically on text messages. Normally, text messages are thought of as more secure and not as common as the dozens of spam calls that people get every day.
But, SMS spoofing is on the rise and something you want to be aware of to protect yourself and your loved ones from fraudsters.
What is SMS Spoofing?
SMS spoofing is a technique that allows people to change the name of text messages sent via the short message service (SMS) system. SMS messages can be sent by other mobile phones, and similar devices, even from computers to mobile devices that are connected via a network or account.
The original sender ID is commonly a phone number, or the name a person has entered in their phones. SMS spoofing lets people change the sender’s name in order to trick people about the real origin of the sender and attempt to obtain personal information.
Beyond changing the name of the sender, the mobile number can also be changed. This can let potential hackers completely pretend to be someone else, even someone you think you know.
In the United States, it can be more difficult for spoofing to occur, since cellular networks have much more strict protocols in place for message delivery, but it can still happen.
Often SMS spoofing can be done in bulk. Fraudsters will use an SMS gateway software that will mask who’s actually sending out the message. This is similar to robocalls, which can be done automatically, hitting thousands of people at once.
Some people will even go as far as to create their own SMS gateway to blast out messages, or even hack into an actual company and use their actual network of numbers.
SMS Spoofing and SMS Phishing (Smishing)
Smishing is the combination of SMS messaging and phishing. With phishing, criminals will attempt to gain access to your accounts, or obtain other private information by sending out malicious links.
Smishing is usually combined with spoofing, so the true identity of the sender will also be masked.
One of the most common examples of phishing is getting a fake email from someone impersonating your bank who wants you to call a phone number, respond to the email with your banking information, or even click a link to visit a website that will look legitimate enough for you to enter your banking information.
Smishing can be used without spoofing, so instead you’ll just receive a message from an unknown number.
Here are a few other common SMS phishing attempts:
- Prize alerts, just click the link to claim your prize
- Fake texts from your boss or company you work for
- Requests to change your password or authenticate your device
The true danger of combining smishing and SMS spoofing is that the text message you receive can seem completely legitimate.
The rise of messaging apps like WeChat, WhatsApp, or iMessage can fall under the umbrella of messaging as well, even though they’re non-SMS messengers. These messaging platforms almost make spoofing and smishing easier, since there’s less of a verification process for creating an account.
Why Smishing and Spoofing are on the Rise
One of the big reasons why smishing and spoofing are becoming increasingly prevalent is because of the medium of text messages.
Since text messages are such an instant and intimate communication medium, scammers can take advantage of that. Most people will receive an instant alert on their phone that they’ve received text messages.
Sometimes there’s even a preview of the message. So, if the spoofer has masked the name and the name seems familiar, there’s a good chance the message will get opened.
Most people are already aware of email and calling spam, but since text message spoofing is less common, there’s more of a risk for unsuspecting users.
Types of SMS Spoofing
SMS spoofing can be used to mislead people in many ways. Here are some of the most common ways that SMS spoofing can be used to trick and con people:
Fake Company Name
Someone who’s using SMS spoofing can pretend to be the name of a well-known company when in reality they’re just trying to get information from you.
For example, they could change the name of your cell carrier and send you a message about a payment that is overdue. If you forgot to pay your bill, this is something you could easily fall for, and accidentally respond to the message.
Fraudsters are even impersonating big companies like Facebook and Google and using this to gain access to your personal login information and accounts.
Fake Money Transfers
A lot of SMS spoofers will attempt to be legitimate companies, or even local businesses and attempt to get in touch with you to obtain your credit card information.
If you’ve recently completed a purchase at a local business, then you could receive a message saying your purchase wasn’t able to be completed, or you need to update your payment information on your account.
The same goes for text messages from your bank asking you to enter your account information. Never give out your banking login information via text message or online anywhere that isn’t the official bank website.
Obtain Sensitive Information
A lot of people who are using SMS spoofing for nefarious purposes will be trying to get you to take action quickly on the text message.
For example, you could get an SMS text message saying your account will be deleted within 24 hours if you don’t take action, or click the link that was sent. Or, you may be asked to submit photos or other personally-identifying information.
This is very similar to email phishing, where scammers will send an email that looks like it came from the original source and direct people to a web page that also looks legitimate.
Scams like this are only becoming more prevalent. If you have been the victim of an SMS spoofing scam you should report whatever information you have to law enforcement as soon as possible.
Install Malware on the Device
You could receive a message that looks like it’s coming from a friend or person you trust. However, it includes a link, which then installs malware on your phone.
The malware can be installed without you really knowing, and will run in the background, and can steal information from any of the apps you’re opening while it’s installed.
Playing on People’s Generosity
With the amount of information available on Facebook, scammers can pretend to know people in your network, or use spoofing to actually try and be one of these people.
For example, someone pretending to be from a local charity, or church, and asking for donations via text message.
How to Protect Yourself From SMS Spoofing
When it comes to staying secure online and across all of your digital devices you must educate yourself on the risks that are out there.
It’s important to be aware of what’s going on in the cybersecurity realm, so you can keep yourself, your family, and your friends safe.
Here are a few tips that will help to protect you from being scammed via a fake SMS:
- Avoid clicking links that are sent via SMS. If your friend is texting you, you’ll probably have a good idea of their texting style. Text messages that are urging you to take very fast actions should be avoided and deleted.
- Don’t get fooled by offers that seem too good to be true. Especially, if it’s asking you to input too much personal information. Always exercise caution, especially if it’s coming from a brand you don’t remember giving your phone number to.
- Don’t click on password reset text messages, unless you just made that request and are expecting an SMS alert.
- Watch out for spoof SMS messages that are asking you to input your verification code, especially if you didn’t just request a password reset or start using another service that would require phone verification.
- Never respond to banks, cell phone service providers, or other companies via text. They’ll never ask you to respond to text messages with your personal details. If you do receive a text message and are unsure, you can always get in contact with the legitimate company in question.
- If the message has completely arrived out of the blue and you have no idea who the sender is, or who the name is, then delete the message immediately.
It’s also important that you never respond to these messages. If you engage this notifies the spammer that it’s a real number and they might spam you more aggressively.
You can also block the number on your phone, which will prevent you from receiving any further communication.
How Did They Get My Number?
There are several ways someone can obtain your number, some of them are even legal:
- They’ve purchased a list of legal numbers from a company that you have shared your details with and didn’t properly read the terms and conditions.
- They’ve purchased the list illegally from a company who has scraped the web for listed phone numbers.
- They use a random generator to generate strings of numbers (this is why it’s important never to respond to a spam/scam message)
- Automatic Number Identification (AIN) system, when you call a toll-free number your number can be captured and stored in a database.
These numbers then get put into SMS gateway software, which allows spammers to send out millions of text messages at once.
How Using a People Search Tool Can Help Prevent SMS Spoofing
Using a people search tool can be a great way to see if the number that’s contacting you is spoofed, or it’s a real person who just texted the wrong number.
You can use a reverse phone number lookup tool and see if any results come up. Often something that’s using a spoofing tool will try to hide the real number with a fake one that’s been generated.
This is done in scenarios where you’ll receive a text message or phone call from a number that’s from your local area code when in reality it’s a spam call from another part of the world.
If you do a reverse phone search and there are no results, then this should be a big red flag. You can even type the number into Google and see if there are a lot of spam results for the number.
By using a phone search tool you should receive information like the following if the number is legitimate.
A people search report should include the full name of the person that’s associated with that number. Including, other nicknames and aliases.
Phone Number History
If the phone number has been passed around a lot or is a landline number, then the report might include a past history of the number and people associated with it.
If the number is associated with an actual person, then you might get current or past location data. If you don’t recognize where this number is coming from, then it could be a scam, or simply the wrong number.
If the phone number is tied to an actual person, then you may be able to get in-depth background information about that person.
Most people search reports will provide a ton of background information, like:
- Education and job history
- Criminal record
- Social media profiles
- And more
How SMS Spoofing Works
With SMS spoofing, the person sending the message will be either hiding their identity or using a network to send a message pretending to be someone else entirely.
The reasons for doing SMS spoofing aren’t always negative, it depends on the person who’s sending the message in the first place and their reasons for doing so.
For example, a friend could be using an SMS spoofing service as a prank. Or, someone could be sp\ending a spoofed message for a more dangerous purpose.
There are online services that allow users to send spoofed text messages, but scammers who are doing SMS spoofing schemes will typically have a more robust network setup.
What’s an SMS Spoofing Service?
There are a ton of online services that allow people to send spoofed text messages, some allow you to use Android and iPhone apps.
If you want to send an anonymous SMS text, then you can use an SMS service to send spoofed messages.
All you need is the phone number of the person you want to contact. However, a lot of cellular providers are starting to ban these services, because they operate in a grey area and can be used for spam purposes.
Can Spoofing Ever Be Legitimate?
Yes, there is sort of a grey area. But, it depends on the sender. For example, text message marketing is an area of marketing that continues to grow in popularity.
In this case, you’ll have legitimately given your phone number to a company. They’ll send out regular alerts, or notifications of upcoming events like webinars. In this case, a company could change the name to the name of their company, so you’ll know what the notification is about, and won’t take it as a spam message.
Here are a few other additional legitimate uses of an SMS spoof:
Official Announcement Messages
Sometimes organizations that need to get in touch with a large number of people, they’ll use text messages as a way to deliver updates. For example, a cell carrier who is announcing a new plan.
They’ll use spoofing to replace the number with the name of their company, so you actually know who the sender is.
Bulk Messaging Messages
A bulk messaging service is a service that will send out SMS messages to multiple people at once over a computer network. Here they’ll use spoofing so you can identify who the sender is.
For example, if you signed up for a webinar or another online program, you might opt to get alerts via text message, so you don’t miss the event.
In this case, they’ll use spoofing, so you’ll recognize the name of the sender.
When Identity Protection is Important
In cases where protecting the identity of someone is of paramount importance, like a journalist protecting a source, or a whistleblowing event, then a spoofed SMS can be used to communicate anonymously.
Is Spoofing Always Malicious?
Not always. Sometimes spoofing can be nothing more than a harmless prank. It can be used for less ethical reasons, but on occasion, it can be used for fun, or even reasons where you feel more comfortable communicating in private.
Spoofing can also be used to protect your own identity in situations where you want to remain private, and don’t want your personal information to be given out, like:
- Communicating with Uber or Lyft drivers
- Communicating with someone that you’ve met online
- Selling items via Craigslist
- And more