Smishing is probably the cutest name for a cybersecurity attack I’ve ever heard, but that doesn’t make it any less dangerous. I realize we don’t talk enough about this mashup of SMS messaging and phishing, and we don’t educate people enough about how to spot and respond to it.
Over the past few months, I have been the target of several aggressive smishing attacks that could be classified as “long-lost friend or acquaintance.”
These social engineering phishing attempts invariably come from various unknown phone numbers via standard green speech bubble SMS on my iPhone 15 Pro Max, usually with a short, friendly and curious message.
They come with names like Mia, Diana and Alyssa. They usually claim we’ve met before. Mia told me she found my number in her address book, which suggests we may have met at an event and exchanged contact information. I get to know a lot of people in my job, but I rarely give out my phone number. In fact, I don’t even carry business cards. I tell people to google me and they’ll quickly find out how to reach me.
Sometimes these smishers act like we just met in the hallway and, out of exaggerated politeness, they introduce themselves and ask my name. That was the approach of Diana, who texted me: “My name is Diana. What’s your name?”
I see you coming
My fraud detection system is probably set higher than most people’s, so I don’t fall for these bait-and-switch offers. However, I’m not so much interested in what they want (my personal information, including bank account and social security numbers) as in how they plan to get it.
Still, my anger is so great that I rarely respond in a way that leaves the door open for further communication. With Diana, I replied, “You sent me a text message. If you don’t know, we have nothing to talk about.”
Diana was undeterred and told me she didn’t know either. She wrote: “I saw this number when I was looking through my address book (as one does, I suppose), but there was no name. Have we had any business conversations before?”
Still grumpy, I replied, “I don’t know. I don’t know who you are.” That led to the best part: a photo of Diana with the message, “Now you know who I am.”
The image of a woman of Asian descent appears to be a combination of a real person and an artificial intelligence-generated head, sitting in an inconspicuous and carefully cropped spot. What’s particularly funny about this is that if you line these people up long enough, they all produce images that are strikingly similar in some ways: all of them show young, appropriately dressed Asian women in completely mundane settings.
I replied to Diana, “Nope, it doesn’t mean anything to me.” Diana persisted, however, saying, “What’s your name? Maybe you can send me a photo.” When I didn’t respond, Diana sent a “Hi.” Days later, I responded with a photo that another smisher had sent me. Diana took a while, but eventually said I looked Chinese and called me a “beautiful woman.”
Eventually, she asked me in Chinese to add her as a WeChat contact. Another smisher I had been stringing along also ended up speaking in Chinese when he asked to see a picture of me.
A growing problem
While the whole thing seems comical, dealing with these people comes with some pretty serious risks. A 2022 FTC study found that text-based spam attacks cause $330 million in losses. Of course, that number is likely much higher now. And while spam texts from fake banks, fake Social Security, fake FBIs, and fake Amazons may be easier to spot because they ask you to call a phone number or follow a link, these new “connection smishes” could be more diabolical and ultimately dangerous. They play on people’s loneliness, bad memories, politeness, and need for connection.
It hasn’t escaped me that all of these smish attacks seem to be coming from women, and that the images are of young and relatively attractive people. It’s almost a form of catfishing via text. If someone manages to convince you to really connect with Diana, Mia, or Alyssa, you might find yourself transferring money to them soon to help them pay their bills, while the two of you make plans to “meet in person” sometime in the distant future.
What to do
Cell phone carriers can help you block some spam texts. As Verizon notes, they automatically block billions of spam texts before you even see them. Still, they seem to be less effective at blocking this type of smishing activity. In the US, you can also report them to the Federal Trade Commission, but since they mostly use temporary or fake phone numbers, there’s little the FTC can do. That said, it’s up to you.
I understand that it is not always easy to distinguish between a real friend or contact who randomly reaches out and one of these attackers. When Alyssa contacted me, the first message was a playful “Guess who I am😆.”
“I don’t know,” I replied, wondering if this was a friend I simply hadn’t marked with a name in my address book.
“I’m Alyssa, have you forgotten me?”
That got me thinking. I know an Alyssa who I haven’t chatted to in ages. Could it be her?
“Alyssa? Alyssa who?” I asked. (Another telltale sign of these scams is how long it takes the bloated, middle-aged guy to come up with the perfect text message response.)
The next message finally appeared with a photo of a young Asian woman sitting next to a bouquet of flowers: “We already exchanged numbers at the reception. Have you forgotten me?”
The scammers hope that I will think of an event I recently attended and then rack my brain about who I spoke to and if any of them were “Alyssa.”
In situations like this and other scams, it’s best to keep interaction to a minimum. If they know you, it will be obvious to you; otherwise, every part of the conversation will be missing important information as the scammer does their best to get you to give out all sorts of personal information. One of them asked me where I live, as if I was going to give my home address.
You can also click the info button next to the phone number and block the caller. This will end the call, or at least this one, immediately. Unfortunately, you will probably experience more such smishing attempts. My only advice is to keep not responding and blocking the callers, and maybe tell your friends and relatives to do the same.