Smishing is probably the cutest name for a cybersecurity attack I’ve ever heard, but that doesn’t make it any less dangerous. It’s clear to me that we’re not talking enough about this mash-up of text messaging and phishing or educating people on how to spot and respond to it.
Over the past few months, I have been the target of several aggressive smishing attacks that could be classified as a “long lost friend or acquaintance.”
These social engineering phishing attempts invariably come from various unknown phone numbers via a standard green text message on my iPhone 15 Pro Max, usually with a short, friendly, and curious message.
They come up with names like Mia, Diana, and Alyssa. Usually they claim that we’ve met before. Mia told me she found my number in her address book, which implied that we’d met, perhaps at an event, and exchanged contact information. I meet a lot of people in my field, but I rarely give out my phone number. In fact, I don’t even carry business cards. I tell people to Google me, and they’ll know how to contact me soon enough.
Sometimes these smishers pretend we’re passing each other in the hallway, and out of an abundance of politeness they introduce themselves and want to know my name. That was the approach taken by Diana, who texted me, “My name is Diana. What’s your name?”
I see you coming
My scam detection alert system is probably set higher than most people’s, so I don’t fall for these types of lures. That said, I’m not so much interested in what they want (my personal information, including bank account and social security numbers) as in how they want to get it.
Yet my irritation level is so high that I rarely respond in a way that leaves the door open for further communication. To Diana I said, “You texted me. If you don’t know, we have nothing to talk about.”
Diana was undeterred and told me she didn’t know either. She wrote, “I saw this number when I was going through my address book (as you do, I guess), but there was no name. Have we had any business conversations before?”
Still grumpy, I replied, “I have no idea. I don’t know who you are.” This led to the best part: a photo of Diana with the message, “Now you know who I am.”
The image of a woman of Asian descent appears to be a combination of a real person with an AI-generated head sitting in an inconspicuous and carefully cropped location. What’s particularly funny about this is that if you string any of these people along far enough, they all produce images that are strikingly similar in some ways: all young, suitably dressed Asian women in utterly banal settings.
I replied to Diana, “No, that doesn’t ring a bell.” Diana, however, was adamant: “What’s your name? Maybe you can share a photo with me.” When I didn’t respond, Diana sent a “Hello.” Days later, I responded with a photo that had been sent to me by another smisher. Diana took a while, but eventually said I looked Chinese and called me a “beautiful lady.”
She eventually asked me in Chinese to add her as a WeChat contact. Another smisher I kept on stringing along also eventually lapsed into Chinese when he asked to see a photo of me.
A growing problem
While the whole thing seems funny, there are some pretty big risks associated with dealing with these people. A 2022 FTC study found that spam text message attacks cause $330 million in losses. Of course, that number is likely much higher now. And while spam messages from fake banks, fake Social Security, fake FBI, and fake Amazon may be easier to spot because of the phone numbers they ask you to call and links they want you to follow, these new “connection smishes” may be even more devious, and ultimately more dangerous. They play on people’s loneliness, poor memory, civility, and need for connection.
It doesn’t escape my attention that all of these smish attacks seem to be coming from women, and the images are of young and relatively attractive people. It’s almost a text-based form of catfishing. If someone can break through and convince you to actually connect with a Diana, Mia, or Alyssa, you may soon be sending them money to help pay their bills while you both make plans to “meet in real life” sometime in the distant future.
What should you do?
Cell phone companies can help you block certain spam messages and, as Verizon notes, automatically block billions of spam text messages before you even see them. Yet they seem less effective at blocking this kind of smishing activity. In the US, you can also report them to the Federal Trade Commission, but because they usually use temporary or spoofed phone numbers, there’s little the FTC can do about it. That means it’s up to you.
I understand that it’s not always easy to tell the difference between a real friend or contact who is just reaching out and one of these attackers. When Alyssa reached out to me, the first message was a playful “Guess who I am😆.”
“No idea,” I replied, wondering if this was a friend I just hadn’t marked with a name in my address book.
“I’m Alyssa, have you forgotten me?”
This gave me pause. I know an Alyssa who I haven’t chatted with in ages. Could it be her?
“Alyssa? Alyssa who?” I asked. (Another sign of this kind of scam is how long it takes the middle-aged, bloated guy sitting in a basement outside Beijing, China, to come up with the perfect text message response.)
The next message eventually appeared with a photo of a young Asian woman sitting next to a bouquet: “We exchanged numbers earlier at the reception. Have you forgotten me?”
The scammer hopes that I will think of an event I recently attended and then rack my brain trying to figure out who I spoke to and whether one of them was “Alyssa.”
In situations like this and other scams, it’s best to keep the interaction to a minimum. If they know you, it will be obvious; otherwise, every bit of the conversation will miss crucial information as the scammer tries to get you to divulge personal details. One of them asked me where I lived, as if I were going to give them my home address.
The other action you can take is to click the info button next to the phone number and block the caller. This will end the conversation, or at least that conversation, immediately. Unfortunately, you will probably get more of these smishing attempts. All I can tell you is to reiterate that you should not respond and should block the number, and perhaps tell your friends and family members to do the same.