by Herb Weisbaum, The ConsumerMan

Last updated September 22, 2023

Like everyone else, I am bombarded with spam text messages sent by fraudsters: fake notices about package delivery problems; bank, credit card, and PayPal security warnings; Amazon purchases; plus bogus prize notices, job offers, and subscription renewals.

Listen to audio highlights of the story below:

Spam texts have become so common that it’s easy for me to spot them. But I couldn’t ignore several texts I received recently because they were strangely different.

The messages appeared to be sent from an email address, rather than a random phone number. This first, which was made to look like it was from the IRS, offered me a way to advance my career with a virtual job.

Two other scam texts, also using an email address rather than a phone number, tried to impersonate Bank of America. Notice the crooks substituted an “L” for the “i” in “America.” These messages referenced bogus debit card payments of $521.99 and $572.99.

Cybercriminals are using email to send texts to circumvent spam filters. They’re also hoping this different format will make their spam stand out from the flood of bogus messages.

“We’re all so busy throughout the day looking at our phones, so if a text comes in and we just see a random phone number, we might not pay attention to it,” said Amy Nofziger, director of victim support at the AARP Fraud Watch Network. “But if we see it has an email address attached to it, we’re more likely to sit down, look at it, and pay a little more attention to it.”

So, How Are the Spammers Doing This?

According to digital security expert Aaron Foss, creator of NOMOROBO, a well-known robocall and spam text-blocking service, criminals are using a “backdoor” created by phone companies decades ago, called “an email gateway.”

Every mobile phone number has an email address associated with it, assigned by the carriers when the account is created, Foss explained. If an email is sent using that gateway, it gets converted into a text message. The recipient sees a spoofed email address made to look like a well-known company or trusted government agency.

“There are legitimate reasons for using this email gateway, but now the criminals are sneaking in through the backdoor to evade spam filters and make their phishing attempts look legitimate,” Foss told Checkbook. “They’re looking for any advantage they can get to steal your money or your identity.”

Foss would like to see the phone companies shut down the old email gateways.

“It’s just this onramp for criminals, because all the safeguards that have been put in place in the past 10 years to stop spam text messages go out the window when the bad guys use these email gateways,” Foss said.

Clicking the Link Takes You Down a Rabbit Hole

I asked Foss to follow the links embedded with the spam texts I received. The phony IRS text took him to a fake IRS website created by the identity thieves. It offered a “chance” to apply for a tax refund payment of $1,400 a week or a one-time payment of $38,700. And, no surprise, the website asked for personal information, including my Social Security number.

The links on the bogus Bank of America notifications took Foss to a copycat website created by the crooks to steal log-in credentials.

Protect Yourself

The IRS does not send texts or email messages. When the agency needs to contact taxpayers, it sends letters via the U.S. Mail.

Financial institutions and credit card companies do send electronic communications, but they will never request your personal information.

The safest way to respond to an unexpected text or email alert, whether it’s from a bank, credit union, credit card company, shipping service (FedEx, UPS, U.S. Postal Service), or retailer is to log into your account (if you have one) or contact the company using a phone number you know is legitimate. Don’t call a number included in the text message.

New Advice

For years, we’ve been told a website with a secure connection (“https” in the URL or a “lock” symbol next to it) is more trustworthy. Most criminals, we were told, don’t bother to get security certification. But times have changed.

“That old advice that you can trust a site if you see the lock in the address bar is completely wrong nowadays,” Foss told Checkbook.

The bogus Bank of America he visited to help us with this story used a secure connection.

 “If you’ve landed on a site created by a scammer, the lock simply means the connection between your computer and the criminal’s computer is secure. It doesn’t guarantee the site is for real,” he warned.

The U.S. PIRG Education Fund has a list of the top text message scams of 2022.

More from Checkbook:

Checkbook’s Consumerpedia podcasts:

 

Become a Smarter Consumer Get free, expert advice delivered to your inbox every Wednesday when you sign up for the Weekly Checklist newsletter.

 

Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.