SMS phishers pivot to points, taxes, fake retailers

https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/

Comments

adriandDec 5, 2025, 12:10 AM
I’m super cautious with these messages like I’m sure we all are but on Monday I ordered a printer from Amazon. They said it would arrive on Wednesday. On Wednesday I was working from home and I got a text from “Purolator” saying they’d tried to deliver my package and failed. Shit! I’d been listening to beats too loud to hear the knock on the door! I ran outside to see if the delivery guy was still on my street. No one was around…and then I realized, damn, they got me (to dash outside, anyway).

These things can fail 99.99% of the time but when they land on someone at just the right moment, it’s so easy to just go on autopilot and do the dumb thing.

anitilDec 5, 2025, 1:45 AM
I had an issue on the toll payment device on my car, so I was expecting some 'pay now or you get a fine' message. I got one on my phone, but when I logged in directly to the toll company website my account was in the green. I was _so_ close to following the link I just got lucky that I prefer using my laptop for admin rather than my phone.
donmcronaldDec 5, 2025, 1:50 AM
Anecdotally, I swear I see an increase in those messages when I have a package on the way. It seems like too much to be a coincidence.
zzyzxdDec 5, 2025, 2:01 AM
Exactly. Once I was connecting to my VPN in AWS and was totally prepared for 90% of the websites to throw human verification at me. Then a faked cloudflare one almost got me. It was 3AM and my brain was barely functioning. (it didn't work, only because it instructed me to run a PowerShell command and I was on macOS).
SoftTalkerDec 5, 2025, 1:16 AM
Yep when a scam randomly aligns with something you’re expecting it’s much easier to fall into the trap.
s_kierkegaardDec 4, 2025, 11:52 PM
This type of stuff is diabolical for old folks who just weren't inoculated to these scams. I feel terrible for them. Get calls often asking me to help interpret.
Terr_Dec 5, 2025, 1:35 AM
A few weeks ago I told them: "I will never be offended or hurt if you ask suspicious questions to check my identify if I suddenly need sketchy wire-transfers or a pile of Amazon gift cards."

Sometimes the best way to defang scams is to attack the social-factors and artificial-urgency they try to exploit.

In a similar vein, no legitimate institution should ever act punitively if you tell them that you're going to call them back through their official number/e-mail/site only.

SoftTalkerDec 5, 2025, 12:06 AM
Keep it very simple: never give an SMS authentication code to anyone on a phone call, in response to a text message or email, or as part of any checkout or purchase. They are only to be used when logging in to an online account. Anything else is a scam.

Even that may be too complicated, now that I read it back.

asnyderDec 5, 2025, 12:41 AM
Unfortunately there are many companies that actually rely on SMS confirmation codes in real-time, which include reading it back to them.

A legitimate and generally well liked company, and its real helpful service representative used this method to verify my identify before they could finish their support effort.

bobbiechenDec 5, 2025, 1:48 AM
I got this interesting pair of messages from Schwab recently - not sure if any other companies do this

On login:

Schwab Watch out for scams. DON'T share this security code with anyone, EVEN IF THEY CLAIM to be from Schwab. Your code for online login is XXXXXX

And then on a later phone call with an agent:

Schwab: XXXXXX is your Schwab security code to confirm your identity with the agent.

This is a nice touch, though I'm not sure how much it would help in a real scam situation for say, my grandma.

rolphDec 5, 2025, 12:52 AM
yeah someone that gets paid a lot needs to talk to someone whos pay depends on implementing that IT consultants directives.

relaying security codes by voice is how the bad guys do it, dont train your users to think its normal.

its probably not a bright idea to have your phones camera pointed at your screen while 2FA-ing or password resetting, or else someone will watch you login, and will see your codes, and use automation to authenticate with your digits faster than you can move a cursor and click.

SoftTalkerDec 5, 2025, 1:01 AM
Probably safe if you call them at a well-published number. If they call you, absolutely not.
toast0Dec 5, 2025, 1:24 AM
> or as part of any checkout or purchase.

Hope you don't have to do 3D-Secure for a purchase, I guess.

SoftTalkerDec 5, 2025, 4:43 AM
Never had to do more than CC# and 3-digit security code on the back for an online purchase.
nharadaDec 5, 2025, 1:04 AM
I think we're at the point where both phone and SMS are such insecure and easily spoofed channels that we should basically not be using them for anything related to business or money. Maybe even for communication, given how easily scammers can fake a loved ones voice and phone number.
toast0Dec 5, 2025, 1:23 AM
The screenshots don't show spoofed SMS. Who is going to spoof a +212 or a +27 phone number when sending to the US. It's not that easy to get spoofed SMS to the US anymore. But it doesn't matter if sending from an international number works just fine. Same thing with email, but often worse ... DMARC makes it hard to spoof email, but most email clients only show sender name and not sender address, so it doesn't matter.

Phone call caller ID is getting harder to spoof, with stir/shaken, but I'm not sure that's fully rolled out either... and calls from a 'random' number still get answered, so spoofing isn't needed for normal scams.

charcircuitDec 5, 2025, 12:31 AM
Why don't Google and Apple adopt passcodes to avoid this scam from working? Their operating systems already support passcodes.
ianburrellDec 5, 2025, 1:22 AM
What do you mean? How would passcodes help phishing?

The solution is passkeys, which prevent phishing and more secure than passwords. I like how they replace SMS codes. But they are a pain to use and not that many sites support them. Every site that does 2FA should support them.

charcircuitDec 5, 2025, 11:11 AM
Yes, I meant passkeys.