By Scott Sykes, CISO, Asurity

Scam texts have grown more popular with cybercriminals in recent years as consumers have shifted away from traditional email and laptops and are instead doing more with their phones. 

Let’s take a look at a common text scam that has been popular lately.

Here is an example of a very convincing text scam.

Notice the 3 red flags:

1. It’s creating a sense of urgency. Always take a step back when you feel pressure to “act now”.
   1.  “Must settle within the next 12 hours”. 
   2. “This is your final notice”.
   3. “Pay Now:”
   4. “This is your last opportunity”
2. The sender’s address is edao66@icloud......... Always pay attention to the sender’s identity. This certainly is not an ID that would be associated with the EZPass service.
3. Notice the clever link, https://ezpassva.com-wjtq.win/us.  It’s written to make you think it’s an ezpassva.com web address. But look carefully. The domain is actually “.win” with a subdomain of “.com-wjtq”.  The “/us” is a path indicator that is just thrown in to help make it look more authentic. There is no telling what kind of website this fake url will land you. It’s best to steer clear of it.

Scammers often use shortened web addresses (URLs) that look harmless but secretly redirect you to malicious websites. For instance, a link starting with "tinyurl.com". Detecting these fake links in text messages is especially difficult because, unlike in emails, you usually can't hover your mouse over the link to see the real web address before clicking.

In 2024, the FTC reported that package-delivery scams were the most common text scams. Cybercriminals impersonate shipping companies (like UPS or FedEx) or major retailers (like Amazon), falsely claiming delivery issues (e.g., payment or address problems). Other prevalent text scams included fake job offers, bogus credit fraud alerts, and unpaid toll scams as illustrated above.

Regardless of the scammer's pitch, the end goal is always to get the target to hand over money or cryptocurrency, banking or credit card information, login credentials for online accounts or personal data like their Social Security number.

Follow These Two Simple Rules to Avoid Scams:

1. Never Click on Links in Unexpected Texts: Even if a text message appears to be from your bank or a familiar business, don't tap the link. Instead, visit the company's official website directly through your browser or app.
2. If You Didn't Start It, Don't Share: If someone contacts you (by phone, text, or email) and you didn't initiate the interaction, do not give them any personal information. Always reach out to the company or service through their official contact methods that you know are genuine, rather than trusting unsolicited requests.