Aug 26, 2022 - Technology

Anatomy of a text message phishing scam

A compilation of text messages from a text phishing scam
Screenshots of scam texts sent to Axios employees. Illustration: Annelise Capossela/Axios

The growth of text-based phishing scams hit close to home for Axios last week when several employees got fake text messages claiming to be from company president and co-founder Roy Schwartz.

The big picture: We dug into the recent campaign targeting Axios employees to learn more about how these scams operate — especially as reports about text message scams continue to outpace reports about email scams this year for the first time, per the Federal Trade Commission.

What's happening: Last Friday, several employees shared screenshots in a company Slack channel of the suspicious texts they had received.

  • The messages targeted employees across the country and across departments, and each one was addressed to the specific individual.
  • Several employees admitted in the Slack channel that they replied to the first message because it seemed legitimate — but so far, no one appears to have engaged with the scammers beyond that initial reply.
  • At least one employee said they received the message twice in the week: One from Roy and another pretending to be CEO and co-founder Jim VandeHei.
  • Not everyone received the message — neither I (a new employee) nor my editor (a veteran) did.

How it works: I showed the messages to Chester Wisniewski, a researcher at cybersecurity firm Sophos, and he immediately recognized them.

  • The scam, he explains, aims to get people to buy gift cards and send back photos of the cards' barcodes. That provides scammers with free, hard-to-trace money.
  • This scam has been running for years, but Wisniewski says this is the first example he's seen where the scammers targeted several employees at the same company at once.
  • Scammers likely obtained previously leaked phone numbers and employment history about Axios employees and then automated the first text message to a portion of people on the list — which costs little to nothing to do, Wisniewski tells Axios.
  • Once someone replied, a human would take over the conversation to make it more believable.

The intrigue: The messages started coming in shortly after Axios announced it was going to be acquired by Cox Enterprises.

  • But Wisniewski doubts the scam was tied to the sale — if it had been, the first message would have mentioned the news to get employees engaged.

Threat level: The growth of text-based scams is part of a larger trend of hackers targeting people's phones instead of their email inboxes.

  • Teenage hackers gained access to the Twitter accounts of former President Barack Obama, then-presidential candidate Joe Biden and several others in 2020 after calling Twitter employees, pretending to be fellow employees and asking for login credentials.

Be smart: If you receive a similar message or a phone call asking for sensitive company information, don't engage and report the incident to your company's IT pros.

Go deeper