Anatomy of a text message phishing scam
The growth of text-based phishing scams hit close to home for Axios last week when several employees got fake text messages claiming to be from company president and co-founder Roy Schwartz.
The big picture: We dug into the recent campaign targeting Axios employees to learn more about how these scams operate — especially as reports about text message scams are outpacing reports about email scams this year for the first time, per the Federal Trade Commission.
What's happening: Last Friday, several employees shared screenshots in a company Slack channel of the suspicious texts they had received.
- The messages targeted employees across the country and across departments, and each one was addressed to the specific individual.
- Several employees admitted in the Slack channel that they replied to the first message because it seemed legitimate — but so far, no one appears to have engaged with the scammers beyond that initial reply.
- At least one employee said they received the message twice in the week: one claiming to be from Roy and another pretending to be from CEO and co-founder Jim VandeHei.
- Not everyone received the message — neither I (a new employee) nor my editor (a veteran) did.
How it works: I showed the messages to Chester Wisniewski, a researcher at cybersecurity firm Sophos, and he immediately recognized them.
- The scam, he explains, aims to get people to buy gift cards and send back photos of the cards' barcodes. That provides scammers with free, hard-to-trace money.
- This scam has been running for years, but Wisniewski says this is the first example he's seen where the scammers targeted several employees at the same company at once.
- Scammers likely obtained previously leaked phone numbers and employment history about Axios employees and then automated the first text message to a portion of people on the list — which costs little to nothing to do, Wisniewski tells Axios.
- Once someone replied, a human would take over the conversation to make it more believable.
The intrigue: The messages started coming in shortly after Axios announced it was going to be acquired by Cox Enterprises.
- But Wisniewski doubts the scam was tied to the sale — if it had been, the first message would have mentioned the news to get employees engaged.
Threat level: The growth of text-based scams is part of a larger trend of hackers targeting people's phones instead of their email inboxes.
- Teenage hackers gained access to the Twitter accounts of former President Barack Obama, then-presidential candidate Joe Biden and several others in 2020 after calling Twitter employees, pretending to be fellow employees and asking for login credentials.
Be smart: If you receive a similar message or a phone call asking for sensitive company information, don't engage, and report the incident to your company's IT pros.