NOTE: We've been hearing rumors that these "package is waiting for you" text messages are somehow connected to human trafficking. They are not. They're just a regular old phishing scam.
In the most recent chapter in the annals of SMS phishing scams, aka "smishing," we have the saga of the fake Apple iPhone 12 giveaway.
Sophos' Paul Ducklin (opens in new tab), an information-security luminary in his own right, wrote about this smishing attempt recently on his employer's Naked Security blog. It seems someone on the Sophos team got a text message stating that a package for them — actually, someone with a different name — was waiting for them to pick it up.
- New iPhone 12 release date, price, specs and leaks
- The best password managers to keep your online accounts safe
- Plus: Want protection for cheap? See if a free iPhone VPN has you covered
Ducklin walks the reader through the scam, from the first click on the link in the SMS message, to a website where a phony chatbot says that you have been selected to get a free Apple iPhone 12, to the survey you have to take, and finally to the point where you can "claim" the iPhone reward.
But of course, you'll have to provide an email address, password and credit-card number first. And, of course, the iPhone 12 doesn't yet officially exist. It likely won't be announced by Apple until mid-October.
Sound familiar? We've been getting these texts too, along with a whole lot of others touting fake Viagra and CBD oil. In fact, the screenshots on this page are not from Sophos, but from your correspondent's own phone. (Our particular scammer couldn't seem to decide whether we were supposed to get an iPhone 11, 11 Pro or Xs.)
The lure of a new iPhone isn't that alluring to me, as I'm an Android fan, but going through the steps of this scam is a fun little exercise. Ultimately, this is just a phishing scam that wants to harvest your username, password and credit-card information.
You may wonder for which online service the username and password the username are supposed to be for. The answer is that it doesn't really matter.
So many people (yes, we've all done it) reuse passwords for so many different websites that almost any username-password combination is bound to be useful to crooks. To avoid becoming the latest victim, be sure to use one of the best password managers.
These miscreants feed the phished credentials into automated "credential stuffing" algorithms that hammer websites like Facebook, Google or PayPal with thousands of credentials an hour. They're bound to get into more than a few times.
So how do you protect yourself from such (frankly obvious) scams? First, remember that if it sounds too good to be true, then by dadgum, it is.
Second, never give away any passwords or credit card numbers to any website that you are brought to by a text message or instant message. Would you give the same information to a random stranger who stopped you in the street?
You can't really stop these scam texts, unfortunately. The numbers they're texted from aren't real, and blocking the numbers will do no good. All you can do is not respond to them and hope the scammers move on to greener pastures.