Watch Out: This Verizon Smishing Scam Is Crazy Realistic

A Slashdot reader shared a warning from the editor-in-chief at How-To Geek about a "shockingly convincing" scam: The scam text message says, "Your Verizon account security needs validation" and invites you to tap a link to "validate your account." Once you do, you end up at a phishing website that looks almost exactly like Verizon's real website. The fake website asks for your My Verizon mobile number or user ID and password. After you provide those, it'll ask for your account PIN. Finally, it requests all your personal details to "identify yourself."

For smishing scams, this is convincing work. The website looks real and authentic — if you don't look too hard at the address, which isn't actually Verizon's actual website... At the end of the process, the phishing website thanks you for providing your information and "redirects you to the home page." For maximum deception, the phishing website actually redirects you to Verizon's real website at the end of the process. If you don't look too close, you might be deceived into thinking you were on Verizon's website the whole time.

What's the game? We didn't provide real Verizon account details, so we can't say for sure. The scammer will probably try to take over your Verizon account, order smartphones on credit, and stick you with the bill.

Smishing? What is that?

[Anonymous Coward]

As we realize each and everyone of us is Shakespeare, we make up words for the article, and hair raises on our arms at the awe inspiring moment of self-realization. And then our leg hairs rise thereafter realizing that we--the editors--now hold the keys to so much information as the audience scratches its head and clicks away to our competitors.

~EditorDavid~

Re:Smishing? What is that?

[Opportunist]

Sounds like a fairly cromulent word.

Re:

[freeze128]

It's similar to a "Man in the Smiddle" attack.

Re:

[HiThere]

https: //searchmobilecomputing.techtarget.com/definition/SMiShing https://searchmobilecomputing.... [techtarget.com]

Re:Smishing? What is that?

[dgatwood]

Stop trying to make "SMiShing" happen. I mean, the site is totally fetch, but whatevs.

Re:

[Malays Bowman]

I never heard of that word either, and reading the summary, this loos like another *PH*ishng scam. I know it's cool to make up words, but not when you have people wondering what the fuck you are talking about.

Just discovered phishing?

[Bobrick]

Right from the start, there's nothing "realistic" about receiving such a message and having to click such a link. Sounds like the reporter just discovered phishing. And this part: "The website looks real and authentic — if you don't look too hard at the address, which isn't actually Verizon's actual website..." what a fucking moron. Big news right here!

Re:Just discovered phishing?

[transporter_ii]

> if you don't look too hard at the address, which isn't actually Verizon's actual website

Yeah, and welcome to the mobile world, where the URL is now mostly hidden. And google, which wants it hid on the desktop, too.

I have a long history of loving tech, but I find myself increasingly irritated by tablets and phones. If I had to work on a tablet all day long, I would chunk it across the room and go to work for a garbage company.

I'm not real hot on even being asked to make things mobile friendly. Everyone always goes to the desktop version, anyway. It's mostly a waste of my time. Mostly.

Re:

[Darinbob]

Anyone doing any sort of financial transaction on a mobile device is already being dangerously insecure. If you even remotely care about your money, then take the time to use your computer or visit the other party in person.

Re:

[mattyj]

Please explain (and cite references) on why a computer is somehow more secure than a mobile device.

Re:

[Darinbob]

You can mouse over URLs for one. Add some secure plugins to turn off scripting. Etc.

Re:

[Malays Bowman]

"Anyone doing any sort of financial transaction on a mobile device is already being dangerously insecure. If you even remotely care about your money, then take the time to use your computer or visit the other party in person."

I trust my phone more than my computer for this, and I refrain from installing HotBoobiesCandySmash.apk on my device. Still I feel like I am living on the edge because of the endless possible device exploits and man in the middle attacks.

Re:

[vbdasc]

I refrain from installing HotBoobiesCandySmash.apk on my device.

Please explain how does this protect from phishing.

Re:

[Anonymous Coward]

Yeah, we'll need screenshots...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[rew]

With a clever "google hack" you can get your website with contact info to apear above the real results.

Someone went into the FBI and told them: I hacked the FBI's phone system. No you didn't that's impossible.
Well, just call their public phone number and I'll show you. So the guy looks up the public phone number, calls the number and is greeted by the real receptionist. But the guy had set up a call forwarding with recording at the "inserted" fake number....

Re:

[antdude]

Yep. I can't stand touch and small screens like on tablets. Give me an old fasuion computer even if it is a very old slow netbook!

Re:

[Malays Bowman]

It does not help that Unicode can be used to make a URL look like something it's not, or that and I and an l (eye and el) looks almost exactly the same in popular type faces. I had to look very closely and study the glyphs to tell the difference between the two as I am writing this post! If you have less than perfect vision, forget about it.

Re:

[Mashiki]

Can't wait for them to discover SIM-swapping thefts. Then they might actually be onto something new and exciting.

Re:

[Bite The Pillow]

Here's why you're wrong:

https://www.theguardian.com/te... [theguardian.com]

And here's why you're ignorant: People don't see the world the way you do. You need to understand that, and how they interact with their world, which is not your world. People don't know what a url is or why it is important. It's just noise, and browser makers are just reducing the noise.

Remember AOL keywords? We might need something like that to help the unwashed masses.

Re:

[fermion]

For the casual user, with limited critical thinking skills, these emails are effective, especially as a fraction percent of success is enough. This is why the fake virus ads are still prevalent

The old scams are often the best, and reminds the newbies that they still work is useful. It is easier than ever to clone a site, get a domain, .

Re:

[Jane Q. Public]

While you and "Bite the Pillow" are correct, as far as that goes, as a society we really need to concentrate on teaching these minimal skills to "everyday people" so they don't get lost or exploited in this digital age.

Things like detecting phishing, scanning for malware, and using https (and why) are all important skills today.

While I am sure there are people around who would be unable to grasp the fundamentals, I think that's a small minority. The vast majority of people should be able to learn thes

Re:

[Bite The Pillow]

There's too many people using "tribal knowledge", where kids learn from other kids and they just do what they have always done. There is no way to reach everyone.

Make URL parsing part of the standard curriculum in every country? With homework assignments to teach tour parents? There's no solution. My employer has mandatory training on the subject, but it is selective about its employees. Most employers won't. It's not solvable.

Re: Just discovered phishing?

[sectokia]

Even if there is...: just learn how to read urls....

Re:

[tlhIngan]

And this is where a password manager helps.

After all, if you go to a website and it asks for your ID and password, the damn thing should be auto-filled for you. If it isn't, then something is screwy. (And of course, the annoyance of having to go to your password manager and look up the password manually should be a trigger that something is wrong).

But I suppose the other thing is how we're losing touch with "the old ways" - if your account is locked for suspicious activity, most providers will try about a b

Re:

[The New Guy 2.0]

Ever since I signed for cable-requiring Roku channels, Xfinity keeps sending me texts with a code number every time Roku needs to verify I still have service.

Did the writer never use online banking?

[Opportunist]

Because if that's news to Verizon, they have been living in a very sheltered universe. That's basically the staple of online banking scams and has been for decades.

Re:

[The New Guy 2.0]

Banks have serious lawyer departments and day-to-day updates in Quicken or Mint... Verizon on the other hand doesn't have as many safeguards. Seems like they to block the bad user, and enforce anti-scam measures a little more.

Remember, back in the day, official messages on Prodigy and AOL had the company logo next to them.

Re:

[Opportunist]

Banks also have pretty well staffed and funded security department.

Indeed, it's the only place I EVER have worked in where "it's for security" is a surefire way to get anything approved. Ponder for a moment what people would do if they get to hear time and again that Bank X has been the successful target of security breaches with all of their personal info exposed.

in other geeky news...

[GillBates0]

my poops all runny today

perhaps for medical geeks

yawn

Raising the price of .COM

[OrangeTide]

Yet we'll still have phishing websites with plausible sounding domain names.

It's only crazy realistic

[Rosco P. Coltrane]

for those who don't know you shouldn't click on links in emails. All the others know it's a scam and discard the message.

First time encounter

[WoodstockJeff]

Most people seem to think that phishing emails are easily detectable, probably because they've only seen the worst of them, when their friends send them, "Can you believe people fall for THIS?!?" screen shots.

The local college sent out a real notification of required training, after announcing they would be repeating their previous phishing email "test". I returned it to their security department with a list of "phishing flags" it contained, ending with a declaration that we were to visit a non-college site and enter our college credentials when prompted.

When they got around to sending the "sample phishing email", it was SO poorly done that, yes, if anyone fell for it, they were far too trusting of internet.

For a decade, the half-way decent phishing emails have duplicated the look and feel of their targets, right down to using the logos directly from the real sites. It's not new, unless you weren't paying attention before.

Identity theft as the real cost of email?

[shanen]

Can't even decide if you deserve an Insightful mod for that comment. Certainly more substantive than the other mention of email, but overall not too clear.

The summary on Slashdot is clearly lacking in insight. Seems quite obvious to me that taking over a Verizon account has little to no value in comparison to the value of identity theft. The validation of such an account is merely a convenient one-stop shop for collecting the useful data.

My take on the problem is that "free email" has become quite cancerous

Re:

[WoodstockJeff]

My original comment shouldn't be "insightful". But I don't think /. has a "Captain Obvious" ranking to apply to it.

But yes, the real value to taking control of an email account is what you can do afterward.

The users who fall for it probably fall into the "credential re-use" mindset, so you can take over other accounts. If they use their email address on accounts where they did NOT re-use credentials, you can confirm a "reset password" request faster than the original owner.

My approach to all of that is that

Re:

[shanen]

You are changing the direction of the discussion in yet another direction. I was just trying to to go more broadly with phishing in general and then upwards to the broken economics.

As it applies to the original story, the threat you are discussing now would be affecting people who use their Verizon password in other places, possibly including for their email account. However, that is a general threat for all phishing scams. The unusual aspect of this particular threat is simply that so many potential victim

Re:

[vbdasc]

My take on the problem is that "free email" has become quite cancerous.

Free email still plays an important role for many people. And it isn't Free email's fault that some people have come to depend too much on email for their security needs while being gullible and inept. And also it isn't Free email's fault that some "innovative" and "courageous" internet software developers are dumbing down their email and web client software by removing things which the dumb user doesn't need or understand, like the ability to easily see what URL you've just opened in the browser.

Re:

[Retired ICS]

How do you put a logo on an e-mail message?

Oh, you are talking about Web Pages over SMTP, not e-mail. Sorry, carry on.

what year is this?

[EkriirkE]

Wtf is smishing, what happened to phishing? Copies of official websites have always been the defacto phishing method. Duh?

Re:

[tsqr]

According to this, [webopedia.com] Short for SMS Phishing, smishing is a variant of phishing email scams that instead utilizes Short Message Service (SMS) systems to send bogus text messages. So if it's in an email message, it's not smishing. The author got it wrong. What a shock.

What is the point of these terms?

[BAReFO0t]

By extension, using the same "logic", we could legitimately call all "smishing" that starts with "hello" by the new special term "hellishing".
Nobody knows why. Nobody knows how it matters, what the point is, over just calling it "phishing", but aren't we fancy! Much better than you troglodytes that don't use that word we recently made up to revel in our own imaginary superiority!

Signed, S. Nob van Snobson, Lord of Snobchestershire (pronounced Shobshurr, cause we're just /that/ superior!)

Re:

[Paradise Pete]

Nobody knows how it matters, what the point is, over just calling it "phishing", but aren't we fancy!

You seem quite comfortable with the word "phishing", which itself is relatively new and one can imagine quite a few other people saying the same thing about that.

Re:

[Retired ICS]

Isn't "phishing" what males do when hunting for a female to fuck?

Re:

[Paradise Pete]

So if it's in an email message, it's not smishing. The author got it wrong. What a shock.

In the article it originated with an SMS, so the author wasn't wrong about that. However, the author also seems to be impressed by "Like a real account sign-in page, it even checks the information you’re entering. If you leave your name blank, it’ll ask you to enter a name before you continue."

Holy crap that's some high-level deviousness.

Re:

[Aighearach]

Wtf is smishing, what happened to phishing?

It is just the reason the author doesn't understand security. He thinks it is sometimes OK to click on shit, depending where he thinks it came from. So things end up with different words.

If you understand not to click on links, then it all makes sense because it is all the same and it only needs one word.

No, there is a dead giveaway

[Anonymous Coward]

'Text message says, "Your Verizon account security needs validation"'

Right away this is how you know it's a scam

Re:

[The New Guy 2.0]

Thing is, there's no way for Joe User to tell if a billing overdue SMS is really from Verizon or not.

Re:

[Anonymous Coward]

there's no way for Joe User to tell if a billing overdue SMS is really from Verizon or not.

But there are clues:

• Its a text
• It is on a cellphone
• It asks you to enter information
• It claims to come from Verizon

Even if it really came from Verizon, I would not trust it.

I don't thing we are in the 1990's anymore, Toto. Even the cellphones themselves are scams.

If it is on a cellphone and it asks you to enter information, its a scam and even if it doesn't ask for information, its probably a scam. Didn't gr

Re:

[Retired ICS]

Of course there is. If you do not have an account with Verizon, it is obviously fake. If you last payment cleared, it is obviously fake. The only way that it might possibly be valid is if your billing is overdue.

Aaaah, good times

[Pig Hogger]

Back in the times, whenever I came accross a phi5h1ng site, I would look at how it works, and I woudl write a script that would fill it up with bogus information The joke was to find out which one would last the longer; one lasted 10 days!

Amateurs versus professionals

[shanen]

Three possibilities:

(1) Incompetent scammer actually shut down the phishing website.

(2) Competent spammer noticed your annoying script and blocked your IP address.

(3) You made a more competent scammer.

How is this "Crazy Realistic"?

[thepacketmaster]

First, never click on a link that comes through a text message. No company is doing that, only scammers. If you think there is an issue with your account, just go to the known web site, never click a link in email or text. Second, it mentions the web site looked identical but the URL wasn't right. You can usually copy a link and examine it without even opening it. So why go to a web site that isn't the real one? Just visiting the site could mean you end up with malware installed on a vulnerable computer

OK, EditorDavid

[oneiron]

What the fuck?

Re:

[NuAngel]

+100. This doesn't belong on slashdot. This is "news" for normies. Not "news for nerds."

"If you don't look too hard at the address."

[BAReFO0t]

I'm sorry, what?

It doesn't say Verizon! How do you fuckin' miss that?
vwireless.xyz? Even granny would tell ya to GTFO and not be a dummy!

Sorry, natural selection has decided you aren't allowed to be THAT dumb.

Re:

[WoodstockJeff]

Sad to say, even legitimate notifications contain "weird" domain names, concocted for tracking who clicks on what links within an email. USBank, for example, sends their marketing emails through "email-rpslifecycle.com". Links in an email from Chrysler Financial go to "scfinanceusa.com".

The big problem is that real emails can look just as fake as fake ones, because the senders don't have a clue.

The secret is to never use the links in the email.

Re:

[Retired ICS]

Those are fake e-mail messages. If they want to contact me they can use this new-fangled device called a telephone, or snail mail. And be prepared to deal with the security challenges. Otherwise, they can fuck off.

Re:

[syn3rg]

I insist that all the companies I do business with use a plant-based alternative to email.

That's just typical phishing

[the_skywise]

The REAL scary phishing messages were ones I got via email this last Christmas from "Best Buy" and "Apple" telling me my packages were having delivery troubles and I needed to login to confirm the shipping address.

I wouldn't have clicked the link from the email to begin with - but the emails looked exactly like the typical emails you would get from Apple or Best Buy as part of shipping notifications and my first inclination wasn't "phishing scam" but "Did I order something and forgot about it?" followed im

Huh?

[dmitch33]

How does this rank any higher than other fake e-mails? Possibly the person who received it is a moron?? Nothing here.

never click on a "verify your account" email link

[v1]

it's just that easy

well, maybe with a dash of "we will NEVER contact you and ask for your password".

and for good measure, "and if we DO need to contact you, we will address you by your full name, not 'dear customer'"

Re:

[Anne Thwacks]

and if we DO need to contact you, we will address you by your full name, not 'dear customer

Unfortunately, no body remembered to tell customer support or marketing about this.

My share dealing company sends me emails that claim to be from "Admin". I phoned them to tell them this was exactly what scammers do. Two years later, they are still doing it.

I have heard people say "If you are so clever , why aren't you rich?" - well, the answer is obvious - almost all the rich people appear insanely stupid!

Re:

[LenKagetsu]

I remember back in my Gaia Online days people fell for phishing scams on the regular, even though the site beat it into your head that they will never ask for your password, complete with massive banners saying the exact thing in every private message window. Regardless, idiots still fell for it, one newfag had the stupidity to fall for one from the user "Banning Manager", and upon falling for it, he threw a tantrum about how the site "shouldn't allow admin names". It's very typical for idiots to blame ever

Its not a scam! It's the NEW VERIZON PLAN !

[Bob_Who]

This is the new Verizon business plan to increase iPhone sales and up sell services. You get charged twice the price for the same thing T-Mobile gave you for half the price, before they swallowed Sprint. Now with just 3 carriers left in the market, Verizon needs to up the ante and raise the cost beyond double by simply asserting a new policy where they make all of the purchasing decisions for the user, once they enter their credentials. Duh you /. zombies - don't you understand how true capitalism works

Why does this happen?

[AndyKron]

And nobody know who owns the fake website or has the balls to stop this?

Re:

[rew]

The fake website usually runs on "https://small-bakery-in-the-middle-of-nowhere.com/stuff/paypal/". So the hackers got access to the small site, created a subdirectory ("stuff") and below that the name of the company they are targeting. If you look quickly, you'll see the name of the targeted company.

The small bakery in my example, doesn't have a security team. They don't even have a person responsible for their website. They hired a local teenager to setup their website for them. That's why they got hacked

Re:

[vbdasc]

The answer to this is that (almost) nobody is too excited to play the game of whack-a-mole.

I expect smarter posts on Slashdot

[NuAngel]

The internet's tech news site for over 20 years, I don't think "clicking on a link" and seeing a URL that isn't Verizon's but looks similar comes off as "CRAZY REALISTIC." It's the dumbest and most basic form of phishing that has ever been. Okay, I'm fine that someone wrote that article for some main stream site, but the fact that it got put on Slashdot is immensely disappointing.

Also, just for the record, I don't believe "smishing" is a brand new word, either. "Phishing" was "ph" just like "phreaking" beca