What to Do When Spam Feels Like Phishing

Spam and phishing can feel similar, but you should delete both—even if you think they really have something for you. Read what I mean.

It started innocently enough on September 29:

How stupid, I thought. Typical text message spam, with a trio of errors in the first sentence and a gibberish URL. Delete!

But then this one, two weeks later:

My name’s not Michael, but hmm: I had started a new “eating plan” just a few days earlier. (My mother-in-law is a professor of nutrition and she’s got my wife and me trying a “well formulated ketogenic diet,” under her direction.)

But how did they know I was interested in losing weight? (Or, “loosing” weight, as the earlier message promised, whatever.) Seems bogus. Delete!

Just three days later, another:

Yeah, 80 pounds in 3.5 weeks sure was unbelievable! (And I’m still not sure where I’m loosing it.) But I start to wonder: how do they know I’m interested in weight loss?

Was it the fact that I had downloaded and started using the MyFitnessPal app a week ago? This was starting to seem less like spam and more like phishing—like somebody was targeting me, personally. Still, that link. Delete!

Now, dammit, just two days later:

Maybe I should click? I mean, clearly, they know what I’m after. But then I notice the time stamp: why am I always getting these really early in the morning? I wonder what the time difference is to Russia? C’mon Tom, you know better than this. Delete!

And yet they keep coming, two or three a week, some offering an opt out, the number of pounds I might lose (or loose) constantly changing, never the same URL. Here’s a GIF showing the five more I received:

And because I’m human and I want to make sense of this, I keep looking for explanations.

Maybe it’s not weight loss after all. Maybe “they” knew I was in the midst of giving a month-long series of talks about identifying phishing, smishing, and social engineering and this is just an ongoing taunt, a provocation to see if I’ll take the bait.

I don’t take the bait, I promise … but I sure understand how this kind of crap can drive you a little crazy.

Making Sense of It All

There was just one lingering question in my mind after a month of this: were these messages actually designed for me?

If they weren’t, if these messages just reached me as part of a month-long spam campaign designed to get people to buy some sketchy diet pill (like one that promoted “instant ketosis”), they would definitely be spam: unsolicited bulk communications, in this case sent via SMS or text message (they also exist as email and regular mail). There’s only one reasonable way to handle it: delete it. (There’s also an unreasonable way: you can waste your money.)

But if they were for me—if they knew something about my life and my interests—then maybe they were phishing, which looks an awful lot like spam but actually represents an attempt to obtain banking credentials, passwords, credit card information, or something else of value.

Spam is annoying, but phishing is dangerous. Spam wants me to spend a little money; phishing wants more money, more access, more data.

But both spam and phishing use the same hook: something we want, or conversely, something we don’t want. Maybe it’s a way to accelerate weight loss or strike it rich, or it’s the threat of all your personal data being exposed if you don’t click this link.

And why do we think that such offers would find their way to us? Because this digital world we live in is so interconnected. Ads appear in our browsers that are EXACTLY what we are after, and Amazon suggests items that we really do want to buy. Why wouldn’t these same offers come as text messages?

These days sometimes even the implausible seems, if not plausible, at least attractive enough to check it out. And if we’re feeling sad or lonely or vulnerable—maybe if we’re concerned that we’re never going to lose weight fast enough—we just might decide to follow that link.

A Little Skepticism Goes A Long Way

Here’s where we have to stop indulging our magical thinking and find that skeptical part of ourselves. Because it doesn’t matter if these messages were spam or phishing! The content of the messages—the exaggeration, the errors, the bizarre links, the sheer absurdity of their claims—tells you everything you need to know. There’s only one thing to do with such messages: delete them!

Beyond deleting, you can use your phone to block messages from that number, and you might use your carrier’s tools to try to block all such messages or even use an app that purports to do this.

The important thing to realize is this: spammers will find their way through. They don’t care about laws against spam, and they’ll figure out ways to evade the tools to block them.

You and your delete button are the best tools to stop spam and phishing. It’s as simple as that.

To Learn More

Want to learn more about spam and phishing (and the often subtle differences between them)? You might start here:


Like What You Read?

Check out more content from Tom Pendergast on his blog Confessions of an Awareness Nerd.
