
Don’t Click! That Meal Delivery SMS Might be Malicious

Fraudsters are sending smishing messages disguised as offers from legitimate meal-kit services like HelloFresh and Gousto.

Smishing attacks

COVID-19 has impacted nearly every industry. Despite the restriction of movement during the pandemic, e-commerce and food delivery services boomed. While the demand for DIY meal kits surged, impersonation scams saw a spike as well. Recently, cybersecurity firm Tessian warned consumers to be vigilant about the evolving meal-kit delivery frauds. Scammers are tricking users by sending phishing text messages (smishing) that appear to be offers from legitimate meal-kit delivery services like HelloFresh and Gousto in the U.K.

In smishing attacks, fraudsters send a specially crafted text message (SMS) prompting the user to click on a malicious URL embedded in the text.

Tessian’s researchers claimed that the meal-kit phishing campaign is targeted at unwitting consumers, who receive malicious SMS and WhatsApp texts asking them to give feedback to win a prize. The malicious URL within the message leads users to a bogus site designed to pilfer sensitive financial information and account credentials.

Capitalizing on Consumer Trends

From fake vaccines and test results to fraudulent job offers, threat actors are fully capitalizing on the pandemic. The intent behind these scams is to drive users to a phishing site – by any means possible – and trick them into entering their personal data.

Image: Smishing message from attackers (Source: Tessian)

“Throughout the pandemic, we’ve seen cybercriminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information,” said Tim Sadler, CEO and Co-founder of Tessian.

Smishing messages often contain eye-catching phrases like “you’ve won a lottery” to grab users’ attention. Most of these messages are riddled with spelling mistakes.

“Spelling errors are a tell-tale sign that it is not from a legitimate source; brands will rarely make such mistakes in their marketing campaigns. Also, keep an eye out for business and customer messages from unknown numbers or numbers starting with a local area code such as +44, as these are regularly associated with scam texts. These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data. A general rule of thumb is that, if you’re ever not sure if something is a scam, then assume it is. You can always verify a message’s legitimacy with the company directly,” Sadler added.

Mitigation Measures

Tessian also recommended certain security measures to prevent smishing attacks. These include:

  • If you receive a text requesting that you follow a link, ignore it — at least until you’ve confirmed whether or not it’s legitimate by contacting the company in question via another channel of communication.
  • Inspect the sender’s phone number — unknown numbers or 11-digit long numbers starting with a local area code, such as +44, are often associated with scam texts. Large institutions will generally send text messages from short-code numbers.
  • Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors.
  • Visit the company’s social media channels to see whether they have warned their customers about potential scams that have been circulating, and research whether other customers have received the same message.

“SMS-based scams are incredibly convincing and are growing in frequency. More and more companies are relying on SMS as a marketing channel to reach their customers and update them about online orders. Given that nine in 10 people open their texts, it’s likely the message will be read. So, while you might not be expecting a delivery, scammers will still try their luck. Often impersonating a legitimate brand, and using sophisticated methods like including a shortened, legitimate-looking URL or an urgent call to action, they’re hoping their targets have signed up to some form of home delivery service, will click the link and fall for the scam,” said Charles Brook, threat intelligence specialist at Tessian.
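The red flags listed above, together with the shortened-URL and urgent call-to-action cues Brook mentions, can be turned into a simple triage scorer for incoming texts. The code below is an added example, not Tessian's or the article's own tooling; the brand domain allowlist, shortener list, lure words and sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
# Heuristics from the article: link in the text, shortened URL, full-length sender number
# instead of a short code, prize/urgency lure, misspelled brand name. Triage only, not a verdict.
BRANDS = ("hellofresh", "gousto")
# Assumed allowlist of each brand's own domains; an operator would maintain and extend this.
LEGIT_DOMAINS = {"hellofresh": ("hellofresh.co.uk",), "gousto": ("gousto.co.uk",)}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}  # assumed, extend as needed
LURE_WORDS = ("win", "won", "prize", "claim", "feedback", "urgent", "now")

def sender_kind(sender):
    """'alpha' for a brand sender ID, 'shortcode' for up to 6 digits, else 'longnumber'."""
    if not re.fullmatch(r"\+?[\d ]+", sender.strip()):
        return "alpha"
    return "shortcode" if len(re.sub(r"\D", "", sender)) <= 6 else "longnumber"

def brand_lookalikes(text):
    """(token, brand) pairs where a word nearly matches a brand name but is misspelled."""
    toks = set(re.findall(r"[a-z]+", text.lower()))
    return sorted((t, b) for t in toks for b in BRANDS
                  if t != b and SequenceMatcher(None, t, b).ratio() >= 0.8)

def score_sms(sender, text):
    """Return (score, reasons): one point per red flag from the article that fires."""
    reasons, low = [], text.lower()
    lookalikes = brand_lookalikes(text)
    named = {b for b in BRANDS if b in low} | {b for _, b in lookalikes}
    urls = re.findall(r"https?://\S+", text)
    if urls:
        reasons.append("asks you to follow a link")
    for url in urls:
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened URL ({host})")
        elif named and not any(host == d or host.endswith("." + d)
                               for b in named for d in LEGIT_DOMAINS[b]):
            reasons.append(f"names a brand but links to {host}")
    if sender_kind(sender) == "longnumber":
        reasons.append("full-length number rather than a short code or brand sender ID")
    if any(re.search(rf"\b{w}\b", low) for w in LURE_WORDS):
        reasons.append("prize lure / urgent call to action")
    for tok, brand in lookalikes:
        reasons.append(f"misspelled brand name '{tok}' (looks like {brand})")
    return len(reasons), reasons

SAMPLES = [  # constructed sample messages, not real captured SMS
    ("+447700900123", "Helofresh: rate your last box and win a free meal! https://bit.ly/example-link"),
    ("+447700900456", "Gousto: claim your prize for feedback at https://gousto-rewards.example/r"),
    ("HelloFresh", "Your box is on its way. Track it in the HelloFresh app."),
    ("60006", "Gousto: your order is out for delivery today."),
]
```

Running `score_sms` over `SAMPLES` flags the two constructed smishing texts (scores 5 and 4) and gives the genuine-looking delivery updates a score of 0; a real deployment would tune the lists and treat a non-zero score as a prompt to verify with the company, as the article advises.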