Beware “bill has been paid, here’s a gift” scam text messages
Scam text messages are thanking recipients for paying their phone or utility bills by claiming to offer them a “little gift” in a social engineering trick designed to lure recipients to spoof websites.
SCAM
Type of Scam: Social Media Phishing
Attack Type: Link to Phishing Website
Social Engineering Technique: Free gifts or prizes
The text messages will appear to come from a well-known company, for example AT&T, Verizon or T-Mobile. An example of such a message is below.
Free Msg: Your bill is paid for March. Thanks, here’s a little gift for you. LINK REMOVED
The suspicious messages are very similar to another text scam that claimed to offer “little gifts” as way of an apology for coverage or signal issues.
In both cases the links in the text messages direct recipients to spoof phishing websites. These websites are designed to look like the legitimate websites of the company the scammers are pretending to be messaging the recipient from.
So if the “little gift” message appeared to come from T-Mobile, for example, then the link will direct to a spoof website designed to look like the T-Mobile website.
But in reality these spoof websites are owned by crooks, and any information entered into them – such as for example your login username and password – is sent straight to the crooks, allowing them to access your online account.
Sponsored Content. Continued below...
And from there the crooks can glean personal information about you, potentially allowing them to open up new phone or utility contracts in your name or to commit other forms of identity fraud.
How to avoid these “little gift” text scams
When it comes to links in text messages, online messages or emails, the advice is always the same. Don’t click them. This way you can avoid the vast majority of phishing scams that will come your way. If you’re not sure a message is legitimate, you can contact the relevant company directly – for example by logging into your online account directly (without clicking links) or contacting them using their contact details you already have.
If you do believe a message is legitimate and you click the link, the next step is to check the web address (URL) at the top to see if it’s the web address of the company. We have more information on spotting fake web addresses that you can read here.
Also be aware of common social engineering tricks used by crooks to lure recipients into clicking links. Text messages or emails offering freebies, prizes or that otherwise seem too good to be true (as well as messages that appeared to be designed to panic you) are always likely to be scams. Read more about avoiding SMS phishing scams in our article here.
Finally, you can report scam texts by forwarding them to 7726 if you’re in the UK, Canada, New Zealand or the United States.