March 30, 2022 at 5:00 PM
Throughout my years working in the IT security and compliance field I have had the opportunity to learn about dozens of different social engineering attack strategies that malicious actors will utilize to achieve their goals. This past weekend, I had the unique opportunity to witness an attempted social engineering attack that I had never encountered before – and I was the target!
I received a strange-looking SMS text message that was written in a format similar to messages I had previously received from Verizon (my carrier). It began with an introduction that read “Free Msg:”, while similar and legitimate Verizon SMS texts have begun with “Verizon Msg:”, “VZ Msg:”, etc. The message went on to thank me for paying my recent bill and offer me a “little gift” with a link that followed. What was most puzzling is that my phone indicated that the message originated from my own phone number, although my phone only had a record of the message being received and not sent from my device.
While I have received more than enough training here at Compass IT Compliance to know not to click any unfamiliar or suspicious links, I must admit that this scheme was a little more convincing than others I had encountered in the past. The format closely resembled several other legitimate texts I had received from my carrier, it seemed to originate from my own number (which I assume my carrier would be capable of), and it occurred on the day of the month that my Verizon bill is typically sent to me. I can recall receiving phone calls on our home phone as a kid that claimed they were calling from our own number, and I know all about phone number spoofing from my time working at Compass, but I had never received an unexpected text on my cell phone originating from my own number (though I have received my fair share of scam texts from random numbers). While the offer of a “little gift” sounded a bit suspicious, I had also recently received legitimate marketing emails from my internet provider offering me rewards simply for being a customer, so the idea of my phone carrier attempting something like this did not seem impossible. I ultimately decided that it was not worth taking the risk of clicking the link to see where it went. I brought it up with a few of the top cybersecurity minds at Compass IT Compliance when I returned to work on Monday. After chatting and determining that my device, Apple ID, and SIM card were not compromised, it was surmised that it was likely a phone number spoofing scam. They evaluated the fraudulent link, but it was no longer active. I looked through some of my older texts and found that I had also received two other very similar messages from different numbers over the past few months, both claiming to be from Verizon and one including my name (both of which I had ignored).
Fast forward four days to today, and news outlets across the nation are reporting on this smishing scam targeting Verizon customers – I was not the only affected individual. Several of my coworkers have now also received similar texts since I first received mine. According to a statement from the carrier, “Verizon is aware that bad actors are sending spam text messages to some customers which appear to come from the customers’ own number… Our team is actively working to block these messages, and we have engaged with US law enforcement to identify and stop the source of this fraudulent activity. Verizon continues to work on behalf of the customer to prevent spam texts and related activity… we have no indication that this fraudulent activity is originating in Russia… We believe this activity is being generated from external bad actors with no direct tie to our company,” Verizon spokesperson Rich Young told The Verge by email. Several individuals have reported that the link directed them to Channel One Russia, a Russian state media network (our team confirmed this in one example).
In the end, what mattered most was the security awareness training I had been offered at my current and previous employers, with continuous updates on the latest threats and tactics. Even with all that training, I must admit that this particular scam caught my attention and made me contemplate if it could be legitimate. It will be interesting to see what revelations might come out in the coming days as to the origin of the attack and how it was conducted. But regardless of the details, this incident serves as a reminder to all of us that malicious actors will continue to develop new and innovative methods of deceiving their victims.
Update – As I was uploading this blog, I received another fraudulent text from my phone number: