Two years ago, I got a text message from a number with a Las Vegas area code. “Thanks for visiting our site!” it read. “Claim your $100 Gift card at www.topgiftsnow.com. Gift Code: 13Z76F. To end reply STOP.” Annoyed, I typed “STOP” and hit send. The next day I got another one. “STOP,” I typed again. Then came the deluge. “Clearance pricing on new cars!” my phone buzzed. “Start a career in law enforcement!” “You have 1 unread message from your secret crush!” At first they were all from Las Vegas. Then they were from Oregon, Idaho, and Nebraska. Every buzz meant another text message charge on my bill.
I ignored some, replied “STOP” to others, and even tried calling back in the vain hope of confronting my tormentors. I reached only recordings. The worst part was that it was my own fault. As I belatedly realized, a reply of any kind confirms to cellphone spammers that they’ve reached a working number—which they can then sell to other spammers. I’ve long known not to click the links in spam emails, but 10 years of spam-free cellphone ownership had lulled me into complacency when it came to texts.
Text spam used to be rare in the United States because, compared with the email equivalent, sending texts was expensive. There were ways around the charges, like sending the spam messages from the Internet rather than a mobile phone. But that method was easily stymied, because wireless companies can separately track and filter such messages. The past three years, however, have brought a proliferation of cheap, prepaid cellphone plans with unlimited text messaging. That has opened the floodgates.
In 2009, Americans received some 2.2 billion text messages that they identified as spam, by the estimate of Richi Jennings, an independent market analyst. By 2011 that had doubled to 4.5 billion. But even that figure doesn’t capture the biggest boom, which has come in just the past few months, according to Cloudmark, a San Francisco-based firm that provides messaging security for major wireless carriers. “Six months ago, when I would tell people I work for an anti-spam company and work on mobile spam, they’d all wonder, ‘What’s mobile spam?’ ” says Mike Reading, Cloudmark’s director of technology for the Americas. “Now, I’d say most people have been exposed to it themselves.”
If you haven’t, you will be soon. Spammers’ lists of numbers have been multiplying as they shift their focus from email to mobile phones to take advantage of cellphone companies’ weaker spam filters. The volume of text spam remains comparatively small, because those spammers who are just trying to sell a product—Cialis, say, or fake Rolexes—have largely stuck to email, which remains the cheaper option. It’s the phishers who are making the switch.
The latest wave of text scams is a cut above your typical Nigerian bank fraud. Orchestrated by a sprawling network of mainly U.S.-based e-crooks and semi-legal websites, these swindles use confusing privacy notices and fine-print consent forms to lend a veneer of plausibility to attempts to separate you from your personal and financial information. Consider a text that invites you to “Test & keep unreleased iPhone5!” Follow the link and it will admit that some “testing and participation” is required before you claim your prize. It first asks you to confirm your email address, then requests your name, date of birth, phone number, and mailing address. A few clicks later, you’re asked to enter your credit card number so they can charge a small $8.99 shipping fee. By the time you notice you never received your iPhone 5, the website will be gone, and your name, phone number, and credit card number will have entered the vast and lucrative underground market where such information is traded.
Your surest defense is to avoid replying to any mobile spam and to hold off on typing in your cellphone number on websites you don’t fully trust. That won’t guarantee you immunity, since legitimate sites can be hacked for customers’ personal information, but it’s your best bet.
For those that have been targeted, the good news is that the major wireless carriers offer a litany of potential fixes. The bad news is that, in all likelihood, they won't do you any good.
The recommended steps are the same whether you visit the carriers’ websites, consult the Federal Communications Commission, or read the New York Times. They go like this: 1) Report spam to your carrier by forwarding the offending message to 7726 (that's SPAM on alphanumeric keypads), then copy the phone number it came from and send that along as well. 2) Report the spam to the FCC. 3) Tell your wireless carrier to block messages from the Internet. 4) Have your carrier block messages from the specific phone numbers that are spamming you.
Reporting spam does help the carriers and government agencies identify patterns of spam messages over time. But don’t imagine that your tip is going to spur anyone to hunt down the scoundrel that spammed you and bring him to justice. The spammers aren’t just sitting on a couch somewhere typing messages one by one into a handset. (Damn you auto-correct, I meant “free Wal-Mart cards,” not ”free walnut cards!”) Rather, they use customized computer programs to generate and send hundreds of messages in a matter of minutes, varying the wording, capitalization, and punctuation to evade the phone companies' rudimentary spam filters. And thanks to a fiendish device called a SIM box, the spammers can plug dozens, even hundreds, of SIM cards—each representing a different mobile phone number—into a single phone. By the time you’ve received a text and reported the number, there's a good chance it has been used hundreds of times and discarded.