A subset of Three UK users have received an SMS message warning them about text message-based spam – complete with a shortlink and textual urgings to click it and learn more.
The definitely-not-smishing-honest message was received by Reg reader Chris, and he was not very chuffed with it. He told us:
"They send an unsolicited out-of-the-blue SMS which asks you to 'click' (not tap) on a link. When checked out in a sandboxed environment this goes to an insecure http-only page which warns of suspicious text messages and a video telling recipients not to tap on any links. Awesome!"
The offending message is reproduced in all its glory below:
This message has all the hallmarks of a smishing (SMS phishing) message. As UK.gov-backed website Get Safe Online explained, such messages "instruct you to either go to a website or make a phone call to a specified number… They play on your basic human emotions and needs, such as trust, safety, fear of losing money, getting something for nothing, eagerness to find a bargain or desire to find love or popularity/status."
As even Three itself warns, you really shouldn't pay attention to smishing messages: "If you've received a suspicious message, don't click on any links. Get in touch with the company it's supposed to be from, first. They'll let you know if it's genuine or not. Until then, don't click on any links or follow any of the instructions."
The cautious telco added: "Would the supposed sender really contact you like this?"
Message sender names can easily be spoofed, as one-time Lulzsec chap Jake Davis explained when UK.gov started bombarding innocent Britons with SMS messages about the pandemic earlier this year.
A mildly irritated Three spokesperson told us: "We regularly and proactively contact our customers with guidance on how to avoid smishing fraud. This includes linking to a genuine website where we communicate about our safety measures. We inform all our customers that the website links we use, and are therefore safe to click on, are 3.uk and three.co.uk. More than 500,000 customers have read the guidance and now have a better understanding of how to protect themselves as a result."
In fairness, the website does say that 3-dot-uk is one of their own domains. But for cautious consumers it doesn't really seem right.
A few years ago some well-meaning-but-thoughtless British police sent out a ransomware warning link that went to a file called ransomware.pdf. ®