By Will Oremus
Two years ago, I got a text message from a number with a Las Vegas area code. “Thanks for visiting our site!” it read. “Claim your $100 Gift card at www.topgiftsnow.com. Gift Code: 13Z76F. To end reply STOP.” Annoyed, I typed “STOP” and hit send. The next day I got another one. “STOP,” I typed again. Then came the deluge. “Clearance pricing on new cars!” my phone buzzed. “Start a career in law enforcement!” “You have 1 unread message from your secret crush!” At first they were all from Las Vegas. Then they were from Oregon, Idaho, and Nebraska. Every buzz meant another text message charge on my bill.
I ignored some, replied “STOP” to others, and even tried calling back in the vain hope of confronting my tormentors. I reached only recordings. The worst part was that it was my own fault. As I belatedly realized, a reply of any kind confirms to cellphone spammers that they’ve reached a working number—which they can then sell to other spammers. I’ve long known not to click the links in spam emails, but 10 years of spam-free cellphone ownership had lulled me into complacency when it came to texts.
Text spam used to be rare in the United States because, compared with the email equivalent, sending texts was expensive. There were ways around the charges, like sending the spam messages from the Internet rather than a mobile phone. But that method was easily stymied, because wireless companies can separately track and filter such messages. The past three years, however, have brought a proliferation of cheap, prepaid cellphone plans with unlimited text messaging. That has opened the floodgates.
In 2009, Americans received some 2.2 billion text messages that they identified as spam, by the estimate of Richi Jennings, an independent market analyst. By 2011 that had doubled to 4.5 billion. But even that figure doesn’t capture the biggest boom, which has come in just the past few months, according to Cloudmark, a San Francisco-based firm that provides messaging security for major wireless carriers. “Six months ago, when I would tell people I work for an anti-spam company and work on mobile spam, they’d all wonder, ‘What’s mobile spam?’ ” says Mike Reading, Cloudmark’s director of technology for the Americas. “Now, I’d say most people have been exposed to it themselves.”
If you haven’t, you will be soon. Spammers’ lists of numbers have been multiplying as they shift their focus from email to mobile phones to take advantage of cellphone companies’ weaker spam filters. The volume of text spam remains comparatively small, because those spammers who are just trying to sell a product—Cialis, say, or fake Rolexes—have largely stuck to email, which remains the cheaper option. It’s the phishers who are making the switch.
Mobile-phone spam messages are often an invitation to be scammed at sites like this one
Courtesy of Cloudmark.
The latest wave of text scams is a cut above your typical Nigerian bank fraud. Orchestrated by a sprawling network of mainly U.S.-based e-crooks and semi-legal websites, these swindles use confusing privacy notices and fine-print consent forms to lend a veneer of plausibility to attempts to separate you from your personal and financial information. Consider a text that invites you to “Test & keep unreleased iPhone5!” Follow the link and it will admit that some “testing and participation” is required before you claim your prize. It first asks you to confirm your email address, then requests your name, date of birth, phone number, and mailing address. A few clicks later, you’re asked to enter your credit card number so they can charge a small $8.99 shipping fee. By the time you notice you never received your iPhone 5, the website will be gone, and your name, phone number, and credit card number will have entered the vast and lucrative underground market where such information is traded.
Your surest defense is to avoid replying to any mobile spam and to hold off on typing in your cellphone number on websites you don’t fully trust. That won’t guarantee you immunity, since legitimate sites can be hacked for customers’ personal information, but it’s your best bet.
For those that have been targeted, the good news is that the major wireless carriers offer a litany of potential fixes. The bad news is that, in all likelihood, they won't do you any good.
The recommended steps are the same whether you visit the carriers’ websites, consult the Federal Communications Commission, or read the New York Times. They go like this: 1) Report spam to your carrier by forwarding the offending message to 7726 (that's SPAM on alphanumeric keypads), then copy the phone number it came from and send that along as well. 2) Report the spam to the FCC. 3) Tell your wireless carrier to block messages from the Internet. 4) Have your carrier block messages from the specific phone numbers that are spamming you.
Reporting spam does help the carriers and government agencies identify patterns of spam messages over time. But don’t imagine that your tip is going to spur anyone to hunt down the scoundrel that spammed you and bring him to justice. The spammers aren’t just sitting on a couch somewhere typing messages one by one into a handset. (Damn you auto-correct, I meant “free Wal-Mart cards,” not ”free walnut cards!”) Rather, they use customized computer programs to generate and send hundreds of messages in a matter of minutes, varying the wording, capitalization, and punctuation to evade the phone companies' rudimentary spam filters. And thanks to a fiendish device called a SIM box, the spammers can plug dozens, even hundreds, of SIM cards—each representing a different mobile phone number—into a single phone. By the time you’ve received a text and reported the number, there's a good chance it has been used hundreds of times and discarded.
Blocking messages from the Internet is also unlikely to cut down on the volume of spam you receive. Sending texts from the Web used to be a popular method for mobile spammers, who could try endless random combinations of numbers in hopes of a few hits. But unlimited texting plans made that approach less attractive to spammers, who know that such messages can easily be blocked. Though it’s still worth doing, don’t expect a magic bullet.
To really put a dent in text spam, the mobile phone companies need to upgrade their spam filters. That’s expensive, and it takes time. A cynic might note that the wireless providers have little incentive to expend that effort, since it costs them essentially nothing to transmit the data, and they actually profit from spam messages received by people who don’t have unlimited texting plans. Spokespeople for Verizon and AT&T insisted to me that they’re doing all they can, and noted that the volume of mobile spam remains tiny compared to email spam. Verizon, for its part, has managed to track down and sue some 20 spammers over the years.
Cloudmark, the message-security company, says domestic wireless providers may not have always made mobile spam their top priority, but they are making a genuine effort to respond now that unwanted messages are spiking stateside. The cost of fielding complaints from exasperated customers outweighs any revenue the wireless companies get from spam messages, Cloudmark’s Reading reckons. (To ensure that’s the case, follow up your spam reports by calling up your wireless provider and asking to have the relevant text-message charge removed from your bill.) Reading tells me his company’s latest spam filter has the capacity to identify and block most of the current wave of mobile scams before they reach customers. Several wireless providers are in the process of deploying it.
If he’s right, perhaps mobile spam will be held down to the level of a minor annoyance for most. But there’s also a possibility the problem will get much worse before it gets better. For a grim picture of the future, one has only to look to China, where unlimited text plans have been widely available much longer. By some estimates, a third of all text messages in China today are spam.
It’s also worth asking why the U.S. wireless carriers didn’t look to China several years ago and start preparing for the deluge. They knew unlimited texting plans were in the pipeline. They should’ve known that unlimited plans mean seemingly unlimited spam.