Scam Bucket: Latest Russian Phishing Scam

The Russian cyber offensive against the West finally hit last week and it was a pretty weak phishing scam.

Across the US reports were coming in of text messages, sometimes identified as the user’s own phone number, claiming “Your bill has been paid” and offering a “free gift” that could be claimed by clicking a random link, which is the first clue that it was fraudulent. Cyber Protection Magazine has determined that the source of the plan was cybercrime groups supporting the Russian war effort and was little more than a phishing campaign.

TLDR: Don’t click on the link. Back to our story

Most reports on this scam, going back to February, limit the scam to Verizon users. Verison reported they applied a fix. AT&T and T-Mobile reported to the New York Times as late as early April that they had no reported occurrences. However, Cyber Protection Magazine has talked to dozens of users on both services and learned that a variant has popped up to get around the anti-spoofing tech by spoofing numbers in group texts.

AT&T denied receiving any reports or what they called “bulk reflective spoofing,” even though several AT&T customers reported to the magazine of receiving an “unending flow” of the texts for several weeks. A T-Mobile media representative said since they talked with the Times they have updated filters to block the texts.”We began to see this happen across the industry as group texts to T-Mobile and other wireless provider customers in the last several days.”
The representative urged users to be cautious in engaging with unknown senders or unexpected messages and recommended reporting them by forwarding the message to 7726 (SPAM). That same number works for all cellular carriers.


This author received 32 separate texts all from hundreds of spoofed numbers, all in group texts. He deleted the first three and reported the next two, but curiosity got the better of him as they kept coming. Setting all security parameters on high and using a VPN with an old Chromebook, he typed in the link, entered false information about his identity and eventually came to the “prize”. It turned out to be Russian state propaganda about the Ukraine war. Hence our pronouncement of a Russian cyber attack.

Related:   Black Friday - Deals, Hacks and Scams Aplenty

Note: Cyber Protection Magazine does not recommend trying to duplicate this experiment, especially if you don’t know what you are doing.

The goal of the scam is twofold. First, find naive users in the west and collect data on them and, second, spread false information. But the execution is sloppy and obvious.

This is an annoying scam at best. Victims have probably had their personal information on the darknet for some time. So the hackers are not getting anything new.

What you can do

Beyond forwarding texts to the carrier as mentioned above, by all means, DO NOT respond with STOP. If you do scammers know they have a valid number, which feeds phishing scams using mobile phones,

To help know when a scammer is texting you, legitimate texts from companies come from four-, five- or six-digit numbers. Scam texts typically come from phone numbers that are 10 digits or longer. The texts themselves have two defining traits that can be present in one form or the other.

The messages often have grammatical and spelling mistakes. That is by design to get around carrier spam filters. Second, instead of a web link with the name of a company, they use sentences, phrases or nonsense. This is called URL masking and helps acquire personal information.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.

Leave a Reply

Your email address will not be published. Required fields are marked *