We are so bombarded by scams that many of us look at any email, message or call with distrust. We distrust by default, and beyond being an obvious precaution on our part, that is a problem: we no longer trust tools and processes that used to matter.
In that perpetual state of alert in which we have to swim between scams day in and day out, a few days ago I faced a surreal situation: I almost missed a train trip because I didn’t trust an SMS that Renfe sent me.
The SMS. I had the WorldOfSoftware prizes with my ticket safe and everything was ready when, a couple of days before, I received an apparently normal SMS. It was Renfe, saying that something about my trip had changed. The first thing I did was enter the link because it seemed legitimate (I didn’t see alternative characters or letters that pretended to be others). Within it I was asked to fill in my information and, I think when it asked for my ID or email, I closed.
Verification. Everything indicated that it was on the Renfe website, but… I closed it. Instinctively. Here it may be my bias being informed about the huge number of scams out there, but I closed it because I thought “well, I have a way to check if this is true.” I had not linked my physical ticket to the Renfe website, so I did and, sure enough, the seats that appeared on my new digital ticket were those indicated in the SMS. Story with a happy ending.
It stands to reason. It seems like a joke and you can tell me I’m exaggerating, but I don’t think the same. Discussing the play with a teammate from WorldOfSoftware, we both agreed that, although I may have been a little cautious, it was totally normal. I’m not going to mention all the cases because it wouldn’t end this year, and I’m certainly not going to go into all the scams, but SMS scams are serious.
Bank scams that tell us to enter our data to access the account, because there is a problem or for whatever reason, have been with us for a long time. The problem comes when scammers are able to mix their messages with those of a real entity, all so that you click on a link and fall. There are ways to detect these practices and take action, but these scams are a headache.
Dangerous mistrust. If I am from La Caixa and I receive a message from BBVA from a sender that is a mobile number, it is logical that I will not fall for it. But if I am from La Caixa and someone who pretends to be La Caixa, with that name appearing in the header, tells me something about my account, even though I know I don’t have to click, a little itch runs down my spine. I am clear that nothing is happening, or that I do not have a lost package or an unpaid violation, but there are people who do fall into this, and it is not their fault.
In my case, this usual distrust was mixed with the fact that I had a trip and that Renfe sent me an SMS. It is a dangerous distrust because, on the one hand, there is the danger that someone more confident clicks on a supposedly official message, but also that someone more careful does not click on an official message thinking that it is a scam.
Maybe too much? No, I think not. The proof is that these scams are the order of the day because, as we say, there are those who fall for them. There are oversights, confidence that the institutions we have been able to trust in the past are not going to deceive us (even if they are not really them), and generational gaps.
The latest example of this is in generations like Gen Z. According to statistics, only 33.2% of people in this age group pay attention to warnings. In the case of those over 65 years of age, the statistic increases to 66%. And, despite all the campaigns and warnings, other statistics show that only 57% of respondents between 18 and 29 years old acknowledge having little knowledge of cybersecurity.
Typical recommendations, but they work. As they say, the best protection is common sense. Sometimes this means that we are overly cautious (as is my case), but we have tools to detect this type of scam:
- You have to read the message carefully and trust that it is legitimate at first.
- If there is a shortened link, bad. Why is BBVA going to hide its URL address?
- Check the characters. In the URL, they can make us fall by replacing an “i” with an “l” or an “o” with a “0”, for example.
- Be careful with subdomains. Your bank will have a URL like https://nombredetubanco.com and that’s it. But maybe the bad guys do something like https://nombredetubanco-com.nombrededominio.io.
If you still have doubts, you can always call or go to your bank/service’s app to see if there is any notice that way.
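The checks in the list above can be automated for a link whose supposed sender is known. The following Python sketch is an added example, not part of the original article: the function names, the warning labels and the short list of shortener hosts are assumptions made for illustration, and `nombredetubanco.com` is the placeholder domain used in the list.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive sample of link-shortener hosts (an assumption).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}
# The swaps the list mentions ("i"/"l", "o"/"0"), plus "1", folded to one form.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l"})


def fold(text):
    """Collapse look-alike characters so visually similar names compare equal."""
    return text.lower().translate(FOLD)


def check_sms_link(url, official_domain):
    """Return warnings for a link claiming to come from `official_domain`."""
    if "://" not in url:              # SMS links often omit the scheme
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    official = official_domain.lower()

    # The real domain, or a genuine subdomain of it: nothing to flag.
    if host == official or host.endswith("." + official):
        return []
    if host in SHORTENERS:
        return ["shortened-link: the real destination is hidden"]

    # Compare the rightmost labels of the host with the official domain.
    tail = ".".join(host.split(".")[-official.count(".") - 1:])
    brand = official.split(".")[0]
    if fold(tail) == fold(official):
        return ["lookalike-characters: " + tail + " imitates " + official]
    if fold(brand) in fold(host):
        return ["brand-in-foreign-domain: " + host + " is not under " + official]
    return ["unrelated-domain: " + host]


if __name__ == "__main__":
    # Constructed sample links, including the two URLs from the list above.
    for link in ("https://nombredetubanco.com/aviso",
                 "https://nombredetubanco-com.nombrededominio.io/login",
                 "nombredetubanc0.com/x",
                 "https://bit.ly/3abcXYZ"):
        print(link, "->", check_sms_link(link, "nombredetubanco.com") or "ok")
```

An empty result only means the host belongs to the expected domain; it says nothing about whether the message itself is genuine, so checking through the official app or by phone still applies.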
Serious measures. But is nobody going to do anything? Well, you try. A few months ago, the Ministry of Digital Transformation and Public Service presented a plan to combat fraud from SMS and calls. Let’s hope it turns out better than the anti-spam measures, which were worth very little.
In this way, the plan contemplates that operators can block calls and SMS that use numbers not assigned to services, operators or clients. Also banning the use of mobile numbers for business calls, making legitimate businesses use 800 and 900 numbers for customer service. There are already precedents for success with these measures, with Finland being an example of having reduced identity theft scams by almost 90% since its government implemented similar actions.
A minefield. And the dangers are everywhere, be careful, not only in WhatsApp, Telegram, email or SMS. In recent months there have been many YouTubers who have seen their channels spoofed because, in some cases, they have unknowingly downloaded files or clicked on links that they shouldn’t have. The well-known YouTuber Domingo Gomes, whose channel was previously called Newsesc, commented precisely on this situation recently.
In the video he says that his editor downloaded a video to use a fragment for informative purposes in content, but in addition to the video, he downloaded an application. This app was accidentally opened and they managed to access the editor’s Google account. He says he hasn’t recovered yet.
It’s a bummer. Practically every day I deal with a scam: with a robocall telling me that Amazon has just released a cryptocurrency and that I should get it now that it is cheap, the offer of a lifetime on WhatsApp and Telegram or the very annoying spam calls. I have already gotten used to hanging up as little as possible, but with links and emails, things change. You can’t trust anything, you have to carefully check the URLs, images, addresses and, even if you think that the site is legitimate, when they ask for sensitive information such as your ID or date of birth, you are left with resentment.
Is it really the place it says it is? The easiest thing is that yes, if Renfe sends me a message saying that they have changed my seat on a train at a specific time when I have that train, that day and at that time, it is legitimate. But the fact that, for a moment, my first feeling is to distrust is a huge trust problem. And I think not so much for me, because I have options to check if the message is true, but for the companies and institutions that are being impersonated every day.
In a few words? All this is a bummer. And exhausting.