The problem is that scammers have adapted. They have taken an old attack and reshaped it into something that blends into habits we barely think about, such as passing a CAPTCHA or completing a two-factor step.

This newer version of the ClickFix scam feels routine, which is exactly why it works. As a computer repair business, we are seeing it more often, so here is a clear explanation of how it works and how to avoid it. 

The older ClickFix method was easier to spot

The original version relied on fear. A website would loudly claim your computer had a fault. It would then mention corrupted files or pretend your system was failing, then guide you to open a powerful system tool using a keyboard shortcut that only IT professionals usually touch. Tools such as Command Prompt, PowerShell, and Terminal were never meant for everyday use, which is why the instructions stood out.

Once the tool was open, the page would display a block of characters for you to paste in. It never looked readable, just a jumble that appeared technical enough to trust. Pressing Enter quietly downloaded malware from a criminal server, and you never saw a pop-up or progress bar. The command was encoded so the real action was hidden from view.

READ MORE:  How Using the SLAM Method Can Improve Phishing Detection

Over time, people learned to ignore dramatic error messages. The scare tactics stopped working, so the scammers changed tactics.

The new version hides inside fake verification steps

Now, the scam appears inside something that feels legitimate. Instead of warning you about problems, the website pretends it needs to verify that you are a real person. It might look like a Cloudflare check, a Google-style CAPTCHA, or even a verification screen on a site that appears related to a hotel or booking service you actually use. Some victims even reach these pages through links sitting at the top of search results.

Everything looks normal until the page tells you to complete the verification by copying a code into Terminal, Command Prompt, or PowerShell.

Because we are used to extra login steps, the request feels like a mild inconvenience rather than a warning sign. That single line of encoded text is the attack. Once you paste and run it, the computer silently contacts a malicious server, downloads malware, and installs it without any visible sign.

Why this new approach works

People trust verification steps. CAPTCHA and two-factor checks appear on nearly every major site now, so they feel familiar, and scammers use that trust to their advantage.

Many people believe they are safe as long as they avoid suspicious downloads. This attack sidesteps that habit entirely, as you are not downloading a file yourself but running the command that fetches it for you.

Because the text is encoded, it looks harmless. Random characters do not raise suspicion. Your computer also treats the action as something you chose to do, which makes it harder for security tools to block.

What the malware does once installed

The malware that arrives through these commands usually aims to steal information. It can pull saved passwords from your browser, capture authentication cookies, or add remote access tools that allow someone else to connect later. Some versions turn your computer into part of a larger network used for other attacks.

READ MORE:  How to Spot Hidden Malware on Your Devices

Most victims notice nothing. Their computer behaves normally while sensitive information leaves in the background.

Where these fake pages appear

The links to these fake verification pages often come from places that seem trustworthy. Some arrive through hacked hotel or booking accounts containing real reservation data.

Others appear in ads at the top of search results or in routine-looking messages and emails. The scam spreads because the doorway into it feels familiar.

The simple rule that protects you

You do not need to memorize any technical details. Just remember this.

If a website tells you to open Terminal, Command Prompt, or PowerShell and paste in a code, close the page immediately.

No legitimate website will ever ask a normal user to do that as part of a CAPTCHA or verification step.

If you think you may have done this

Do not panic, but take action. Stop using the computer for banking or shopping until it has been checked. Change your passwords from another trusted device, then contact us so we can inspect the system properly and remove anything harmful.

The sooner we look at it, the easier it is to fix.

Hopedale Technologies can help keep you safe

We can scan your computer for hidden issues, adjust your settings for better protection, and provide simple guidance to help you avoid attacks like this. If something ever looks unusual, you can contact us before acting on it.

If you want your computer checked or need a general security cleanup, we are here to help. 

1. Polymorphic Malware
   Polymorphic malware is a type of malware that changes its code every time it replicates. This makes it hard for antivirus software to detect because it looks different each time. Polymorphic malware uses an encryption key to change its shape and signature. It combines a mutation engine with self-propagating code to change its appearance continuously and rapidly morph its code.

This malware consists of two main parts: an encrypted virus body and a virus decryption routine. The virus body changes its shape, while the decryption routine remains the same and decrypts and encrypts the other part. This makes it easier to detect polymorphic malware compared to metamorphic malware, but it can still quickly evolve into a new version before anti malware detects it.

• Criminals use obfuscation techniques to create polymorphic malware. These include:
• dead-code insertion
• subroutine reordering
• register reassignment
• instruction substitution
• code transposition
• code integration

These techniques make it harder for antivirus programs to detect the malware. Polymorphic malware has been used in several notable attacks, where it spread rapidly and evaded detection by changing its form frequently. This type of malware is particularly challenging because it requires advanced detection methods beyond traditional signature-based scanning.

2. Fileless Malware
   Fileless malware is malicious software that works without planting an actual file on the device. Over 70% of malware attacks do not involve any files. It is written directly into the short-term memory (RAM) of the computer. This type of malware exploits the device’s resources to execute malicious activities without leaving a conventional trace on the hard drive.

Fileless malware typically starts with a phishing email or other phishing attack. The email contains a malicious link or attachment that appears legitimate but is designed to trick the user into interacting with it. Once the user clicks on the link or opens the attachment, the malware is activated and runs directly in RAM. It often exploits vulnerabilities in software like document readers or browser plugins to get into the device.

READ MORE: 5 Red Flags of Phishing Emails: Think Before You Click!

After entering the device, fileless malware uses trusted operating system administration tools like PowerShell or Windows Management Instrumentation (WMI) to connect to a remote command and control center. From there, it downloads and executes additional malicious scripts, allowing attackers to perform further harmful activities directly within the device’s memory. Fileless malware can exfiltrate data, sending stolen information to attackers and potentially spreading across the network to access and compromise other devices or servers. This type of malware is particularly dangerous because it can operate without leaving any files behind, making it difficult to detect using traditional methods.

3. Advanced Ransomware
   Ransomware is a sophisticated form of malware designed to hold your data hostage by encrypting it. Advanced ransomware now targets not just individual computers but entire networks. It uses strong encryption methods and often steals sensitive data before encrypting it. This adds extra pressure on victims to pay the ransom because their data could be leaked publicly if they don’t comply.

Ransomware attacks typically start with the installation of a ransomware agent on the victim’s computer. This agent encrypts critical files on the computer and any attached file shares. After encryption, the ransomware displays a message explaining what happened and how to pay the attackers. If the victims pay, they are promised a code to unlock their data.

Advanced ransomware attacks have become more common, with threats targeting various sectors, including healthcare and critical infrastructure. These attacks can cause significant financial losses and disrupt essential services.

4. Social Engineering Malware
   Social engineering malware tricks people into installing it by pretending to be something safe. It often comes in emails or messages that look real but are actually fake. This type of malware relies on people making mistakes rather than exploiting technical weaknesses.

Social engineering attacks follow a four-step process: information gathering, establishing trust, exploitation, and execution. Cybercriminals gather information about their victims, pose as legitimate individuals to build trust, exploit that trust to collect sensitive information, and finally achieve their goal, such as gaining access to online accounts.

5. Rootkit Malware
   Rootkit malware is a program or collection of malicious software tools that give attackers remote access to and control over a computer or other system. Although rootkits have some legitimate uses, most are used to open a backdoor on victims’ systems to introduce malicious software or use the system for further network attacks.

READ MORE: New Gmail Threats Targeting Users in 2025 (and How to Stay Safe)

Rootkits often attempt to prevent detection by deactivating endpoint antimalware and antivirus software. They can be installed during phishing attacks or through social engineering tactics, giving remote cybercriminals administrator access to the system. Once installed, a rootkit can install viruses, ransomware, keyloggers, or other types of malware, and even change system configurations to maintain stealth.

6. Spyware
   Spyware is malicious software designed to enter your computer device, gather data about you, and forward it to a third-party without your consent. Spyware can monitor your activities, steal your passwords, and even watch what you type. It often affects network and device performance, slowing down daily user activities. Spyware infiltrates devices via app install packages, malicious websites, or file attachments. It captures data through keystrokes, screen captures, and other tracking codes, then sends the stolen data to the spyware author. The information gathered can include login credentials, credit card numbers, and browsing habits.
7. Trojan Malware
   Trojan malware is a sneaky type of malware that infiltrates devices by camouflaging as a harmless program. Trojans are hard to detect, even if you’re extra careful. They don’t self-replicate, so most Trojan attacks start with tricking the user into downloading, installing, and executing the malware. Trojans can delete files, install additional malware, modify data, copy data, disrupt device performance, steal personal information, and send messages from your email or phone number. They often spread through phishing scams, where scammers send emails from seemingly legitimate business email addresses.

Protect Yourself from Malware
Protecting yourself from malware requires using the right technology and being aware of the risks. By staying informed and proactive, you can significantly reduce the risk of malware infections.

How does this Facebook scam work?

A friend asking for help

The scam usually starts with a message from someone on your friend list. It could look like they need help recovering their Facebook account or logging in on a new device. They tell you that Facebook will send a verification code to their friends, and they need you to share that code with them.

READ MORE: Time to Review Your Facebook Settings Again

The message comes from someone you know, and they’re asking for help. It seems harmless, maybe even urgent, and who wouldn’t want to help out a friend in need?

The real danger behind the code

The big problem is that the requested code isn’t meant for their account. It’s the code to access your Facebook account. When Facebook sees someone trying to log in from an unfamiliar location or device, it sends a code to the account owner to confirm that it’s really them trying to log in. This code could be sent via text or email, as part of Facebook’s two-factor authentication process.

The scammer posing as your friend is actually trying to get into your Facebook account by tricking you into giving them this code.

Where it gets even trickier

This scam can feel especially convincing for a couple of reasons. First, the person reaching out might be using a fake account that looks exactly like your friend’s, with the same name and profile picture. However, in many cases, the scammer might actually be using your real friend’s account. They managed to compromise your friend’s account first, and now they are using it to trick more people – like you. It’s a chain reaction, where each hacked account leads to more and more victims.

How to protect yourself from this scam

Verify before you act

If a friend messages you asking for a code to help them recover their account, take a moment to verify things first. Don’t feel rushed. Scammers often rely on creating a sense of urgency. Call your friend directly or message them on another platform to confirm that it’s really them.

Never share login codes

Remember, any code that Facebook sends to you is meant to protect your account. It should never be shared with anyone, not even friends. If someone asks for a code sent to you, it’s a red flag.

READ MORE: 10 Ways to Protect Yourself from the Facebook Cloning Scam

Look out for cloned accounts

If you receive an unusual request from a friend, check their profile. Look at their recent posts, photos, or activity. If anything feels off or incomplete, it could be a fake account designed to look like your friend.

What to do if you fall victim to the scam

If you’ve already shared a code and suspect someone might have accessed your Facebook account, here are the steps you should take immediately:

Change your password. Update your Facebook password as soon as possible. Make it something unique and hard to guess.
Enable two-factor authentication. This adds another layer of security to your account. You can set it up so that login attempts require a code from your phone.
Report the incident. Inform Facebook that your account may have been compromised. They can help secure your account and investigate further.

We’re here to help keep you safe online

Navigating the internet can be tricky, and scams like this are getting more sophisticated every day. If you need help securing your devices, give Hopedale Technologies a call. We’re here to look after you and make sure your online experience stays as trouble-free as possible.

Stay alert, stay safe

Remember, a little bit of caution can go a long way towards keeping your accounts and personal information safe. If you’re ever in doubt about a message or request, it’s always better to double-check. Scammers count on us to act quickly without thinking things through. Let’s not give them the chance.

These bots impersonate real users and attempt to scam unsuspecting individuals. This is one of the many scams on LinkedIn. According to the FBI, fraud on LinkedIn poses a “significant threat” to platform users.

Identifying Fake LinkedIn Sales Connections

Social media scams often play on emotions. Who doesn’t want to be thought of as special or interesting? Scammers will reach out to connect. That connection request alone can make someone feel wanted. People often accept before researching the person’s profile.

Put a business proposition on top of that, and it’s easy to fool people. People that are looking for a job or business opportunity may have their guard down. There is also an inherent trust people give other business professionals. Many often trust LinkedIn connections more than Facebook requests.

How can you tell the real requests from the fake ones? Here are some tips on spotting the scammers and bots.

Incomplete Profiles and Generic Photos
Fake LinkedIn sales bots often have incomplete profiles. They’ll have very limited or generic information. They may lack a comprehensive work history or educational background. Additionally, these bots tend to use generic profile pictures, such as stock photos or images of models.

READ MORE: Beware of Fake Meeting Requests

If a profile looks too perfect or lacks specific details, it could be a red flag. Genuine LinkedIn users usually provide comprehensive information. They do this to establish credibility and foster trust among their connections.

Impersonal and Generic Messages
One of the key characteristics of fake sales bots is their messaging approach. It’s often impersonal and generic. These bots often send mass messages that lack personalization. They may be no specific references to your profile or industry. They often use generic templates or scripts to engage with potential targets.

Legitimate LinkedIn users, typically tailor their messages to specific individuals. They might mention shared connections, recent posts, or industry-specific topics. Exercise caution If you receive a message that feels overly generic. Or one that lacks personalization. Be sure to scrutinize the sender’s profile before proceeding further.

Excessive Promotional Content and Unrealistic Claims
Fake LinkedIn sales bots are notorious for bombarding users. You’ll often get DMs with excessive promotional content and making unrealistic claims. These bots often promote products or services aggressively. Usually without offering much information or value.

They may promise overnight success, incredible profits, or instant solutions to complex problems. Genuine professionals on LinkedIn focus on building relationships. They try to provide valuable insights and engage in meaningful discussions, instead of resorting to constant self-promotion.

Be wary of connections that focus solely on selling and that don’t offer any meaningful content or engagement.

Inconsistent or Poor Grammar and Spelling
When communicating on LinkedIn, pay attention to the grammar and spelling of messages. You may dismiss an error from an international-sounding connection, but it could be a bot.

READ MORE: 5 Red Flags of Phishing Emails: Think Before You Click

Fake LinkedIn sales bots often display inconsistent or poor grammar and spelling mistakes. These errors can serve as a clear sign that the sender is not genuine. Legitimate LinkedIn users typically take pride in their communication skills. They try to maintain a high standard of professionalism.

If you encounter messages with several grammatical errors or spelling mistakes, exercise caution. Investigate further before engaging with the sender.

Unusual Connection Request and Unfamiliar Profiles
Fake LinkedIn sales bots often send connection requests to individuals indiscriminately. They may target users with little regard for relevance or shared professional interests.

Be cautious when accepting connection requests from unfamiliar profiles. Especially if the connection seems unrelated to your industry or expertise.

READ MORE: How to Stay Safe While Being Social

Take the time to review the requesting profile. Check their mutual connections, and assess the relevance of their content. Legitimate LinkedIn users are more likely to have a connection. They typically send connection requests to others with shared interests or professional networks.

Need Training in Online Security?
Spotting fake LinkedIn sales bots is crucial for maintaining a safe online experience. By being vigilant, you can protect yourself from potential scams.

Need help with personal or team cybersecurity training? Hopedale Technologies can improve your scam detection skills.

Few of us are big fans of change. It can be easier to keep going down that same path or use that same computer software; it’s comfortable and familiar. However, as of January 10, 2023, Microsoft has stopped providing support for Windows 8.1, which means you need to change.

It’s time.

If you’re still on Windows 7, you are long overdue. Microsoft stopped providing security updates and technical support for that in January 2020. Microsoft did launch an extended service update (ESU) period for Windows 7, but that’s over, and there’s no ESU program for Windows 8.1.

Microsoft recommends moving to a new device that can run Windows 11. They warn against “performance and reliability issues” with older, unsupported operating systems. Another option? Upgrade your current device and install a newer operating system on it.

READ MORE:Should I Upgrade or Buy a New Computer?

You might be suspicious, thinking, “They just want more of my money,” but the manufacturer has already supported these tools for ten years. Plus, computing is changing enough that they must keep up with new iterations of Windows. Then, they focus on keeping the latest releases updated and secure.

Benefits of Upgrading to Windows 11

Statcounter data in 2023 shows that Windows 11 is only on 15.44 percent of Windows systems. Windows 10 has the majority (over 70 percent), but if you’re one of just under 10 percent of users still on Windows 7, make the change now.

Cybercriminals know that people will wait to make the change, and they find ways to exploit the weaknesses of unsupported software. You are particularly vulnerable when relying on Windows 7 or Windows 8.1.

READ MORE:End of Windows 7:  Protect Yourself From Tech Support Scams

Windows 11 is the latest Microsoft offering. They have worked to reduce risk from the latest cybersecurity threats. With Windows 11, you can better protect your files and cut the risk of today’s viruses and malware.

The new operating system is built to be more efficient. Microsoft has tweaked the Windows layout and navigation to help users find what they need and perform tasks more efficiently.

READ MORE:Cool Windows 11 Features That May Make You Love This OS

Not sure what version of Windows you’re using? In the bottom left of your screen, click the Start Menu and press the Windows button on your keyboard. Then, type “system.” Click either the System or System Information icon. Your Windows version is listed at the top of the open window.

Upgrading to Windows 11 from 7 or 8 isn’t free. Only Windows 10 users can upgrade at no cost. Also, to upgrade to a Windows 11-compatible device, you’ll need to get a security chip called TPM 2.0. You’ll unlikely find that chip on a computer over four years old.

Hopedale Technologies stocks desktops and laptops with the newest chip technology. We also can special order just what you need from our suppliers.

Deepfake has gone mainstream. You’ve probably seen a movie or TV show with a character complaining about images or videos that look real. You should also be wary of deepfake voice scams.

Deepfake is a mashup of the words deep learning and fake. The technology uses artificial intelligence and machine deep-learning algorithms. This can create convincing representations of people for special effects or silly videos, but these fake videos or images can also be more dangerous.

Malicious deepfakes spread false information or can defame or scam people. We’d like to discuss that in more detail here: Deepfake voice scams.

This type of scam manipulates synthesized speech to convince you someone is saying something they didn’t actually say. This increasingly common scam tricks you into providing sensitive information or sending money.

Criminals first record a voice sample from their victim. They might use speeches, TikTok or YouTube videos, podcasts, or phone conversations. Then, they turn to a tool such as ElevenLabs, Resemble, Overdub, ReadSpeaker, or Voice.ai. These platforms analyze speech patterns and create a voice mimicking the original. The bad actors can then generate a new speech that sounds like the original speaker said it. They script it, and the Ai voice says it.

READ MORE:  Don’t  Be Scammed by Smishing

Examples of deepfake scams include creating a voice that mimics a family member. They’ll script a request for help in an emergency. Or you might get a call from a lawyer claiming to need payment to help defend a family member.

You might also hear from a celebrity who wants you to donate to their charity. The fake voice might also ask for sensitive information such as banking details. After all, who wouldn’t trust Liam Neeson if he called personally?

READ MORE:  4 Simple Tips for Safe Internet Banking

A tech support scam is another common one. The scammer creates a voice for a customer support rep from a prominent company. They request remote access to your computer to “fix” a non-existent problem. Instead, they’ll steal sensitive information such as login credentials or install malware.

How to defend against deepfake scams?

This technology does a good job, and the scam can be very convincing. Be cautious of unexpected requests for personal information or money made by phone. Be especially suspicious if the request appeals to you emotionally to act now.

READ MORE:  6 Ways to Combat Social Phishing Attacks

Confirm before you share sensitive data or transfer money. For example, if you’re asked to pay a lawyer to help out your grandson in an accident, check in with him first. Or, if someone calls from your internet service provider, use a trusted phone number to confirm their authenticity.

We can help you combat deepfake scams. We can install email and web filtering, multi-factor authentication (MFA), and endpoint protection. Hopedale Technologies can also watch networks for signs of attack and respond to cut potential damage. Call us today at 508-478-6010.

Cybercrime research shows the season “dramatically impacts” the volume of phishing attacks. Phishing attacks “spiked to more than 150% above average” the week before Christmas. After the holidays, the number of attacks dwindled significantly.

Why would hackers target a business during the holidays? Because they know things can slow down and people aren’t paying the same diligent attention. They’re already mentally out the door sipping eggnog and planning where to do last-minute shopping. Oops! They click on a malicious link or fill out a form seeking sensitive information. Learn how to stay safe shopping online this holiday season.

Or they expect you’re overwhelmed, trying to get everything done before the holidays. Purchase orders, bills, and emails are flying around. They bank on people overlooking details.

The Basics of Phishing

Do you know the 5 red flags of phishing? Phishing uses social engineering to expose security weaknesses and leverages potential vulnerabilities. The hacker dupes someone into responding to a fake request from a bank, vendor, or colleague. They are hoping to get a nibble from unsuspecting employees who don’t think to:

• check the spelling of the URLs in email links;
• be wary of URL redirects to fake sites made to look legitimate;
• question why Jamie in HR needs their access credentials;
• contact the sender of a suspicious email for confirmation before responding.

During this season at the office, everything can feel urgent, and employees are more likely to fall for emails telling them to do something right now. They might not notice that the invoice from a usual supplier has a new bank account number, or they could fall for something dumb because they are distracted or too busy.

Top email subject lines that target employees for phishing attempts include:

• “Undelivered mail”
• “HR: Your Action Required”
• “HR: Download your W2 now”
• “Microsoft Teams: Rick sent you a message.”

It’s easy to imagine how someone would click on those without thinking twice.

What to Do About Phishing

You can communicate with employees about the dangers of phishing and educate them about prevention. Also, reiterate policies around payment, wire transfer, data sharing, and sending confidential data. 

Other preventative measures include:

• Make sure all security updates are current and installed to patch known vulnerabilities. Check out why Windows Updates are more important than ever.
• Set up automated filters to check the safety of links in inbound emails before they get to the user.
• Test your infrastructure to identify any weak points.

Finally, if you hire any temporary staff to handle a holiday crush, be sure to limit their access. Then, when their contracts expire, immediately revoke their systems and network access.

If your business is too busy to focus on phishing prevention, we can help.

The number of digital buyers is steadily climbing. In 2020, according to Statista, more than two billion people purchased goods or services online. During the same year, e-retail sales surpassed $4.2 trillion U.S. dollars worldwide.

Retailers are embracing the change in consumer behavior. But, do you know who else is taking advantage? Cybercrooks. Before you buy, consider these strategies to stay safe.

#1 Question that great deal

If a deal looks “too good to be true,” it probably is. You’re not going to get a new Apple laptop for $29.99 or the latest Beats headphones or Xbox gaming console for under $20. Anyone offering that price is trying to lure you to their site to enter your payment details, so don’t be surprised when your product never arrives!

#2 Review seller feedback

While scrolling social media, you see ads for perfect gifts for someone on your list. And it’s so easy to click the link and buy! Still, before purchasing, take the time to research the seller.

Read the feedback from other buyers on independent sources. It adds only a few moments to check sites such as Yelp and Google.

#3 Research the business domain

Think about it: who are you more likely to trust with your sensitive data? Someone who has been in business ten years or someone who set up shop ten days ago? Quickly check how long a business website has been around. Enter the URL into the Internet Corporation for Assigned Names and Numbers’ lookup tool.

#4 Watch out for email scams

Before clicking on any offer links in emails, check the URL. You can hover over the link before actually redirecting there and check the target. Double-check that the address is to the site you’re expecting.

Also, slow down and be sure that the address doesn’t have any typos or atypical endings. You don’t want to confuse www.nike.com with www.n1ke.co and end up a victim of identity theft instead of the proud owner of the latest Air Max.

#5 Check payment site security

There are several ways to verify the security of a payment site. These include:

• verifying that the site uses an SSL certificate – it will start with “HTTPS” instead of “HTTP”;
• checking for a physical address and phone number – call the contact number to confirm it’s not fake;
• reviewing the Terms and Conditions and Return and Privacy policies – any reputable brand has these!

#6 Pay with Online Payments

When you do decide to buy, prefer to pay using PayPal or another online payment tool. You won’t be giving the seller your credit card details. If you can’t take this approach, use a credit card from a credit account rather than debit. You will have more protection this way. You can start a chargeback through your credit card company when the item isn’t as advertised, and the seller’s customer service doesn’t help.

Before online shopping, at any time of the year, update your operating system, and keep your antivirus software current, too.

Smishing is high up on the list of words that do not sound as intimidating or threatening as they should. Smashing the word fishing together with the “SM” for short messaging service (aka text), smishing is a cyberscam.

Especially with online shopping skyrocketing during the pandemic, delivery smishing has gained traction. Don’t fall victim to this type of cyberattack.

What does smishing look like?

You’ll get a text message that appears to be from a shipping company. You’re told you have a package coming but that more information is needed to ensure delivery. You’ll squeal, “a package!” OK, maybe you won’t squeal, but you’ll feel the anticipation and click on the link to help deliver that package to your door.

You might already be expecting a package. After all, as recently as June 2021, PWC was describing a “dramatic shift” toward online shopping. According to its most recent consumer survey, in the last twelve months:

• 44% of those surveyed bought online using a mobile phone or smartphone;
• 42% used smart home voice assistants to shop online;
• 38% used a tablet for online shopping;
• 34% bought something online via PC.

So, you might not think twice about clicking on a link appearing to be from a major delivery service.

Don’t do it!

What happens next?

You click on the link and are asked for personal information, even a credit card number or password. Otherwise, clicking on the link will download malware onto your phone. The bad guys use their access to snoop and/or send your sensitive data to its servers without you knowing it.

The smishing scam is a global one:

• March 2021 saw a 645% jump in Royal Mail-related phishing attacks, equating to an average of 150 per week.
• UPS warns about this type of fraud on its website.
• FedEx has tweeted the reminder, “We do not send unsolicited texts or emails requesting money, packages, or personal information. Suspicious messages should be deleted without being opened and reported to abuse@fedex.com.”

Package delivery isn’t the only common smishing tactic either. You might also see:

• urgent messages saying your bank account is locked;
• a warning from your credit card company about a fraud alert;
• something promising that you’ve won a great prize;
• an unusual activity report from a company where you have an account.

All that would get your attention, right? So, what do you do about smishing? That’s covered next.

Protect against smishing

Avoid getting drawn in by the urgency or emotional appeal of the SMS. Don’t click the link, and don’t call the number in the message either. Instead, look through your bills or go online into your account for information on contacting that company.

Reputable mail carriers and financial institutions won’t send text messages asking for credentials, credit card numbers, ATM PINs, or banking information.

Look at the sender more closely. A message from a number with only a few digits was likely sent from an email address, which can flag that it’s a scam.

Also, don’t store personal banking or credit card information on your mobile phone. That way, the criminals can’t access it, even if they get you to download malware onto your phone.

You can help others not to fall victim to smishing as well. Report any attempts to your wireless carrier.