
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘SMS / Texting’ Category

iPhone 5: If Rumors Spiked Massive Scam Increase, What Will Launch Do?


Friday, September 14, 2012 by Mary Landesman

Undoubtedly, pre-orders for the iPhone 5 are flooding in for Apple today. Will SMS scammers follow suit with a surge in iPhone 5 scams? After all, last February’s iPhone 5 release rumors spawned a pretty massive spike in iPhone 5 scams so it stands to reason the actual release of the device will have an even larger impact. While it’s still too soon to tell, here’s an overview of iPhone 5 SMS scams thus far this year.

The chart below shows the February spike and the March 2012 peak (4851 unique pitches) that occurred as a result of the iPhone 5 rumors. The number of unique pitches is telling because it indicates how much effort is being put into a specific scam (and thus serves as a possible indicator of how successful the particular scam is in netting new victims).

Cloudmark chart of unique iphone scams

While the number of unique pitches isn’t necessarily indicative of total volume, we find that in most cases the higher the number of unique pitches the scammers employ, then the higher the overall volume of that particular spam run. And that’s certainly the case with the iPhone 5 scams – the volume follows a near identical trajectory.

Cloudmark chart of volume of iphone 5 scams

It’s pretty obvious the scammers are closely tracking iPhone 5 launch developments. In March 2012, over 99% of iPhone 5 related SMS spam was so-called “Test & Keep” scams and only 0.81% tried to convince the recipient they had won an iPhone 5. However, thus far in September only 33% have “Test & Keep” as the hook, whereas 56% claim the recipient has won an iPhone 5.

Cloudmark chart of iPhone 5 scam hooks

Most telling, of the September iPhone 5 winner scams, all but 0.4% (zero point 4 percent) occurred on September 12 and 13. Which means the scammers are paying close attention to the launch and tailoring their pitch accordingly. Does that mean there will be a marked increase in iPhone-related SMS scams in the near future? Given the significant impact the February rumors had on overall volume, it’s quite likely – but of course it’s much too soon to tell. We’ll be watching.

Severe Surge in SMS Phishing Attacks


Friday, September 07, 2012 by Mary Landesman

During the first week of September, Cloudmark observed a 913% increase in the volume of SMS phishing attempts, making SMS phishing currently the single largest SMS text messaging threat. The surge appears to be the result of a single set of attacks which initially started on September 4th. Thus far, attackers have used over 500 unique pitches in the phishing scams, but the general characteristics are as follows:

Fwd:Good Afternoon .Attention Required Call.(xxx)xxxxxxx

The phone numbers victims are instructed to call include:


Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials. These ploys range from claims of Bank of America account suspensions, Macy’s credit card collections, and even the U.S. Veteran’s Administration health services.

Victims who fall for the phishing scam and divulge their credentials risk being subjected to bank account theft, credit card fraud, and even outright identity theft. Stolen information can even be used in social engineering scams to elicit further information from unrelated accounts.

If you’ve been the recipient of this SMS phishing attempt, forward the text to short code 7726 to notify your carrier and to facilitate resolution. And remember, never divulge sensitive information to any source you have not fully vetted. When in doubt (which you always should be) contact your bank, credit card company, or health provider by known good numbers you have on file – never respond via the contact details provided in an unsolicited SMS text.

Paul Ryan Targeted by Political SMS Spam


Wednesday, August 15, 2012 by Andrew Conway

On Saturday, Mitt Romney, the Republican nominee for President, announced that his running mate was to be Paul Ryan, a congressman from Wisconsin. What has this to do with spam, you ask? Well, early Tuesday morning our SMS spam reporting service started getting reports of a new attack. It was low volume compared with the gift card or free iPad spams, and only lasted a few hours, but the content was something new. Here’s a typical example:

Voter #37175 Paul Ryan is secretly an atheist, Don’t vote for Godlessness! Do your research Tell your friends!

The sender used typical spammer techniques to try to avoid being blocked. The voter number varied, there were variations in the wording in different messages, and each one came from a different phone number with area codes scattered all over the country.
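As an added example (not Cloudmark's code or method), here is one way a defender could group reported messages into campaigns despite the rotated voter numbers, callback numbers and wording described above and in the phishing post: mask the rotating fields, then cluster by word overlap. The sample reports, the 555-01xx numbers, the 0.6 threshold and all function names are constructed for illustration.

```python
import re

PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
NUMBER = re.compile(r"\d+")
WORD = re.compile(r"[A-Za-z']+")
THRESHOLD = 0.6  # assumed similarity cut-off; tune against real report data

PHISH = "Fwd:Good Afternoon .Attention Required Call.(555)0100123"
VOTER = ("Voter #%d Paul Ryan is secretly an atheist, Don't vote for "
         "Godlessness! Do your research Tell your friends!")

# Constructed (sender, text) reports modelled on the two pitches quoted on this page.
SAMPLE_REPORTS = [
    ("+15550100001", PHISH),
    ("+15550100002", PHISH.replace("0100123", "0100456")),   # rotated callback number
    ("+15550100003", PHISH.replace("Afternoon", "Evening")), # wording variation
    ("+15550100004", PHISH),                                 # same pitch, new sender
    ("+15550100005", VOTER % 37175),
    ("+15550100006", VOTER % 48210),                         # rotated voter number
    ("+15550100007", "Voter #10593 Paul Ryan is secretly an atheist. "
                     "Do your research and tell your friends!"),
    ("+15550100008", "Your pharmacy order is ready for pickup"),
]

def normalize(text):
    """Mask the fields a sender rotates, then reduce the text to a set of words."""
    text = PHONE.sub(" PHONE ", text.lower())
    text = NUMBER.sub(" NUM ", text)
    return frozenset(WORD.findall(text))

def jaccard(a, b):
    """Word-set overlap between two normalized messages, from 0.0 to 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster(reports, threshold=THRESHOLD):
    """Greedy clustering: a report joins the first campaign whose template it resembles."""
    campaigns = []
    for sender, text in reports:
        tokens = normalize(text)
        for c in campaigns:
            if jaccard(tokens, c["template"]) >= threshold:
                break
        else:
            c = {"template": tokens, "texts": [], "senders": set()}
            campaigns.append(c)
        c["texts"].append(text)
        c["senders"].add(sender)
    # Report the two measures the posts distinguish: unique pitches and total volume.
    return [{"example": c["texts"][0],
             "volume": len(c["texts"]),
             "unique_pitches": len(set(c["texts"])),
             "senders": len(c["senders"])} for c in campaigns]

if __name__ == "__main__":
    for summary in cluster(SAMPLE_REPORTS):
        print(summary)
```

Blocking on the sending number alone would treat every one of these reports as unrelated, since each comes from a different number; grouping on the masked text keeps the campaign visible as the sender rotates.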

Personally I see nothing wrong with being an atheist, but apparently it was intended as an insult. In any event it is an absurd and easily refuted attack, as Mr Ryan is a Roman Catholic. Is this a loner trying to stir things up, a left winger trying to discredit Ryan with the religious right, or a right winger trying to change the subject of the election from Medicare and taxes, and discredit the left into the bargain?

Whoever it is should remember that the penalties for SMS spam are quite severe. Heartland Automotive Services (the largest Jiffy Lube franchisee in the US) and their SMS Marketing company just agreed to a $47 million settlement for sending out 2.3 million unwanted SMS messages last year. That’s over $20 a message, which is pretty expensive advertising, but the penalty under the Telephone Consumer Protection Act could be as high as $500 per message.

Let’s hope that this was a one off event, and not a trend. Your right to political free speech does not extend to my SMS plan, thank you very much! Please help us to monitor and block all SMS spam, commercial and political, by forwarding spam messages to 7726 (that’s SPAM spelled out on your keypad).

 

Olympic gift cards with a shot of Starbucks


Monday, August 06, 2012 by Chris Barton

The Cloudmark security operations team have been expecting to see the gift card SMS spammers change to an Olympic theme for some time. This weekend it happened when the following campaign was detected.

Go USA! Starbucks is giving away free gift cards as part of our London 2012 Olympics Campaign! Grab one today at our website at www.[redacted].com

It’s been a long wait. Unfortunately for the spammer, the Cloudmark security platforms have had protection for this particular campaign for some time.

Take a look at the terms and conditions … Is changing your broadband provider and taking out a personal loan really worth the $100 coffee reward?

Impossible to qualify? Expensive at least!

Anyone that signs up for these offers also opts in to 10 types of additional advertising.

Optical express SMS Spam in the UK


Monday, August 06, 2012 by Chris Barton

…You couldn’t have picked a worse person to txt spam.

SMS spam is one of the more annoying marketing practices of the mobile age. SMSs have a sense of urgency only outprioritized by the telephone call. This makes them hugely attractive to marketing companies in many countries, including the UK where I live. These companies blatantly advertise massive open-rates for the SMS channel, yet fail to inform customers that it’s one of the more annoying advertising methods.

Optical Express for example have been using SMS advertising for quite some time and we see a moderately unhealthy level of complaints to the 7726 and 87726 spam reporting services from UK mobile subscribers.

Here is a graph from the system:

3 month view, logarithmic scale

Most of the reports we see are obvious scams.  In contrast, Optical Express had the highest level of complaints among the SMS messages that appeared to be advertising a legitimate service.

At first we suspected that as Optical Express are running an affiliate program then bad policing of affiliate behavior would be the issue, as we know from past experience that spammers love to abuse affiliate programs that have poor oversight.

However, their SMS campaign targeting recently gained my undivided attention, on a quiet Sunday afternoon.  No, they didn’t spam the chief exec at Cloudmark, they spammed my wife, whilst she was snoozing.

So I decided to do some investigations into what was going on with Optical Express and to contact someone responsible to complain about the spam.

It never hurts to ask!

So earlier this week I called the Optical Express press office and had an eye-opening conversation. It’s not affiliates spamming at all, it’s actually a direct advertising campaign.

Optical Express’ press officer kindly offered to find out where our number had come from; however, this was not my intention, so I quizzed her further and she readily admitted that Optical Express’ online marketing department was sending SMS marketing campaigns to both internal leads and third party leads which are purchased from another company. She couldn’t answer questions about that company but she offered to put me through to the online-marketing department for further assistance.

Let me take a break and explain for a second how “opt-in” co-reg marketing works with an analogy shared with me recently:

A husband gets permission from his wife to go to the pub on certain nights of the week with his mates, then sometime later gets divorced, re-married, and then uses the original permission as an excuse when his new partner moans about his social habits.

In truth, it’s probably worse than that because husbands could rent permissions from their ex-wives to one another too ;-)

Enter a “free prize draw” for a phone or iPad today and possibly miss the opt-out tick boxes on an insurance comparison site, and technically you give permission for direct marketing and “partner” marketing FOREVER, where “partners” rent and sell these opt-in permissions by the lorry load, ad nauseam. If only they made widespread opting out so easy. The same is true for insurance comparisons & extended warranty sites where marketing opt-in boxes are increasingly checked by default (or opt out boxes are unchecked by default) and often hidden behind off-page policy links. We bought a freezer with just such an example the other day:

www.myliebherr.co.uk (DomGen) hidden opt-in example

 

“So, how did Optical Express get my number?”

The gentleman that instantly answered the phone in Optical Express’ online marketing department was hugely helpful with my inquiry and gave me details of the companies they use to drive the third party campaign:

The SMSs are sent by Dynmark, however interesting they may appear, it’s irrelevant as there are many bulk SMS providers. I mention them here in the hope they understand the method completely.

I was also told that the mobile numbers for the third party campaign sent out by Optical Express come from a company called (DMLS) Direct Marketing Lead Solutions.

One look at their website should set alarm bells ringing for anyone that dislikes spam or promotes responsible & honest messaging practices:  Lead Generation, Co-Reg, Email Appending, 50m Email Addresses, Prize Websites, Etc.

In their online brochure I found this gem: “DMLS rents millions of SMS numbers for its successful marketing campaigns.” … Hold on a second, rents? Why is this sounding like a tool hire shop? I digress…

I’m not a lawyer but the practices of lead generation companies seem technically legal in the UK from a data protection point of view to me. However, I’m an advocate of the spirit of the law vs. the letter of the law argument in such circumstances. As a reasonable person, if I give personal details to a company, I have a relationship with the company, and do not expect them to be generating an additional channel of revenue trading contact details to marketing firms, who then sell/rent/lend/append them onward again. Default opt-in to 3rd (plus) party marketing is pretty unethical in my humble opinion.

Usually I’d fill this space with good advice on how to avoid opting in to these “services” by being diligent or complaining creatively, but not in this case. Should you wish to contact the ICO to complain about the use of your mobile number for SMS marketing then they have a link on their homepage and have some interesting powers.

Good luck!

Chris.

PS. “Raise hell and change the world”

Dialing in to SMS Spam


Tuesday, June 05, 2012 by Mary Landesman

The number of unique SMS scams has quadrupled over the first five months of this year – and it’s little surprise. SMS text message open rates are reportedly as high as 90% or better, with the DMA reporting SMS messaging click through rates of 14% and an 8.22% conversion rate. Conversely, email has an open rate of only 20%-25%, click through of 6% or less and a measly 1.73% conversion rate. In other words, SMS offers a better ROI (return on investment) for spammers.

So where is all the SMS spam coming from? According to an analysis of Cloudmark data, the majority of SMS text messaging spam originates from New York City, Southern California, New Jersey, and Florida. Several possibilities exist for why this is so.

  1. SMS spammers prefer to live in major metropolitan areas. Indeed, if you view the infographic below illustrating the top 25 senders’ area codes, these map fairly well to the top most populated metro areas.
  2. SMS spammers are targeting recipients that live in major metro areas. This theory actually doesn’t pan out. Further analysis shows that only about 36% of top sender and recipient area codes overlap.
  3. Long code providers are more prevalent in major metro areas. This last theory is probably the most apt. Long codes are virtual 10-digit phone numbers that enable the sending and receiving of SMS over landlines – no mobile device needed. Long codes are not only low cost and efficient, the virtual numbers are not as tightly regulated as short codes are and thus provide a more hospitable environment for would-be spammers.

In fact, when viewed from a total volume perspective, spammers using short codes aren’t nearly as common – the majority of SMS spam and scams come in via long code numbers. And speaking of scams, of those unsolicited SMS text messages, about 92% of SMS spam are fraud-related scams designed to harvest personal information and/or trick the recipient into doing something costly and unwise.

How to easily tell if you can report text spam from your phone


Tuesday, October 18, 2011 by Angela Knox

If you have a smart phone with a QR reader, then you can scan the QR code below and it will prepare a text message with the text “HELP” to send to the short code 7726 (S-P-A-M).

If your mobile operator supports reporting text spam to 7726, then you should get back a text that confirms that 7726 is for spam reporting.

If you don’t have a smart phone, or a QR reader, you can still test it out. Just type the word HELP as a text message and send it to 7726.

If you don’t get a message back, it may be that your mobile provider uses a different short code or they may not have implemented spam reporting yet.  In which case, you should refer to their website to find out the recommended way to report spam.

Always remember that spam is unsolicited, unwanted messages from someone you don’t know.  If you signed up for the text messages, then you should be able to unsubscribe by replying “STOP” to any message they send you.

 

Boy Scouts using the Positive Power of Text Messaging


Tuesday, September 27, 2011 by Angela Knox

Cloudmark’s drive to equip users with the power to report messages they didn’t sign up for (using the 7726 (S-P-A-M) GSMA service) and protect mobile users from spammy text messages,  means that we spend a lot of time thinking about the negative content that gets sent by spammers.

So it’s nice to be reminded that text messages have a lot of power to be used for good.

I love this story from tatango’s SMS marketing blog.  The Boy Scout National Jamboree allowed parents and scouts to sign up for text message updates.  They then used text messaging to keep in touch and send updates.  They sent the scouts messages like: “As u head back, stay with the group or at least a buddy. Remember to go left at the asphalt road and head back.”

They were also able to let parents know that a tornado that touched down in DC hadn’t impacted the Jamboree and that everyone was ok, minutes after the tornado passed through.

It’s a really nice example of the positive power of  text messaging.  You can check out the full story here: http://www.tatango.com/blog/tatango-customer-spotlight-boy-scout-troop-831/

Vodafone New Zealand supports 7726 to report SMS spam


Friday, August 26, 2011 by Angela Knox

A recent article from New Zealand indicates that Vodafone New Zealand also encourages their users to report SMS spam to 7726 (S-P-A-M). (See: http://www.theaucklander.co.nz/news/txt-for-trouble/1080298/)

“Vodafone says if a customer does receive spam they should forward the message to 7726…”

Vodafone also lets you know how to report your complaint to the  New Zealand government’s Department of Internal Affairs, so that they can take action.  It appears that New Zealand takes spam seriously.

Hopefully more and more mobile operators around the world will support reporting spam to a well known short code, so that messaging streams can be protected.  People should be able to get the messages they want and they shouldn’t have to deal with or be charged for, the messages they don’t want.

Mobile Messaging Senders Need to Play by the Rules Too


Thursday, August 18, 2011 by Angela Knox

Cloudmark provides spam and abuse filtering for email, text messaging and social networking traffic.  So in addition to encouraging email senders to follow good email sending guidelines, we also want text message senders to follow good text message sending guidelines.

Over on tatango, which is an SMS Marketing Blog, they have a good write up today on making sure that your text messaging marketing is compliant with the Mobile Marketing Association’s (MMA) Consumer Best Practices. (See: Lessons Learned From Trump Mobile Alerts)

Just like in email, senders need to tell people up front and make it very clear, what they’re going to be sending people and how often they’re going to be sending it.   And senders need to check that the phone number a person signed up with is actually their phone number and not someone else’s phone number.  Just like senders should confirm that the email the person signed up with is their email address and not someone else’s.

Unlike email, some people get charged per message for each text message they receive.  Plus their phone is going to beep or buzz when the message arrives.  So senders better make sure the person wants that SMS.

Spam buttons have been available in email clients for a long time and when people get annoyed by email messages they don’t want, they often mark the email as spam.  Although many people aren’t aware of it, some mobile providers also have a system for reporting unwanted SMS text messages.  The process differs by operators but can be as easy as people forwarding unwanted SMS text messages to “7726” (S-P-A-M).

Of course, if a person legitimately signed up for an SMS message, and they trust the sender, they should be able to unsubscribe by replying STOP to the sender.  If the sender is playing by the rules, no further SMS messages should come from that sender.

Cloudmark is involved in an initiative with the GSMA to collaborate with operators globally on the war against SMS spam. See: http://www.gsmworld.com/our-work/mobile_lifestyle/spam/spam_reporting.htm for more details.

In summary, text message senders should check to make sure they’re following all the rules and only sending to people who know what they’ve signed up for, because 7726 and similar services are going to let the mobile providers see which senders are not playing by the rules.

