Tech scams are evolving faster than we can fight back. Here’s why.

Dubious text messages from unknown numbers were multiplying before my eyes. More worryingly, they were starting to evolve.  

I’m not talking classic phishing strategies (the IRS is trying to reach you; you need to verify your bank account; you’ve just won a contest); these were easy for even the most distracted, low-IQ version of my brain to spot. It was too easy to junk a message from any unknown sender that offered a URL. After a while, the unknown senders seemed to know it.

My first hi, who is this? text with no link slowed me a little — it is at least plausible that an old acquaintance lost all their digital contacts and found my number written down somewhere. But wouldn’t they also introduce themselves? I deleted those too, repeatedly on every Apple device, because iMessage isn’t sophisticated enough yet to let us rid ourselves of scam texts on iPhone, iPad and Mac with a single tap/click. 

Then I received a text from a New York number with a single alarming sentence: What’s wrong with you? Probably a scam, I reasoned, but still the hairs stood up on the back of my neck. What have I done?, said a small voice in the fear center of my brain, the rest of which supplied so many possible answers that the fear voice continued: How did they know? 

The calmer, more amused part of my brain almost wanted to congratulate the scammer. We’re social creatures, and science tells us we’re wired to worry about rejection and disapproval. So I did something I’d never done before, the one thing we should never do: I wrote back. 

OK, I’ll bite, I texted. Who is this? 

What’s wrong with us

Compared to everything else wrong with the modern world — democracies in danger, a pandemic that won’t quit, climate change-driven floods and fire and famine — scam artists getting all up in our technology business may seem a trivial problem. But they’re not. A stunning $137 million was reported lost in the U.S. in 2021 from frauds that started with scam texts, according to the FTC. The median loss: $1,000 a person.

There’s every reason to believe the 2022 number will top that, by a lot. According to the experts and services that monitor this stuff, scam robocalls are down – not gone, but significantly down, because who under the age of 50 answers their phone any more? 

Meanwhile, robotexts are up. Way up. In 2020, according to a report from Robokiller, an app that aims to block spam texts, U.S. residents received a record 4.5 billion spam texts a month. By July 2022, that number had soared to 12 billion. (It dipped slightly in August, to 10.8 billion; perhaps even scammers need vacations.) 

Dig into the details, and a troubling trend emerges. The species of scam are starting to fit seasonal niches. Travel-based texts rise in the summer, often linked to fake booking websites and fake customer service numbers. We’re primed to expect flight cancellations, which are more frequent now than in the Before Times — and with the weather getting weirder, it’s only going to get worse. 

In the holiday season, when we’re all expecting packages, scammers switch to their most popular category overall: delivery scams. “Your Fedex package is waiting for you to set delivery preferences,” says one common text, playing on our fears that we were so distracted we forgot to check some box or other on the order page. Increasingly, the scammers know the name associated with any given phone number, so they’ll add that for a personal touch.

Robokiller estimates we’ll end the year with 13 billion delivery scam messages in the U.S. alone, more than double the 2021 total. 

Where is the FCC, the agency said to protect us from all this nonsense? It’s catching up, but at the speed of bureaucracy. Just this week, after a one-year delay, FCC commissioners voted 4-0 on a proposal that … seeks comment from cellphone providers on whether they should be required to block texts from known fraudulent numbers.

In other words, the horse has bolted, and the government is asking stable manufacturers what they think about making doors that sorta maybe close.

The name’s Likely. Scam Likely. 

It’s not that our leaders can do nothing. A stalled U.S. Congress actually managed to pass bipartisan legislation on robocalls, the TRACED act, in 2019. A communications technology framework called STIR/SHAKEN was introduced in 2021, requiring carriers to alert us to calls from spoofed numbers. (You really want to know what it stands for? Okay, here goes: Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using toKENs. Glad you asked?) 

This is why AT&T users have started seeing Spam Risk on certain calls (but not all scams, natch.) If you’re on T-Mobile or Sprint, this is why you’ve been getting calls from someone who sounds like a character in a Dickens novel: Spam Likely. 

Despite its thirsty James Bond acronym, STIR/SHAKEN has barely scratched the surface of the robocall problem. Robokiller says we’re still on track for 86 billion spam calls in the U.S. in 2022, because there are plenty of people who still pick up their phones – and many of them can be quite easily cajoled or scared.

To get a taste of how easily we can be taken in by a vast criminal money-laundering network pretending to be Homeland Security or the IRS, check out “Scam Likely” – also the name of season four of the popular podcast Chameleon.  

Scammers as friends, friends as scammers

Even the most tech-savvy of parents can see online social life in a different, old-school, more sincere way than their cynical kids. My British mum had a moderately popular Instagram account consisting of nothing but flowers, and always felt the need to reply with a polite thank-you note to every comment and DM.

That’s how she fell victim to a Russian hacker who got her to hand over her account password on the promise of a blue check earlier this year – then held it to ransom for a moderate sum that she refused to pay, on principle. Mum hadn’t set up two-factor authentication (as her remote IT technician, I blame myself). But the hacker did set up two-factor using his phone, so Instagram’s automated system couldn’t help. She was locked out for good.

Bless her, she just started another account full of flower photos; one that now has almost as many followers as the old. But she paid the price in fury, frustration, and stress. 

Often the outcome is worse. I know a handful of other folks – and have seen dozens more on Reddit – who lost access to their Instagram account thanks to a cunning scam you might call the friend chain. 

Here’s how it works. A friend DMs you: they’ve lost your phone number. In fact, it’s a fake account with a slightly different name pretending to be your friend, but since the account is using the friend’s profile photo, you don’t know that. The friend says they’re locked out of their Instagram account, and can you send them a screenshot of the link that was just texted to you? 

Sure, whatever. You’re busy. It’s a friend. Your defenses are down. And before you know it, the spoof friend has locked you out of your Insta. Now the process can start again with your contacts – only they don’t need to spoof your account this time. They’ve got the real thing, perfect for fooling your friends. And you don’t get your account back until you pay up. 

The Better Business Bureau has tried to make us aware of this Insta scam, but how many see their alerts? Meta clearly knows about it, but that particular honey badger has never cared. The war is effectively surrendered. We’re just expected to live with this sort of scam going on, like background radiation: you know it’s there, you just hope you don’t come too close to too much of it, and that your friends don’t turn into mutant copies of themselves. 

If you want a picture of the online future where we’ve pretty much surrendered to the scammers, look at email. Spam is an old, ongoing problem that we treat as background noise. Gmail’s spam filters, which annoyingly will often claim an email from a business partner or a friend, seem to be letting more through the net every day. 

Personally I spend at least 20 minutes a day trying to train my personal Gmail to recognize spam, which continually overwhelms actual legitimate messages in my inbox. (Granted, this may have something to do with my particular ongoing mistaken identity problem, but the trend is only going in the wrong direction.) 

The scammers are moving far faster than attempts to catch them. As soon as we’re used to attacks on one platform, they slide into our DMs on another. Maybe this is just one more area where we’re simply going to have to train our brains to match more patterns and become more cynical every time we unlock our phones, no matter what other attention-reducing factors are filling our lives. 

Good luck with that, everyone. 

Text exit stage left

So what happened to my texting correspondent with the “What’s wrong with you” message? When challenged, they claimed to have tried to reach me on WhatsApp, but received no response. They said they were trying to reach a business associate named “Denver.” Their assistant messed up the numbers, they said.

You talk to all your business associates like that?, I asked. 

“I sent it to my subordinates, can’t I?” came the linguistically challenged response. 

Further inquiries about the effectiveness of “What’s wrong with you” versus a simple “Hello” went unanswered. 

Bugging scammers and spammers as much as they bug us was a trope some comedians used during the 2010s, a bordering-on-cruel one (many people like Denver’s friend are just low-level foot soldiers in a large scam empire).

Besides, the foot soldiers seem to be adjusting to the timewasting tactic, too. It is a far more efficient process to withdraw when challenged, giving them more time to focus on the gullible marks. So long as enough of us provide them with a payday, the incentive remains, and scammers will continue to evolve their tactics.

Life, in short, finds a way – especially the lowlives in the shadowy corners of our always-on world.