In the US, UK, and other countries, scammers are using legit-looking text messages (SMSs) to lead users to their malicious websites. If caution is not exercised, it could lead to your identity theft and/or financial loss.
Looking at the image above, you can see iOS is providing the convenience of a preview of the link included in the text message. This opens the door to potentially serious security and privacy issue – explained below.
Receiving such text messages is not uncommon and there are no stopping scammers from sending such legit-looking messages, emails, calls, and even posts.
A recipient who suspects nothing and clicks/taps on the link, then they have opened themselves to a serious security breach.
Did you think the message was legit? If so, please visit the following the US and UK Govt issued advice on how to deal with such text messages:
However, if you suspect that a message/email you received could be a scam, you might think:
oh, it could be a scam but I do have an HSBC account, my Phone has a preview feature so I will use that to see if the link leads to HSBC.
An average user
That makes sense, right? Anyone who suspects or uses caution, when such a message is received, will want to establish whether it is a scam.
The Two Serious Issues with Tap to Load Preview
The Tap to Load Preview (and similar features in Messenger, Skype, WhatsApp, Facebook) is not helping here at all. There are two serious issues:
- It can mislead many people into thinking that previewing the link is safe – even when they believe the message is probably a scam. This is a potentially serious problem.
- When the preview is loaded and appears to be legit, the user is more likely to click the link. It can give users a false sense of safety.
What Happens When Preview is Loaded?
When a preview is loaded, it is like clicking on the link and opening it – although opening the link is more serious. In most apps, when a Preview of a link is loaded, the scammer gets to know your public IP address and some information about your device (that you are using such as phone, laptop). Also, the scammer knows you loaded a preview. In most of cases, the links sent by the scammers are unique to each recipient, therefore when you preview that link, they exactly know which mobile number (or email address) opened the link.
Note that your scammer knowing your IP address means they also know your location (at a city level at least, if not more precisely). Also, they know your contact information (mobile number of email address) and importantly that you are someone who is likely to open link previews for any future messages sent to you even when you identified the message itself as scam or malicious. The scammer could then use all that information to target you in their future messages to you. For example, in a future text message, they might include your city name in the scam message to make it look more relevant and real to you.
Remember, the more scammers know about you, the more equipped they are to gain further pieces of information about you, eventually leading to your identity theft and other quite serious problems such as stealing money from your bank account.
Conclusion
- Never load link previews when the app says ‘Click/Tap to load preview’
- Disable (auto) link previews if possible. Not all platforms and apps allow that option but contact the platform/app to get help with that.
- Immediately delete any messages that you conclude to be a scam. Don’t wait for later, otherwise, you could accidentally click on the links in the message.