Skip to content   Skip to footer navigation 

Flubot text scammers trying new tricks

Got a text that asks you to tap on a link to find out more? Just don’t do it. 

flubot_text_scam
Last updated: 08 November 2021
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

Need to know

  • Scammers sending texts about missed calls, voicemails or deliveries are now sending new fake messages that include company logos 
  • The ACCC had received over 16,000 reports of the Flubot scam as of early October 
  • $851 million was lost to scammers in 2020, but the tally will likely be worse in 2021

As of early October, the Australian Competition and Consumer Commission's (ACCC) Scamwatch platform had received over 16,000 reports about text messages alerting people about missed calls, voicemails or deliveries.

The calls, voicemails, and deliveries, of course, do not exist and never did. 

It's called the Flubot scam, named after the malicious software it aims to infect your phone with if you tap on the link that comes with the message. It began to show up in early August, and by now you've probably either received some variety of the scam message or know someone who has.

You can receive one of these malevolent messages whether you've got an iPhone or an Android phone (any phone that's not an iPhone), but Android phones are the devices at most risk since they can download apps directly from the scam text. With an iPhone, you have to go to the app store to download and install files. (Opening the Flubot link on an iPhone can still damage your phone, however.)

Android phones are the devices at most risk ... Opening the Flubot link on an iPhone can still damage your phone, however

The link generally has a series of five to nine random letters and numbers at the end, which may help differentiate it from other legitimate texts you might receive.

In earlier versions of the scam, the link also had deliberate misspellings, the scammers' way of bypassing security filters. Newer text messages may not have spelling errors, although the older version is still circulating.

At a time when parcel deliveries are a regular occurrence and a lifeline for many people, the missed delivery alert can be especially tempting, but consumers are strongly advised not to tap the links. Delete the text instead without pressing anything. Better yet, don't open links in any text message, just to play it safe.

flubot_infection_message_on_smartphone_screen

As of early October, the ACCC had received 16,000 reports of the Flubot text scam from consumers.

An evolving scam

After the initial wave of generic missed call/voicemail/delivery texts, the scammers got creative and moved on to fake Zoom invitations, Google verifications, photo uploads, and 'thank you' messages from medical clinics. And the names and logos of specific couriers, retailers and telcos, such as DHL, Amazon and iiNet, were added. In all cases, you're invited to tap on a link.

In a tactic known as 'spoofing', the scammer's caller ID is often someone's real mobile phone number

If you're tempted to call the number that sent the text, don't. In a tactic known as 'spoofing', the scammer's caller ID is often someone's real mobile phone number. You'll be calling someone who has nothing to do with the scam and didn't send you the message.

If you do take the bait, you'll get a message saying your device is already infected with Flubot and you need to install a security update to get rid of it. It's when you take this second step that the malware is downloaded.

What can the malware on my phone do?

Though it's not entirely clear what happens if your phone is infected, the ACCC says the malware may be able to do the following:

  • read your text messages
  • send text messages from your phone
  • make phone calls from your number
  • access your contacts
  •  allow access to your passwords and accounts so the scammers can steal your money and personal information
  • direct other infected phones in Australia to send Flubot messages to the numbers it accesses from your phone.

My phone's infected, what do I do now?

One way to know your phone has been infected by Flubot is when people you know start telling you they've received a text message from you with a voice message or other scam identifier attached.

Here's what to do:

  • Check your bank account for unauthorised withdrawals using a different device than your phone, and contact your bank immediately if you see any.
  • Get an IT professional or a tech-savvy friend to perform a factory reset of the device (note that this will delete all of your data including photos, messages and authentication applications).
  • Do not restore from any backups created after you downloaded the malware – they'll be infected too.
  • Change your passwords once you're sure your phone is no longer infected.
  • Report the cybercrime incident to the ACCC and government's ReportCyber service.

Who's behind the Flubot scam?

As with most scams affecting Australians, it comes from overseas. In early March, Spanish police reportedly arrested four people aged 19 to 27 who are suspected of being involved with the Flubot scam. The scam has hit Spain hard since emerging there in late 2020. 

According to media reports, the Flubot malware had collected phone numbers for 11 million users as of early March, 97% of which were Spanish citizens. That's about a quarter of Spain's population.

But the scam is still very much active, and its creators apparently have yet to be caught.

Glossary

Online shopping scams

You pay for a product online but it never arrives because it wasn't a legitimate business. 

Jobs and employment scams

You pay a fee for materials supposedly needed for a non-existent 'make money fast' job or surrender your bank account details to supposedly pass on payments to a foreign company. 

Threats to life and arrest scams

You're threatened with arrest for non-existent speeding fines, overdue tax payments, unpaid bills or similar if you don't pay immediately. Newly arrived migrants and elderly people are threatened by scammers pretending to be government officials who demand fee payments. Sometimes these scams can include threats to your life. 

Dating and romance scams

Scammers gain your trust through dating websites or social media before requesting money or banking details needed due to a health or other financial emergency or to pay for travel expenses to visit you. There are many varieties of this scam. 

False billing scams

The most common form of this scam is payment redirection, in which scammers impersonate a business or its employees via email and request an upcoming payment be redirected to a fraudulent account.

Investment scams

By far and away the costliest scam for consumers overall, investment scams take many forms but generally involve people being tricked into putting money into investment opportunities that don't exist. Cryptocurrency, especially bitcoin, is often involved.

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE