Need to know
- Scammers sending texts about missed calls, voicemails or deliveries are now sending new fake messages that include company logos
- The ACCC had received over 16,000 reports of the Flubot scam as of early October
- $851 million was lost to scammers in 2020, but the tally will likely be worse in 2021
As of early October, the Australian Competition and Consumer Commission's (ACCC) Scamwatch platform had received over 16,000 reports about text messages alerting people about missed calls, voicemails or deliveries.
The calls, voicemails, and deliveries, of course, do not exist and never did.
It's called the Flubot scam, named after the malicious software it aims to infect your phone with if you tap on the link that comes with the message. It began to show up in early August, and by now you've probably either received some variety of the scam message or know someone who has.
You can receive one of these malevolent messages whether you've got an iPhone or an Android phone (any phone that's not an iPhone), but Android phones are the devices at most risk since they can download apps directly from the scam text. With an iPhone, you have to go to the app store to download and install files. (Opening the Flubot link on an iPhone can still damage your phone, however.)
Android phones are the devices at most risk ... Opening the Flubot link on an iPhone can still damage your phone, however
The link generally has a series of five to nine random letters and numbers at the end, which may help differentiate it from other legitimate texts you might receive.
In earlier versions of the scam, the link also had deliberate misspellings, the scammers' way of bypassing security filters. Newer text messages may not have spelling errors, although the older version is still circulating.
At a time when parcel deliveries are a regular occurrence and a lifeline for many people, the missed delivery alert can be especially tempting, but consumers are strongly advised not to tap the links. Delete the text instead without pressing anything. Better yet, don't open links in any text message, just to play it safe.
As of early October, the ACCC had received 16,000 reports of the Flubot text scam from consumers.
An evolving scam
After the initial wave of generic missed call/voicemail/delivery texts, the scammers got creative and moved on to fake Zoom invitations, Google verifications, photo uploads, and 'thank you' messages from medical clinics. And the names and logos of specific couriers, retailers and telcos, such as DHL, Amazon and iiNet, were added. In all cases, you're invited to tap on a link.
In a tactic known as 'spoofing', the scammer's caller ID is often someone's real mobile phone number
If you're tempted to call the number that sent the text, don't. In a tactic known as 'spoofing', the scammer's caller ID is often someone's real mobile phone number. You'll be calling someone who has nothing to do with the scam and didn't send you the message.
If you do take the bait, you'll get a message saying your device is already infected with Flubot and you need to install a security update to get rid of it. It's when you take this second step that the malware is downloaded.
What can the malware on my phone do?
Though it's not entirely clear what happens if your phone is infected, the ACCC says the malware may be able to do the following:
- read your text messages
- send text messages from your phone
- make phone calls from your number
- access your contacts
- allow access to your passwords and accounts so the scammers can steal your money and personal information
- direct other infected phones in Australia to send Flubot messages to the numbers it accesses from your phone.
My phone's infected, what do I do now?
One way to know your phone has been infected by Flubot is when people you know start telling you they've received a text message from you with a voice message or other scam identifier attached.
Here's what to do:
- Check your bank account for unauthorised withdrawals using a different device than your phone, and contact your bank immediately if you see any.
- Get an IT professional or a tech-savvy friend to perform a factory reset of the device (note that this will delete all of your data including photos, messages and authentication applications).
- Do not restore from any backups created after you downloaded the malware – they'll be infected too.
- Change your passwords once you're sure your phone is no longer infected.
- Report the cybercrime incident to the ACCC and government's ReportCyber service.
Who's behind the Flubot scam?
As with most scams affecting Australians, it comes from overseas. In early March, Spanish police reportedly arrested four people aged 19 to 27 who are suspected of being involved with the Flubot scam. The scam has hit Spain hard since emerging there in late 2020.
According to media reports, the Flubot malware had collected phone numbers for 11 million users as of early March, 97% of which were Spanish citizens. That's about a quarter of Spain's population.
But the scam is still very much active, and its creators apparently have yet to be caught.
Online shopping scams
You pay for a product online but it never arrives because it wasn't a legitimate business.
Jobs and employment scams
You pay a fee for materials supposedly needed for a non-existent 'make money fast' job or surrender your bank account details to supposedly pass on payments to a foreign company.
Threats to life and arrest scams
You're threatened with arrest for non-existent speeding fines, overdue tax payments, unpaid bills or similar if you don't pay immediately. Newly arrived migrants and elderly people are threatened by scammers pretending to be government officials who demand fee payments. Sometimes these scams can include threats to your life.
Dating and romance scams
Scammers gain your trust through dating websites or social media before requesting money or banking details needed due to a health or other financial emergency or to pay for travel expenses to visit you. There are many varieties of this scam.
False billing scams
The most common form of this scam is payment redirection, in which scammers impersonate a business or its employees via email and request an upcoming payment be redirected to a fraudulent account.
By far and away the costliest scam for consumers overall, investment scams take many forms but generally involve people being tricked into putting money into investment opportunities that don't exist. Cryptocurrency, especially bitcoin, is often involved.