The wireless carrier Verizon blamed “bad actors” on Wednesday for thousands of spam text messages recently received by its customers and said it was working with federal law enforcement agencies to try to identify the source.
The telecom giant confirmed in a statement on Wednesday that its customers had been targeted by the rogue texts offering them a free gift, which were reported on Monday by The Verge, a technology news website. Some users had reported being forwarded to Russian state media sites when they clicked on links in the texts, but Verizon was treating the texts as a more typical phishing scheme aimed at defrauding consumers.
“As part of a recent fraud scheme, bad actors have been sending text messages to some Verizon customers which appear to come from the customers’ own number,” the statement said. “Our company has significantly curtailed this current activity, but virtually all wireless providers have faced similar fraudulent activity in recent months.”
The scheme highlighted a steady rise in the number of complaints filed with the federal government by consumers who said they were the victims of spam text messages.
In response to follow-up questions on Wednesday, a Verizon spokesman said that the company believed that several thousand of its customers had received the texts as part of a broader scheme affecting major wireless carriers.
The spokesman, Rich Young, said that Verizon had blocked one of the numbers that sent some of the messages, but that the source was continuing to use other numbers to spam customers.
There was no indication, Mr. Young said, that the messages came from Russia, which has become suspected of carrying out cyberattacks amid that country’s ongoing invasion of Ukraine.
According to Verizon, it was working with the FBI and the US Secret Service to identify the source of the texts, which enticed recipients to click on a link offering them a free gift. Security experts generally advise against clicking on links sent from strange or unrecognized accounts.
The intent of the fraudulent solicitations is to get people to enter their credit card information, Mr. Young said. Clicking on the link would not have likely exposed those customers’ cellphones to malware, he added.
The FBI declined to comment on Wednesday. The US Secret Service did not immediately respond to requests for comment.
T-Mobile said in an email on Wednesday that it had found no evidence of its customers receiving the text messages, but that it had added the known links identified as part of the fraud scheme to its spam-blocking filters.
AT&T did not respond to an inquiry from The New York Times.
In 2021, the Federal Trade Commission said it received 377,840 reports of fraud stemming from text message solicitations, with losses totaling $ 131 million. The median amount lost was $ 900, according to the commission.
Cellphone users can report suspicious text messages by copying messages and forwarding them to the number 7726, which spells SPAM, a reporting service that was created by the GSMA, a wireless consortium whose members include Verizon.
Most smartphones include features for blocking unwanted calls and text messages. To try to keep telemarketers and other solicitors at bay, consumers can also add their numbers to a federal do-not-call registry.
But those barriers haven’t stopped fraudsters from trying to bait cellphone users to relinquish financial information and other personal data with offers that include free gifts. Some fraudulent texts invite the recipients to click on links with tracking updates for fictitious shipments.
Suspect text messages should be treated with the same heightened vigilance as suspect emails, one cybersecurity expert said on Wednesday.
“Do not click on the links, especially if something does not seem right,” said Tim Weber, security services director for ADNET Technologies in Rocky Hill, Conn. “On the surface they seem to be like phishing emails.”
Mr. Weber advised people to use built-in security features on smartphones to prevent them from being compromised, including biometric locks – those using thumbprints or facial recognition – and two-factor authentication.