This morning, I was woken up at dawn because of an IT emergency. My mother had received a text from the FOD Financiën, telling her she owed them 11,50 for which they’d sent a debt collector. She sort-of-feared that this text message was real but also expected it to be an SMS scam. You can see the text she received below.
Since I was up anyway, I decided I would deconstruct the scam. And if I have to get up early, you get to suffer with me so I’m writing this blog post.
Of course it’s an SMS scam
Our government agencies don’t use SMS to communicate and there are plenty of reasons to believe this is a scam. The domain name gave it away, because our government doesn’t use .com domains. And I’m sure they won’t be sending a debt collector over €11.
1. The domain name
The domain name for this scam is financien-overheid.com, as you can see in the text. That allows us to look up where the domain name is registered. I prefer using https://who.is to find out who the registrar of a domain name is, mostly because it’s so easy to remember.
This taught me that the domain name has been registered with Namecheap. I used that information to file a complaint with Namecheap about the domain. We’ll see what they do with that information, but I’ve done my job.
2. The hosting company
To find out where the website is hosted, we have to take a look at the IP address.
Finding the IP address is pretty simple. Open your command prompt or terminal and ping the domain name; the output shows which IP address the domain points to. In this case, the IP address is 18.104.22.168
Now, we need to find out who that IP address belongs to. To do that, I’m going to https://whatsmyip.com and use their IP WHOIS tool. You can find this tool here:
This teaches me that the IP address belongs to a German hosting provider, Combahton GMBH. Since I had just filled in a long form for Namecheap, and web providers are notoriously unwilling to cooperate, I just called them out on Twitter instead of trying to figure out how to file a complaint. Yay, slacktivism!
3. The website
You should never, ever visit the website from a suspect scam message unless you know what you’re doing. Don’t let this section trick you into believing that it’s safe to do so!
I was curious about the website of the scammers, so I gave them a visit (using Tor and a Linux VM, of course). Unfortunately, there wasn’t much to see. It appears that the URL provided in the text redirects you to a real website of the FOD Financiën – a page that returns a 404 error anyway.
So I ended up learning nothing about the scam website. Or perhaps I’m not smart enough to figure out why they’d redirect people to a real website. That’s also an option.
4. The phone provider
Finally, I wanted to find out who the phone provider was. Our scamming friend appears to be sending his messages from a mobile phone number which belongs to Mobile Vikings. Since I have been a satisfied customer of those guys for ages, I contacted them on Twitter. They immediately forwarded the complaint to the proper department. Now that’s customer service!
But you might be wondering how I found out that the phone number belongs to Mobile Vikings. It’s pretty simple! Just Google “lookup phone carrier” or the equivalent for your language and you should find websites that’ll allow you to look up phone carriers.
In my case, I ended up on the website https://www.crdc.be which pointed me in the right direction.
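The domain and IP steps above, scripted as an added example (not from the original post): pull the link out of the message, apply the “our government doesn’t use .com” check, and only then run the registrar and address lookups. The sample message is constructed, and the rule that federal agencies only use .be domains is an assumption for the check.

```shell
#!/bin/sh
# Constructed sample message, modelled on the text described in the post (not the real SMS).
SAMPLE_SMS='FOD Financien: u heeft een openstaande schuld van 11,50 EUR. Betaal via https://financien-overheid.com/betaal'

# Print the first URL found in the message, or nothing.
extract_url() {
    printf '%s\n' "$1" | grep -oE 'https?://[^ ]+' | head -n 1
}

# Reduce a URL to its host name (strip scheme, then path or port).
url_host() {
    printf '%s\n' "$1" | sed -E 's#^https?://##; s#[/:].*$##'
}

# Return 0 (true) when the host ends in a TLD a Belgian federal agency would use.
# Assumption: federal agencies use .be (e.g. fgov.be, belgium.be); anything else is suspect.
is_gov_tld() {
    case "$1" in
        *.be) return 0 ;;
        *) return 1 ;;
    esac
}

# The lookups the post walks through; needs network access, so it is not run automatically.
# whois and dig are standard tools; rdap.org is the modern WHOIS interface for IP addresses.
investigate() {
    host="$1"
    echo "== registrar (whois) =="
    whois "$host" | grep -iE 'registrar:|abuse' | head
    echo "== resolved addresses (look these up to find the hosting provider) =="
    for ip in $(dig +short A "$host"); do
        echo "$ip -> https://rdap.org/ip/$ip"
    done
}

url=$(extract_url "$SAMPLE_SMS")
host=$(url_host "$url")
if is_gov_tld "$host"; then
    echo "$host uses a .be domain; still verify it before trusting it"
else
    echo "$host is NOT a .be domain: treat it as a scam and report it"
fi
```

Call `investigate "$host"` once you are online to get the registrar and the addresses to report.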
What can you do?
As you can see, it’s not that hard to deconstruct an SMS scam. There’s plenty of information that you can find. The next step is to then report the scammer with all the providers they are using. That might not be as easy as finding the information, so you’d need to have some patience.
However, even more important is to educate your user(s). Sure, I might have been woken up earlier than I wanted, but my mother had the right reflexes:
- Not clicking the link
- Contacting someone more tech savvy than herself
Teach the people around you these skills. Teach them to be suspicious of the text messages, mails and links they receive. Even if that means they’ll be asking you to verify every single link, I can assure you that it’ll cost you less time and give you fewer headaches than dealing with the aftermath of a scam they fell for.