Please, Never Open a PDF from a Strange Text

Photo: Tero Vesalainen, Shutterstock

I get a lot of spam texts. A lot. They’re immediately recognisable: The source number doesn’t look familiar, and is attached to a message so obviously a phishing attempt it’s insulting. But lately, I’ve noticed an uptick in a new type of spam text, typically arriving from an email, rather than a phone number, with a blank text followed by an attached PDF. Whoever is behind these spam messages wants me and other recipients to open said PDF, and to hopefully tap on whatever hyperlink might be lurking within.

If you find yourself in this same situation, please: Do not open the PDF. It’s simply not worth the risk. While I haven’t seen any reports of these types of PDFs causing harm on their own, it’s far from unprecedented. Microsoft just put out a similar fire dealing with its Follina vulnerability, a security flaw that allowed bad actors to execute PowerShell commands after a user opened a malicious Microsoft Office doc. Yes, it’s possible to attack a user’s device using only a seemingly innocuous file.

It’s not impossible to imagine a similar scenario with a malicious PDF sent via text message. If someone discovers an exploit in iOS or Android, they can design malware to mess with your smartphone. Again, there are no reports of such an exploit, nor reports of bad actors taking advantage of it with rogue PDFs. But it’s always better to be on the safe side.

So, as a best practice: Don’t open the PDF. But, let’s say, for the sake of argument, you did (whoops). Likely, the PDF is mostly full of spammy text trying to sell you on whatever half-baked pitch they think will catch your attention. Inevitably, there will be a link for you to tap, should you be so inclined. Do. Not. Tap. The. Link.

As with all strange and scammy links, there’s no telling where exactly it will take you, or what will happen to your device or data when you get there. Again, this might be a situation where just tapping the link results in actions you didn’t intend. However, often, these links take you to fake websites designed to look like legitimate ones, keen on tricking you into downloading malware or entering sensitive personal information. Obviously, do neither.
