December 4, 2025

Smishmas: free points, pricey pain

SMS phishers pivot to points, taxes, fake retailers

Holiday scammers bait with 'free points' and tax cash; commenters roast SMS and Big Tech

TLDR: Scammers are pushing “free points” and tax refund texts, then hijacking cards by tricking people into sharing the one-time codes their banks send, which the scammers use to enroll those cards in Apple/Google wallets they control. Commenters split between banning SMS for finances and blaming Big Tech for weak safeguards, with big empathy for seniors and holiday panic confessions.

It’s officially Smishmas, and the comments are on fire. Security researchers say China‑based crews spun up thousands of fake reward sites aimed at T‑Mobile and AT&T, blasted via Apple’s iMessage and Google’s RCS (Google’s texting system). Victims hand over card details, then a one‑time code from their bank—only for scammers to enroll that card into Apple/Google mobile wallets they control. urlscan.io shows the avalanche, plus stealthy fake shops that only turn malicious at checkout.

The mood? Equal parts panic and pitchforks. s_kierkegaard laments the “diabolical” impact on older folks, with readers swapping stories of playing tech support for grandma. adriand’s tale of “Purolator panic cardio” (running outside after a fake delivery text) became a meme—“Headphones too loud, wallet too quiet.” Meanwhile, charcircuit comes in hot: Why don’t Apple and Google add passcodes to wallet enrollment? That sparks a brawl with nharada’s camp yelling: Stop using phone/SMS for money—period.

Drama escalates as people debate blame: Big Tech for frictionless wallets, carriers for spammy pipes, or just our collective holiday FOMO. The “Points Ponzi” and “Textpocalypse” jokes hide real fear: those slick fake shops advertised on Google and Facebook feel legit, and folks only realize weeks later when the package never arrives. Trust is the first item not delivered.

Key Points

  • China-based phishing groups are deploying kits to mass-create fake e-commerce sites that harvest card data and enroll cards into Apple/Google mobile wallets.
  • Thousands of new domains spoofing T-Mobile rewards points were registered and promoted via iMessage and RCS; similar infrastructure targets AT&T.
  • Phishing sites load only on mobile, request personal and card details, then solicit a bank one-time code to complete wallet enrollment.
  • Security researcher Ford Merrill (SecAlliance) says points redemption lures, common in EU/Asia, are now being directed at U.S. consumers.
  • Fake e-commerce stores are advertised on Google and Facebook, fetch malicious code only at checkout, and are harder to detect by mass scanning.

Hottest takes

“This stuff is diabolical for old folks” — s_kierkegaard
“Why don’t Google and Apple adopt passcodes?” — charcircuit
“We should basically not use phone or SMS for money” — nharada