Bound phone number red envelope winning?

I just received a text message:

恭喜您抽中「綁定手機門號」紅包8元已入帳，活動內容請至財金公司官網(https://www.fisc.com.tw)查詢。

Sounded like a Scam, but someone actually put 8NT$ into my account:

image949×343 56.3 KB

Any idea what this could be?
Anyone received something similar?

Seems like a ‘test probe’ to verify that your account exists, and is associated with your phone number. Not quite sure how that would play out, but you might want to change your passwords and PIN numbers just in case someone has ‘harvested’ your data from somewhere and has something lined up.

If you actually opened that SMS you have possibly allowed them to access the data on your phone - aka - a phishing SMS, just like an email.

There seems to be a widespread SMS scam about ‘parcel delivery’ doing the rounds too, with a similar outcome. Google treats it as spam, open it at your peril.

So it would be wise to start changing passwords and PIN numbers immediately, check your Bank and balances etc.

It’s legit. FISC is a quasi government agency. Is your mobile number bound to a bank account?

Also from the company’s website:
https://www.fisc.com.tw/TC/HOME/EVENT?CTID=308f7ab8-4fa2-42b8-8dce-86e124614667

Could be that I set up something like that some time ago. Guess I can use my “winnings” to get half a tea egg at 711 now

But yeah - the way they set this up really makes it appear a bit fishy…

Ooookay mixing up lots of things here. As far as I can tell, all of this is wrong. Someone correct me please, I’d be happy to learn more about evil SMS that allow attackers to “access my data”:

1. SMS are “only” text. Thus it’s not possible by simply receiving or reading an SMS to “get hacked” (as in: get some malicious code introduced and executed on your phone, which is necessary to “access my data”). Trouble is possible only if you actively do stupid stuff yourself based on what the SMS tells you. Like following links in the SMS, downloading stuff, installing apps, …

2. This is distinctly different to email, which can contain all kinds of data in the body and especially in Attachments. That opens up many ways to exploit vulnerabilities in email programs etc., or at least trick the user into opening the attachment without having to do any intermediate action like “follow links to download malware” - like with SMS.

3. Phishing is of course possible through SMS. Again, it involves active user stupidity.

Note: MMS is similar to SMS, but can contain some multimedia data types as attachment. There have been cases known where for example old android versions were vulnerable to maliciously crafted MMS - even without having to read the MMS, simply by receiving them. To protect against this, keep your phone updated, and disable automatic download of MMS. Noone reasonable uses those anyway nowadays. Here is how to disable MMS download on Android:

In android when they say your SMS is spam, trash it, block the number. Same for phone calls.

Yup, very useful this Google spam detection function. You need to activate it first, though - and possibly switch to the Google apps for phone/SMS first, if your android phone doesn’t automatically use them:

The Google SMS spam function is a bit hit and miss though. I get on average one SMS a week from Far East (FET) my mobile provider (different numbers each time even), advertising promotions. Google classifies that as Spam though while a pest, its not there to scam.

Only about 6 people know my number, and as many Government agencies (NHI, 1922, NIA and a couple of Hospitals). Unless its obvious who is sending it, I delete, though don’t mark it as spam unless I consider that it is.

SMS standard is more complicated than many think and implementation is buggy on many phones.

Pegasus can use SMS as an attack vector (uses malicious link). But also can exploit buggy SMS software as iMessage on iPhones.

As usual in software, if you start digging, you will find bugs.
And with addition of RCS the modern phones have bigger area of attack.

Yep evil SMS that cause malfunctions (or eviler SMS-Replacement service messages that cause anything) are not unknown. Fortunately, even the CCC and Pegasus, as far as I understood, don’t show SMS that can inject and execute malicious code by receiving or reading - without user stupidity. Or did I miss something?