I get a lot of spam texts. A lot. They’re immediately recognizable: The source number doesn’t look familiar, and is attached to a message so obviously a phishing attempt it’s insulting. But lately, I’ve noticed an uptick in a new type of spam text, typically arriving from an email, rather than a phone number, with a blank text followed by an attached PDF. Whoever is behind these spam messages wants me and other recipients to open said PDF, and to hopefully tap on whatever hyperlink might be lurking within.
If you find yourself in this same situation, please: Do not open the PDF. It’s simply not worth the risk. While I haven’t seen any reports of these types of PDFs causing harm on their own, it’s far from unprecedented. Microsoft just put out a similar fire dealing with its Follina vulnerability, a security flaw that allowed bad actors to execute PowerShell commands after a user opened a malicious Microsoft Office doc. Yes, it’s possible to attack a user’s device using only a seemingly innocuous file.
It’s not impossible to imagine a similar scenario with a malicious PDF sent via text message. If someone discovers an exploit in iOS or Android, they can design malware that can mess with your smartphone. Again, there are no reports of such an exploit, nor reports of bad actors taking advantage of it with rogue PDFs. But it’s always better to be on the safe side.
So, as a best practice: Don’t open the PDF. But, let’s say, for the sake of argument, you did (whoops). Likely, the PDF is mostly full of spammy text trying to sell you on whatever half-baked pitch they think will catch your attention. Inevitably, there will be a link for you to tap, should you be so inclined. Do. Not. Tap. The. Link.
As with all strange and scammy links, there’s no telling where exactly it will take you, or what will happen to your device or data when you get there. Again, this might be a situation where just tapping the link results in actions you didn’t intend. However, often, these links take you to fake websites designed to look like legitimate ones, keen on tricking you into downloading malware or entering sensitive personal information. Obviously, do neither.
What to do if you receive a spam PDF
The next time one of these lovely PDFs floats its way to the top of your messages, here’s what you should do. Normally, you’d report the message to your carrier via forwarding the text to 7726. But since this is a PDF, you won’t be able to forward the document. Instead, report the email address twice: The carrier is looking for the message the first time you text 7726, so you’ll need to send the email address a second time for it to fully register.
This system obviously isn’t set up to handle non-SMS-based spam, but this workaround is better than nothing. Hopefully, it takes one extra scummy email address out of commission, even if there are still plenty more out there.