Much like a fisherman using realistic bait to attract fish to their hook, fraudsters capture people’s attention with a variety of tactics designed to engage without arousing suspicions. Fraudsters are taking advantage of the chaos caused by two years of a global pandemic and an impending recession to steal personal information or spread malware under the guise of legitimate companies.
This is particularly alarming given the use of SMS messages for important updates and authentication. Infobip research recently found that 69% of respondents used SMS text messages for authentication or one-time passwords, and 44% said billing updates are among the types of texts they regularly receive. With SMS phishing on the rise, fraud on such a key platform is a very present threat.
Back to basics
Smishing is simply the SMS equivalent of phishing in that the ‘bait’ message is delivered by SMS rather than email. Effective smishing attacks rely on a recipient taking an action that they would not otherwise have taken. This could simply be clicking on a link in an SMS message or submitting private information by return SMS or via a fake landing page.
There are mainly three types of smishing attacks:
1. Copycat marketing
In a grey area of the law, a business may contact a person while pretending to be, or simply suggesting that it is, a well-known brand that the person already knows and trusts. The victim is then deceived into viewing a product or offer that they would not otherwise have paid any attention to. You could receive a message like “You’ve won a competition!” for a competition that you never entered.
2. Malware attacks
This type of attack is malicious but has limited sophistication. Recipients are fooled into believing that the message is from a legitimate source, but this time the link they are encouraged to click on will download malware onto the device that could infect it and potentially distribute itself automatically via the phone’s contact list.
All modern smartphones will have security features that stop the silent downloading of malware, but these features are far less effective when users voluntarily download something or share their personal data.
3. Fake landing pages
The most brazen, sophisticated, and costly form of smishing is where fraudsters mimic messages from legitimate businesses to their customers, encouraging them to visit a fake landing page where they are instructed to enter personal information and login credentials which are then stolen and used to access the real accounts.
The most successful smishing attacks will also incorporate social engineering tactics. Harvested information will often be stored and used in a later attack. After sufficient time has passed, the victim will not put two and two together and realise they’ve been scammed.
For a smishing attack to occur, you may ask: how did fraudsters get my mobile number in the first place? Here are 3 ways:
- Data breaches: When hackers gain access to an organisation’s customer database, the information they steal could include anything from login and password details to addresses, and of course mobile phone numbers.
- Website scraping: Your phone number may be listed in multiple legitimate places on the internet, from old social media profiles to clubs that you once belonged to. Fraudsters use software that continually scans the internet looking for combinations of numbers that look like phone numbers.
- Saved form data on your browser: Depending on your browser settings, when you fill out a web form the information that you enter can be saved in memory so that the browser ‘remembers’ your details the next time you fill out a similar form. If this data is not locked down by the browser, it can be found and extracted by malware that then transmits it to external third parties.
So, how can we stay alert? The onus is on telecom providers
As the sophistication of smishing attacks grows, it becomes even more difficult to recognise them; the onus is on telecom operators to take charge. It is actually in their best interest to take a proactive approach. A successful attack will erode confidence in application-to-person (A2P) messaging, causing customers and the brands they buy from to move away from SMS and onto other messaging platforms.
Mobile operators should not fear: they have an ally in partnering with the right vendor. An SMS firewall defends mobile networks against all SMS-based messaging attacks. All messages routed through the firewall are analysed. This technology can help secure their mobile ecosystems. The right provider with a rich set of tools can provide:
- Links to a continually updated database of malicious URLs that can be automatically blocked in real-time
- Proactive threat detection which uses machine learning to preempt attacks
- Automated responses to identified threats
- Detection of MSISDNs that are not “real customers” based on SIM box detection that can provide MSISDN reputation analysis
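As an added illustration (not code from the article or from any vendor), the URL blocklist check and automated response in the list above can be sketched as follows. The blocklisted domains, sample messages and function names are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed blocklist; a real firewall would sync this from a threat feed.
BLOCKED_DOMAINS = {"parcel-redelivery.example", "secure-bank-login.example"}

# Matches http(s) URLs and bare "host.tld/path" links (ASCII hostnames only).
URL_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)

# Constructed sample SMS bodies.
SAMPLES = [
    "Your parcel is held. Reschedule: https://track.parcel-redelivery.example/p?id=1",
    "Bank alert: verify now at SECURE-BANK-LOGIN.example/login",
    "Your one-time password is 482913. It expires in 5 minutes.",
]

@dataclass
class Verdict:
    action: str    # "deliver" or "block"
    matched: list  # hosts in the message that matched the blocklist

def extract_hosts(text):
    """Return the lowercased hostname of every link-like token in an SMS body."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]

def is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if the host or any parent domain is listed, so subdomains are caught."""
    labels = host.split(".")
    # Stop before the bare top-level label so "example" alone never matches.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def screen_sms(text, blocklist=BLOCKED_DOMAINS):
    """Automated response: block the message if any link points at a listed domain."""
    hits = sorted({h for h in extract_hosts(text) if is_blocked(h, blocklist)})
    return Verdict("block" if hits else "deliver", hits)

if __name__ == "__main__":
    for body in SAMPLES:
        print(screen_sms(body), "<-", body)
```

Matching on parent domains matters because a link can carry an arbitrary subdomain in front of a listed domain, and the case-insensitive match covers links written in capitals.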
With all that’s going on, at a time when consumers are particularly weary and competition is fierce in the messaging space, telecom providers need to remain dependable. Using SMS messaging for any form of alert, whether big or small, should be simple. With the power of an SMS firewall, telecom providers can be an aid and make one part of life just that little bit easier.