Earlier this year we wrote a blog post on how A2P messaging is growing while fraud is endangering consumers' trust in the platform. We thought we'd revisit this topic with a specific focus on 'smishing', a particular kind of fraud that is once again hitting the headlines.
The word is a blend of two things, SMS + phishing = smishing: fishing for personal information, passwords, data and so on via SMS or chat apps whilst masquerading as a source the recipient trusts or knows. A smishing message carries a call to action, either a link to click or a phone number to call, and that call to action is the fraud: it leads to a page or a person set up to harvest the recipient's credentials, personal data or money.
In their 2017 report, MEF identifies 13 different types of fraud, of which smishing is only one. The report found that more than a quarter of subscribers receive an unsolicited SMS message every day, and that 33% of subscribers had received a smishing message aiming to trick them into disclosing personal data. MEF estimates that smishing contributes around $680 million of the $2 billion global annual fraud cost.
The problem is exacerbated by the fact that SMS is one of the most trusted communications channels around. People expect to receive spam and fraudulent emails, but they don't expect SMS to be used in the same way. In fact, SMS remains the most trusted channel of communication, with 35% of consumers surveyed in the MEF report saying as much. For the fraudsters it's simply a matter of grabbing that low-hanging fruit and taking advantage of something people trust.
Smishing is a string of socially engineered messages designed to trick the user into revealing personal data about themselves, thereby giving the attacker a foothold on the victim's phone or accounts and ultimately access to something like the victim's bank account. The attacker treats the SMS they send out almost like a sales opportunity: posing as someone else, the criminal starts out by suggesting a relationship already exists between themselves and the recipient. A smishing text message might read something like this:
This is the HMRC. Our records indicate that you have paid £1,897.12 more tax than due for the year ending 2016. Please call us on XXX or click here to provide us with your bank details.
Messages might also read 'This is Lloyds Bank. We have detected suspicious activity on your account. Please call us on XXX to confirm your transactions' or 'This is Apple, your account has been locked due to suspicious activity please click here to verify your account or face account deletion.' Apart from being fraudulent, these messages have one thing in common: a call to action. They dangle a carrot (a refund, or the threat of losing an account) to increase the chances of someone taking a bite. People can be somewhat naive when offered something that benefits them, or when told something is urgently wrong, and they click or call without thinking about the origin of the message. Unfortunately that origin is surprisingly easy to forge: the sender name or number displayed for an SMS is chosen by whoever submits the message and is not authenticated, so a message can be made to appear to come from a brand the recipient already trusts.
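The traits described above (a claimed sender identity, a link or phone number as the call to action, urgency, and a request for sensitive data) can be turned into a simple triage rule for inbound SMS content. The following is an added example and not code from the original post or from CLX/MEF; the brand allow-list, the regular expressions, the scoring weights and all sample messages are constructed for illustration (sample lookalike domains use the reserved `.example` TLD). It flags a message only when it carries a call to action, since, as the post notes, a smishing message always has one.

```python
"""Heuristic smishing triage for inbound SMS text (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed allow-list: brand name -> registrable domains it legitimately links to.
# A real deployment would load this from configuration; these entries are illustrative.
KNOWN_BRANDS: Dict[str, set] = {
    "hmrc": {"gov.uk"},
    "lloyds bank": {"lloydsbank.com"},
    "apple": {"apple.com"},
}

URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+"                                        # scheme or www. prefix
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|uk|example)\b",    # bare domain
    re.I,
)
# UK-style numbers (0xxx... or +44...) with optional spaces; an assumption for the example.
PHONE_RE = re.compile(r"(?:\+44\s?|0)\d[\d ]{8,12}\d")
URGENCY_RE = re.compile(
    r"suspicious activity|locked|verify your account|face account deletion|within \d+ hours|immediately",
    re.I,
)
SENSITIVE_RE = re.compile(r"bank details|password|\bpin\b|card number|date of birth", re.I)


def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host (simplification: 'www.gov.uk' -> 'gov.uk')."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


@dataclass
class Verdict:
    score: int
    brand: Optional[str]
    reasons: List[str] = field(default_factory=list)
    flagged: bool = False


def score_sms(text: str) -> Verdict:
    """Score one message on the smishing traits and decide whether to flag it."""
    lowered = text.lower()
    brand = next((b for b in KNOWN_BRANDS if b in lowered), None)
    v = Verdict(score=0, brand=brand)

    if brand:
        v.score += 1
        v.reasons.append(f"claims to be {brand}")

    urls = URL_RE.findall(text)
    phones = PHONE_RE.findall(text)
    if urls:
        v.score += 1
        v.reasons.append("contains link")
        if brand:
            # The strongest signal: a brand is named but the link goes elsewhere.
            bad = [registrable_domain(u) for u in urls
                   if registrable_domain(u) not in KNOWN_BRANDS[brand]]
            if bad:
                v.score += 2
                v.reasons.append(f"link domain not owned by {brand}: {', '.join(bad)}")
    if phones:
        v.score += 1
        v.reasons.append("asks recipient to call a number")

    urgency = URGENCY_RE.findall(text)
    if urgency:
        v.score += min(len(urgency), 2)   # cap so one breathless message does not dominate
        v.reasons.append("urgency: " + ", ".join(u.lower() for u in urgency))

    if SENSITIVE_RE.search(text):
        v.score += 1
        v.reasons.append("asks for sensitive data")

    # No call to action means no smishing payload, whatever else the text says.
    v.flagged = bool(urls or phones) and v.score >= 3
    return v


# Constructed sample messages (the first three follow the wording quoted in the post).
SAMPLES = {
    "hmrc_refund": ("This is the HMRC. Our records indicate that you have paid £1,897.12 more tax "
                    "than due for the year ending 2016. Please call us on 0800 000 0000 or visit "
                    "http://hmrc-refund.example/claim to provide us with your bank details."),
    "lloyds_call": ("This is Lloyds Bank. We have detected suspicious activity on your account. "
                    "Please call us on 0800 000 0000 to confirm your transactions"),
    "apple_locked": ("This is Apple, your account has been locked due to suspicious activity please "
                     "visit http://appleid-verify.example/login to verify your account or face account deletion."),
    "otp_benign": "Your Apple ID verification code is 123456. Do not share it with anyone.",
    "lloyds_benign": "This is Lloyds Bank. Your statement is ready at https://www.lloydsbank.com/statements",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = score_sms(text)
        print(f"{name:14} score={v.score} flagged={v.flagged} :: {'; '.join(v.reasons)}")
```

The allow-list is what separates the Lloyds smishing text from the genuine Lloyds statement notification: both name the brand and both carry a call to action, but only the fraudulent one pairs the brand with a number or domain the brand does not own. In practice the weights and phrase lists need tuning against real traffic, and the heuristic complements rather than replaces sender-ID controls on the A2P route.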
Once the bogus link is clicked or the phone number called, the attacker immediately begins gathering personal information or infecting the handset with malware, potentially opening up a whole world of trouble for the user.
All an attacker needs is a few pieces of information to help them on their way. Don't forget that a lot of personal information is available as a matter of public record (full name, date of birth, address, mother's maiden name and so on), all of which helps an attacker pass as the genuine account holder when they contact the bank to change a few passwords or move some money around.
Whilst there is no substitute for common sense when it comes to acting on smishing messages, effective protection can easily be put in place by Enterprises with just a little thought and some training:
All of the above suggestions certainly have the potential to protect customers, but where does the ultimate responsibility for protection lie? How can this environment be regulated? In their report, MEF proposes some guidelines that are certainly worth considering:
Using a combination of the suggestions above for Enterprises and Individuals, and looking to MEF for guidance on how to self-regulate the environment, will hopefully result in smishing becoming a thing of the past, just like spam emails: relegated to the trash.
Interested to find out what the 12 other forms of fraud are? Check out the full MEF report here and read more about smishing while you’re there. First published by CLX Communications