Smishing – the next generation of phishing
Earlier this year we wrote a blog post on how A2P messaging is growing while fraud is endangering consumers’ trust in the platform. We thought we’d revisit this topic with a specific focus on ‘smishing’ – a particular kind of fraud that is once again hitting the headlines.
What is smishing?
It’s a combination of two things, SMS + phishing = smishing. A way of fishing for personal information, passwords, data, etc. via SMS or chat apps whilst masquerading as a trustworthy or known source to the recipient. Smishing messages will always include a link to click on or a phone number to call. The call to action is, of course, fraudulent and an attempt to violate the recipient’s privacy.
In their 2017 report, MEF suggests that there are 13 different types of fraud, of which smishing is only one. MEF identified in this report that more than a quarter of subscribers receive an unsolicited SMS message every day, with 33% of subscribers claiming that they had received a smishing message aiming to trick them into disclosing personal data. MEF estimates that smishing contributes $680 million to the $2 billion global annual fraud cost.
The problem is exacerbated by the fact that SMS is one of the most trusted communications channels around: people expect to receive spam and fraudulent emails, but they don’t expect SMS to be used in the same way. In fact, SMS remains the most trusted channel of communication, with 35% of consumers surveyed in the MEF report saying as much. For the fraudsters, it’s just a matter of grabbing that low-hanging fruit and taking advantage of something that people trust.
How does smishing work?
It’s a string of socially engineered messages designed to trick the user into revealing personal data about themselves, thereby allowing the attacker to get control of the victim’s mobile phone and ultimately access to something like their bank account. The attacker treats the SMS they send out almost like a sales opportunity: the criminal starts out by suggesting that a relationship already exists between themselves (posing as someone else) and the recipient. A smishing text message might read something like this:
This is the HMRC. Our records indicate that you have paid £1,897.12 more tax than due for the year ending 2016. Please call us on XXX or click here to provide us with your bank details.
Messages might also read ‘This is Lloyds Bank. We have detected suspicious activity on your account. Please call us on XXX to confirm your transactions’ or ‘This is Apple, your account has been locked due to suspicious activity. Please click here to verify your account or face account deletion.’ These messages have one thing in common (apart from being fraudulent): they have a call to action – they dangle a carrot to increase the chances of someone taking a bite. People can be somewhat naive when it comes to being offered something that will benefit them. They might click or call without thinking about the origin of the message, which unfortunately is surprisingly easy to forge, and trust the sender without question.
Once the bogus link is clicked or the phone number called, the attacker instantly begins gathering personal information or infecting the handset with malware, potentially opening up a whole world of trouble for the user.
All an attacker needs is a few bits of information to help them on their way. Don’t forget that a lot of personal information is available as a matter of public record – full name, date of birth, address, maiden name etc., all of which can help attackers seem to be the genuine article when they contact the bank to change a few passwords or move some money around.
How can enterprises protect their customers against smishing?
Whilst there is no substitute for using common sense when it comes to acting on smishing messages, effective protection can be easily employed by Enterprises with just a little thought and some training:
- Educate customers, let them know what they will and will not be asked for in a legitimate message
- Communicate company short codes clearly with customers so they know what numbers to expect messages from
- Introduce more specific security questions that cannot be answered by performing a simple Google search
- Provide awareness training for all those who come into contact with customers so that potential fraud can be more easily identified
- Monitor customer complaints about spam messages, particularly if they correspond to specific campaign deliveries. Then investigate thoroughly asking questions like who sent the messages, does the message contain a suspicious URL etc.
How can individuals protect themselves against smishing?
- When something sounds too good to be true it usually is
- Be skeptical that a message is from the company or government department it claims to be unless you were a) expecting the message or b) often receive messages from this company
- If you are suspicious, don’t phone the number listed in the content of the message. E.g. if it claims to be your bank, use the phone number or website you usually use to contact the bank and confirm
All of the above suggestions certainly have the potential to protect customers, but where does the ultimate responsibility for protection lie? How can this environment be regulated? In their report, MEF proposes some guidelines that are certainly worth considering:
- The creation of a national and international register of enterprise, brand and associated short codes
- The creation of a database of known suspicious and fraudulent messages
- The development of a global standard, automated cross-MNO method of reporting and sharing information about suspicious and identified fraudulent messages
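The complaint-monitoring step in the enterprise checklist above (who sent the message, does it contain a suspicious URL) and the short-code register and known-fraudulent-message database that MEF proposes can be combined into a simple triage check. The following is an added example, not code from the original post, CLX or MEF; the short code, allowed domain, sample messages and the "known fraud" template are all constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed reference data (assumptions, not from the post or the MEF report):
# the enterprise's registered short codes and the only domain it links to.
REGISTERED_SHORT_CODES = {"60060"}
ALLOWED_LINK_DOMAINS = {"example-bank.co.uk"}

URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")
URGENCY_TERMS = ("suspicious activity", "locked", "verify", "confirm", "deletion", "more tax")


def fingerprint(text: str) -> str:
    """Normalise a message so variants with different links or numbers share one hash."""
    norm = URL_RE.sub("<url>", text.lower())
    norm = re.sub(r"\d", "#", norm)
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


# Constructed stand-in for a shared "known fraudulent messages" database.
KNOWN_FRAUD = {fingerprint(
    "This is Apple, your account has been locked due to suspicious activity "
    "please click here http://apple-id-verify.example/login to verify your account")}


def triage_report(sender: str, text: str) -> dict:
    """Check one customer-reported SMS and return the indicators found."""
    indicators = []
    if sender not in REGISTERED_SHORT_CODES:
        indicators.append("sender is not a registered short code")
    for link in URL_RE.findall(text):
        host = urlparse(link if "://" in link else "http://" + link).hostname or ""
        if host not in ALLOWED_LINK_DOMAINS:
            indicators.append(f"link to unregistered domain: {host}")
    if PHONE_RE.search(text):
        indicators.append("asks the recipient to call a number given in the message")
    hits = [t for t in URGENCY_TERMS if t in text.lower()]
    if hits:
        indicators.append("call-to-action language: " + ", ".join(hits))
    if fingerprint(text) in KNOWN_FRAUD:
        indicators.append("matches a known fraudulent message")
    # An unregistered sender plus at least one lure is enough to escalate.
    likely = sender not in REGISTERED_SHORT_CODES and len(indicators) > 1
    return {"likely_smishing": likely, "indicators": indicators}
```

The fingerprint deliberately strips links and digits so that the same lure sent with a fresh domain or phone number still matches the shared database; the real value of the MEF proposals comes from operators sharing those fingerprints rather than each enterprise keeping its own list.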
Using a combination of the suggestions above for Enterprises and Individuals and looking to MEF for guidance on how to self-regulate the environment will hopefully result in smishing becoming a thing of the past, just like spam emails – they’ll get relegated to the trash.
Interested to find out what the 12 other forms of fraud are? Check out the full MEF report here and read more about smishing while you’re there. First published by CLX Communications