Smishing: New age phishing
According to fraud prevention body Cifas, identity fraud has reached ‘epidemic levels’. Statistics show that 89,201 cases of identity fraud were registered from January to June this year, the highest total ever. Identity fraud is changing, but victims may be unaware of new avenues beyond e-mail and calling. A growing method for obtaining personal information is SMS-phishing, or smishing, says Andy Gent, CEO Revector.
What is smishing?
Smishing works in much the same way as contemporary phishing e-mails, or vhising (voice phishing) calls, except for the scam being sent by Short Message Service (SMS) messages. The main aspect of the strategy is not technical; it is psychological.
Scam artists prey on people’s panic and sense of urgency, sending time-sensitive text messages. By pretending to be close friends, employees or even officials from their banks, victims are made to believe the text is genuine and needs immediate action. Personal and potentially damaging information is given freely, and fraudsters can steal thousands of pounds.
How does smishing work?
In smishing, the scammer’s goal is to do one of three things: get a victim to reveal personal information (account numbers, passwords, etc.); get victims to click a link that grants access to their personal information; receive a reply to a text that charges a fee.
While one-time fees incurred through texts do occur, scammers primarily look to steal an identity. Access to a victim’s personal information is primarily obtained through time-sensitive threats such as immediate arrest by police or the freezing of an account. However, new innovations are being used to make smishing more subtle.
Number spoofing is being used to make text messages appear real by being sent from a trusted contact. In such cases, requests for personal information are more likely to receive responses, as a communication channel has already been opened.
The scam is difficult to defend against, but even harder to prove. In March, three Santander customers lost a combined total of £36,300 (€41345.31) to a smishing scam. The victims’ fraud claims were refuted by their banks, as it was argued security details were given willingly to a third party.
What can be done?
According to Experian, texting is the most common use of smartphones. Adult mobile users aged 18-24 send more than 2,022 texts per month – 67 per day – and receive 1,831. With such a large potential pool of victims, users need to be aware of potential scams. Yet, while people know of phishing scams through e-mail, many mistakenly assume their smartphones are more secure.
Mobile users can defend themselves in various ways: set up two-factor authentication; use multiple passwords; stay aware that banks will not ask for personal information such as a PIN number. However, the best defence against smishing is doing nothing. A fraudster is unable to do damage if the victim takes no action on the text, other than blocking a suspicious number. By being aware of the risks and knowing what to look out for, a major new form of identity fraud can be prevented.
The author of this blog is Andy Gent, CEO Revector