Wednesday 9 March 2016

Our guide to smishing

They’ve tried cold calling and phishing emails; now the scammers want to steal your personal details via text message. David Crookes explains what you’re up against

What is smishing?


Most of us have heard of phishing, which involves criminals sending emails that trick you into giving away personal data such as a credit card number or password. SMiShing, meaning SMS phishing and henceforth referred to in this article as smishing (for clarity’s sake!), is the text message equivalent and is currently on the rise.


What do smishing scams look like?


Various forms of smishing have been doing the rounds. Texts claiming that the recipient had won a free gift card, asking for their name, address, date of birth and more to allow the person to stake their “claim”, were once common. Currently, UK bank customers are being targeted by bogus alerts about suspicious activity in their accounts. Some of the scams are so sophisticated that individual losses are running into thousands of pounds.

How do they work?


In the case of banking scams, fraudsters are increasingly able to make their text messages look like they’ve come direct from financial institutions. These texts fool users into downloading malware that allows the criminals to impersonate the customer’s bank, which means - rather chillingly - that scam messages appear in the same conversation thread as those from a genuine bank. As you can imagine, with the added stress of being told you have to act quickly, this can cause great confusion. Even savvy web users have fallen prey.

What do the texts ask you to do?


Typically, they ask you to click a link to a fake website or, in a growing number of cases, make a phone call which will be answered by the scammer. In either case, fraudsters are looking to grab passwords and security details as well as build up a strong picture of the person they are targeting.

Are bank customers the only victims?


No, scammers are also using smishing to gain access to email accounts. Armed with a person’s email address and mobile phone number, the fraudsters reset victims’ passwords using the verification codes many providers now send to mobiles. The scammers immediately send their own text to fool the account holder into revealing the verification code they’ve been sent, then use it to gain control of the victim’s email account.

How many people are being caught out?


Exact figures are difficult to estimate, but security company Cloudmark (www.cloudmark.com) reported that incidents in the US had trebled in September 2014, and all types of social-engineering fraud have resulted in global losses of £675m.

We have been hearing of many individual cases. For example, last October a Barclays customer who was transferring a large sum of money to his daughter via the Pingit service (pingit.com) received a message in his usual Barclays SMS thread relating to a bogus Direct Debit that had supposedly been set up. The victim called the given number and found it was a recording asking for his bank details. Thankfully, he grew suspicious and hung up.

Why are scammers using text messages?


An increasing number of people are using their phones for financial transactions and fraudsters know that we tend to be more receptive to texts than most other forms of communication. Studies show that a third of us check our handsets up to 50 times a day, which means we’re more vulnerable to falling prey to text scams and responding almost instantly. All the fraudster needs once a victim calls the fake number is some persuasive patter.

How do they make the texts appear authentic?


The beauty of text messages – aside from the low cost of sending them – is their simplicity. By directing people to make a phone call, the scammers don’t have to spend a lot of time creating authentic websites or worrying about people performing the usual phishing checks (looking at URLs, studying email addresses, checking to see if their name is included in the email and so on). As long as the spelling and grammar are correct (and even if they’re not, recipients may put it down to the sender abbreviating their message), there is a good chance they can fool someone. All it takes is 20 or so words and the job is half-done.

Can’t the scammer be traced at the number they call from?


Scammers tend to be savvy and cover their tracks using services such as Burner to produce a disposable number. These companies market themselves as offering privacy and shielding their users’ identities, so finding the person behind the calls and texts becomes near impossible.

Are specific age groups being targeted?


Although younger people tend to send and receive more texts, there is a higher chance of older folk having a good sum of money saved in their account. Experts also suggest that there has been a rise in the number of bank-related smishing attempts because current accounts have higher than usual interest rates these days (although not in this country, sadly!), which makes them rich pickings for cybercriminals.

Can I use protective software on my phone?


Unlike the highly effective spam filters that work wonders with email-based scams, it’s difficult to stop texts coming through. There are some apps you could use including the free LINE Antivirus for Android (bit.ly/line392), which has a dedicated anti-smishing feature. You can also try to block the number to prevent repeat smishing texts coming through.

What’s the best course of action?


It pays to be on high alert at all times. Banks say they will never ask for personal details or passwords – whether one-time or permanent – via the phone, email or SMS. Nor will they ask you to transfer funds. The best advice if you receive such a text and you’re worried your money may be at risk is to call your bank on the number provided on your statement. You should also report the matter to Action Fraud (actionfraud.police.uk) on 0300 123 2040 if you find that the message is bogus. Additionally, you can forward rogue texts to 67726 if you’re a Vodafone user, 7726 if you’re on O2 or EE and 37726 if you use Three.


TYPES OF SMISHING SCAM


Fake subscriptions
The fraudster sends a message thanking you for signing up to a monthly subscription, stating the amount you’ll be paying. There is a web link or phone number in the SMS that can be used to “cancel” it, but this will only lead to attempts to grab your personal details.

Financial institutions
Bogus messages are sent from a real-life bank or credit union, alerting you to an urgent situation that must be resolved without delay. Perhaps your card is going to be cancelled, or your account has been compromised or will be locked. Only by handing over your financial information will the “emergency” be resolved.

Competition winner
Congratulations are in order: you’ve been randomly selected to win a prize in a contest you never even knew existed. To claim your £1,000 you’ll be asked to tap the link and enter your financial details, allowing the money to be “safely” transferred. Don’t forget to include your PIN and your mother’s maiden name for “security”!