UK banks and their customers have been warned to be vigilant against a form of phishing known as 'smishing', which uses SMS.
According to figures from the CMO Council, almost two-thirds of adults use text messaging, and over 90% of all text messages are opened within 15 minutes of being received. It is easy to see why this is becoming hot new ground for fraudsters.
It is particularly troubling considering the rise of mobile banking and the use of mobile for all kinds of payments, both personal and corporate.
Data thieves have already drained thousands of pounds from current accounts using the 'smishing' method by hijacking text message threads claiming to be from banks.
Cybercriminals trick users into downloading malware that allows them to impersonate a bank in text messages, hijacking genuine threads to steal passwords and security details.
The method is not entirely new, having been around for at least the last five years, but cases are getting more severe, and criminals are getting craftier at using new technology. Last September, a Liverpool customer of the Barclays 'Pingit' mobile payment service was conned out of £900.
And this week it has hit the news that one banking customer lost £22,700 when fraudsters claiming to be from Santander sent a text alerting him to suspicious activity on his account. He called the number and spoke to fraudsters who asked him for a 'one-time password' and wiped out his account.
As Lisa Baergen, manager at NuData Security, explains, 'smishing' and 'vishing' (voice phishing) are twists on the 'phishing' scam, an old scam that evolves each time new technology comes along.
'When banks started offering telephone services, fraudsters would impersonate a bank and call customers with criminal intent,' says Baergen. 'As banks moved to providing online services and apps, fraudsters started emailing customer statements, fake websites popped up and phishing emails started to make the rounds. These SMS smishing scams are taking advantage of the consumer’s push for more mobile-friendly and innovative ways to communicate and interact with their financial institutions.'
With this specific wave of smishing attacks, hackers fool customers into downloading their malware by posing as a legitimate, unrelated app. The malware then takes over a legitimate SMS thread between the customer and their bank, and uses it to socially engineer the customer into giving away their PII and handing over access to their account.
'Fraudsters know that it is generally easier to take over an account by phishing, spear phishing (targeting an individual) or smishing, than to open a new account using real or stolen credentials, which is why account takeover (ATO) is alarming and, as we’ve been saying, on the rise,' adds Baergen.
It only makes sense that account takeover (ATO) has become a new favourite fraud tactic. So as we hear of yet another example of real customers being scammed of their hard-earned funds, Baergen argues it is just another blazing example underscoring the need for financial institutions to move away from PII as the relied-upon authentication method.
'With the overabundance of stolen data, access to full identities is prevalent and cheap, meaning it cannot be relied on for authentication purposes,' she says. 'Customer education can help reduce the number of times this scam is successful, but we shouldn’t rely only on placing that burden solely on customers and account holders.'
If a bank cannot distinguish between legitimate users and fraudsters even when the credentials presented are valid, it may be time for it to move away from static data to protect accounts and towards behavioural analytics for authentication, giving it the ability to observe and understand how the user actually behaves.
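To make the behavioural-analytics argument concrete, here is an added example (it is not NuData's product, nor any bank's system, and every feature, threshold and sample session in it is a constructed assumption) that scores a login session against a user's own history. An attacker who has phished valid credentials still logs in from a device, country, hour and typing cadence the bank has never seen from that customer, and those signals, not the password, are what trip the step-up.

```python
"""Illustrative behavioural risk scoring for a login session.

Added example only: the features, weights, thresholds and sample sessions
below are constructed for illustration and are not taken from any vendor
or bank. Scoring a session against the account's own history shows how a
login with correct credentials can still be flagged as a likely takeover.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    device_id: str     # fingerprint/ID of the device or browser used
    country: str       # ISO country code derived from the source IP
    hour: int          # local hour of day of the login, 0-23
    typing_ms: float   # mean interval between keystrokes while entering credentials
    login_ok: bool     # credentials were accepted (true for the phished-password case too)


@dataclass
class Baseline:
    devices: set
    countries: set
    hours: list
    typing: list


def build_baseline(history):
    """Collapse a customer's past sessions into the profile we score against."""
    return Baseline(
        devices={s.device_id for s in history},
        countries={s.country for s in history},
        hours=[s.hour for s in history],
        typing=[s.typing_ms for s in history],
    )


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(session, base):
    """Return (score, reasons). Each signal contributes independently, so a
    valid password (session.login_ok) never lowers the score on its own."""
    score, reasons = 0, []
    if session.device_id not in base.devices:
        score += 30
        reasons.append("unknown device")
    if session.country not in base.countries:
        score += 25
        reasons.append("new country")
    # Unusual hour: more than 4 hours from every login hour seen before.
    if min(hour_distance(session.hour, h) for h in base.hours) > 4:
        score += 15
        reasons.append("unusual hour")
    # Typing cadence: z-score against the customer's own keystroke timing.
    mu, sd = mean(base.typing), (pstdev(base.typing) or 1.0)
    z = (session.typing_ms - mu) / sd
    if abs(z) > 3:
        score += 30
        reasons.append(f"typing cadence z={z:.1f}")
    return score, reasons


def decision(score):
    """Map the score to an action. 'step-up' means verify out of band."""
    if score >= 60:
        return "step-up"
    if score >= 30:
        return "monitor"
    return "allow"


# Constructed history for one customer: same phone, same country, logins in
# the morning and evening, and a consistent human typing rhythm.
HISTORY = [
    Session("phone-A", "GB", 8, 180.0, True),
    Session("phone-A", "GB", 9, 190.0, True),
    Session("phone-A", "GB", 19, 175.0, True),
    Session("phone-A", "GB", 20, 200.0, True),
    Session("phone-A", "GB", 21, 185.0, True),
]
BASELINE = build_baseline(HISTORY)

# Constructed candidates: the customer's usual evening login, and an attacker
# replaying the phished credentials from a new browser abroad at 3am with
# pasted (near-instant) credential entry.
LEGIT = Session("phone-A", "GB", 20, 188.0, True)
ATTACKER = Session("browser-X", "ES", 3, 60.0, True)

if __name__ == "__main__":
    for label, s in (("legit", LEGIT), ("attacker", ATTACKER)):
        score, why = risk_score(s, BASELINE)
        print(f"{label}: score={score} decision={decision(score)} reasons={why}")
```

Two design points matter here. First, the `login_ok` field deliberately plays no part in the score: once credentials are treated as compromised-by-default, a correct password is evidence of nothing. Second, the 'step-up' action has to be something the attacker cannot phish through the same channel they already control; the Santander case above shows the victim reading an SMS one-time password to the fraudster, so a step-up that simply sends another SMS code to the same thread adds no security.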