Smishing Scams – Logistically Speaking

Many companies that deliver goods use text messages to keep consumers informed of attempted deliveries. Unfortunately, not all the text messages will be genuine. Scam text messages are not a new threat – they have been with us for many years, but recently a new level of scams have risen in the form of smishing.

SMS based phishing (sm-ishing) has been one of the biggest digital threats to consumers and brand holders in the last two years. According to the FBI, smishing scams costs Americans more than $50 million in 2020 alone. Cybersecurity experts Proofpoint says that mobile phishing attacks in North America increased more than 300% in the same three-month period in 2020 when compared to 2019. In the United Kingdom, consumer affairs organization Which? reported a 700% increase in reported scam messages in the first half of 2021 when compared to the same period in 2020.

It isn’t just delivery companies that have been targeted. Fraudsters have adapted their business models, understanding that quantity rather than quality is the way forward. Fraudsters have bombarded consumers with requests for payment for undelivered parcels, and fines for social media transgressions. They have even jumped to exploit Covid testing, vaccination queues and all such variants. Many of the texts are poorly written with spelling and grammatical errors, while some use URLs that are clearly not right. Those scammers are reliant on the less informed recipients, who may not realize what they are doing.

The motivation for the fraudsters who attack through smishing scams is financial gain. Even if there is no request for payment or money, the chances are that somewhere, someone will profit from the action. That may be simply confirming that the mobile number is genuine and can be sold to another fraudster, or that there has been a download of malware onto the recipient’s computer or mobile device. This in turn could be used to gain resalable or reusable personal and financial information. In worst case scenarios, personal medical information could be shared. If shared, this is incredibly valuable to fraudsters.

Technology has made it far too easy for fraudsters to develop smishing scams. Earlier in 2021 police in Manchester, United Kingdom, raided a hotel room and arrested a man in possession of equipment used to send over 26,000 text messages in a single day. In the messages, he claimed to be from a well-known logistics firm, and asked for payment to re-arrange a delivery. This type of text scam has been on the rise in recent months. Fraudsters ask for a small payment, usually under $2, in the hopes that it will not raise any concerns. However, the small payment is only the start of a bigger scam, as the fraudsters then have personal and financial information they can exploit even further.

Not only did the arrested individual have equipment capable of creating the fraudulent text messages, but he also had 44,000 mobile phone numbers ready for more smishing scams. While this was a major success for the police, it is only the tip of the iceberg. There are likely still hundreds of similar individuals operating similar operations, creating havoc on a daily basis.

Implementing a brand protection strategy is key to mitigate the reputational damage that smishing scams can cause. Domain names used for smishing tend to have a short shelf life – they are registered and used quickly for one scam before they are either shut down or are “retired” by the fraudsters. Therefore, implementing an early warning system is vital so that action can be taken before any revenue or reputational damage can be done.

OpSec’s Early Warning System (EWS) is a proprietary prevention measure that alerts brands daily to any suspicious looking domain name registrations that features trademarks, brand names or those similar. In addition, the report highlights any Secure Sockets Layer (SSL) certificates that have been issued, using the same terms.

Once a suspicious domain has been detected and validated as a phishing website or one that is hosting malware, OpSec’s fraudcasting system shares the details with ISPs, browsers, email providers and security vendors so they can block the malicious website within minutes, or remove the malicious software if it is in a network environment. If fraudsters are able to send the smishing scams, the URLs identified will be blocked, rendering their attempts to steal personal and financial information useless.

Smishing scams are a relatively low-cost, high impact scam and rely on tricking the victims into a believable situation, such as paying a small fee for the redelivery of an item that they think is genuine. However, left unchecked, the problem will exponentially grow and erode trust in the brand. This ultimately impacts revenues and reputation. A brand protection strategy with an early warning system allows companies to be part of the solution rather than being the unintentional center of the problem.