If asked to describe the biggest risk brought from these last few weeks, ‘smishing scams’ might not be the first response from many. During the last few months, our roads were swamped with logistics companies, mail services, and retail shoppers. While they delivered the fruits of our online shopping during the holiday season, most of us expected to receive parcels at some point. Due to our busy schedules, we weren’t often at home to receive them. Fraudsters attempted to use this fact for their financial gain.
Many of the companies entrusted with our goods for delivery used text messages to keep us informed of the attempted deliveries. Unfortunately, not all of the text messages we received were be genuine. Scam text messages are not a new threat to us – they have been with us for many years, but the global pandemic has led to a whole new level of scams in the form of smishing.
SMS based phishing (sm-ishing) has been one of the biggest digital threats to consumers and brand holders in the last two years. According to the FBI, smishing scams costs Americans more than $50 million in 2020 alone. Cybersecurity experts Proofpoint says that mobile phishing attacks in North America increased more than 300% in the same three month period in 2020 when compared to 2019. In the United Kingdom, consumer affairs organization Which? reported a 700% increase in reported scam messages in the first half of 2021 when compared to the same period in 2020.
It isn’t just delivery companies that have been targeted. Fraudsters have adapted their business models, understanding that quantity rather than quality is the way forward. Fraudsters have bombarded us with requests for payment for undelivered parcels, and fines for social media transgressions. They have even jumped to exploit Covid testing, vaccination queues and all such variants. Many of the texts are poorly written with spelling and grammatical errors, whilst some just use URLs that are clearly not right. Those scammers are reliant on the less clued up recipients not checking or realizing what they are doing.
The motivation for the fraudsters attacking through smishing scams is always financial gain. Even if by following a URL there is no request for payment or money, the chances are that somewhere, someone will profit from your action. That may be simply confirming that the mobile number is genuine and can be sold on to another fraudster, or that there has been a download of malware onto the recipients computer or mobile device. This in turn could be used to gain resalable or reusable personal and financial information. In worst case scenarios amidst the global pandemic, personal medical information could be shared. If shared, this is incredibly valuable to fraudsters.
Technology has made it far too easy for fraudsters to develop smishing scams. Earlier in 2021 police in Manchester, United Kingdom, raided a hotel room and arrested a man in possession of equipment used to send over 26,000 text messages in a single day. In the messages, he claimed to be from a well-known logistics firm, and asked for payment to re-arrange a delivery. These such text scams have been on the rise in recent months. Fraudsters attempt the tactic of asking for a small payment (usually under $2) in the hopes that it will not raise any concerns. However, the small payment is only the start of a bigger scam, as the fraudsters then have personal and financial information they can exploit even further.
Not only did the arrested individual have the equipment capable of creating the fraudulent text messages, he had 44,000 mobile phone numbers ready for more smishing scams. Whilst this was a major success for the police, it remains to be only the tip of the iceberg. There are likely still hundreds of similar individuals throughout the country operating similar operations, creating havoc on a daily basis.
For logistics and delivery companies, implementing a brand protection strategy is key to mitigate the reputational damage that smishing scams can cause. Domain names used for smishing tend to have a short shelf life – they are registered and used quickly for one scam before they are either shut down or are “retired” by the fraudsters. Therefore implementing an early warning system is vital so that action can be taken before any revenue and reputational damage can be done.
OpSec’s Early Warning System (EWS) is a proprietary prevention measure that brand holders can take that will alert them to any suspicious looking domain name registrations that features trademarks, brand names and those similar in the last 24 hours. In addition, the daily report will also highlight any Secure Sockets Layer (SSL) certificates that have been issued, using the same terms.
Once a suspicious domain has been detected and validated as a phishing website (or one that is hosting malware) we use our Fraudcasting capabilities, sharing the details with ISPs, browsers, email providers and security vendors so that they can block the malicious website within minutes, or remove the malicious software if it is in a network environment. Whilst the fraudsters may still be able to send the smishing scams, the URLs identified will be blocked, rendering their attempts to steal personal and financial information useless.
Smishing scams are a relatively low-cost, high impact scam and one that relies on the victims being tricked into a believable situation, such as paying a small fee for the redelivery of an item that they think is genuine. However, left unchecked, the problem will exponentially grow and erode trust in the brand. This ultimately impacts revenues and reputation. It is best for organizations to implement a brand protection strategy that uses EWS means. This allows companies to play their part in the solution rather than being the unintentional center of the problem.
Author: Stuart Fuller – Senior Director, Global Operations, OpSec Security