By Shane Wilson
Fraudsters are moving from email to text messages (SMiShing) and voice calls (Vishing) to gather personal information or gain control of a user’s device. This shift in focus is due to advances in email spam filters and growing consumer awareness of email scams, both of which make email fraud more difficult to commit. People perceive their phone to be more trustworthy than their computer, and fraudsters are eager to exploit this vulnerability.
SMiShing appeals to fraudsters because it offers better local targeting than email and because technology now makes mobile phishing campaigns easy to set up. Typically the fraud involves sending a text claiming to be from a bank or credit card company, or increasingly a payday loan company. Since credit and debit cards all follow the same standard method for card numbering, the first few digits are shared by many cards, and the smisher uses them as bait. The text asks victims to confirm account numbers or passwords. More advanced frauds prompt victims to download fake bank apps or call a number to address an account issue.
This is not dissimilar to the Vishing frauds increasingly being perpetrated on elderly women in the UK. The visher poses as the police, calling late at night and telling the victim that their bank account is under attack. The victim is told that, to stop these losses, the account needs to be emptied, and a courier is sent around to collect the card and PINs. The scam is convincing because the call remains open. When the victim attempts to dial their bank, their call is intercepted by a second fraudster posing as a bank employee, who confirms the details of the attack. Scotland Yard believes £2.4 million has been stolen in London in the past 24 months with this scam.
There are three simple rules mobile phone users should always remember to protect themselves from increasingly common SMiShing and Vishing:
- Be wary of unsolicited incoming calls and hang up if personal information is requested
- Download apps through official channels (iTunes or Google Play)
- Do not click on links from unknown or unverified senders, especially if the link is shortened on the mobile device