SMiShing reports date back to around 2006, when this threat started to become noticeable. Spoofed or otherwise faked SMS messages are used as bait to lure victims into responding via SMS to premium rate services, visiting a malicious website or calling a telephone number. The SMS messages are not malicious in themselves, but they typically demand the recipient's immediate attention for something that supposedly must be completed urgently: "confirming" or "activating" account or credit card details, cancelling non-existent subscriptions or confirming imaginary purchases.
The SMiShing threat sometimes works in conjunction with Vishing (voice phishing), when the recipient is required to call a telephone number, or with more traditional Phishing, when the recipient is directed to visit a particular website. SMiShing messages have also been known to direct recipients to malicious websites designed to infect their devices.
“Someone posted your full personal and banking information at insert-bad-url-here website you must remove it now”
“Notice – this is an automated message from insert-bank-name-here, your ATM card has been suspended. To reactivate call urgent at +##-####-####”
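The lure characteristics described above (an urgent demand, a link, a number to call or a short code to text, and a reference to accounts or cards) can be turned into a simple triage score that a defender might run over reported SMS messages. The following is an added example, not code from the original post: the sample messages are constructed in the style of the two quoted above, and the term lists, weights and thresholds are assumptions chosen for illustration, not a published detection standard.

```python
"""Heuristic SMiShing triage: score SMS text for the lure indicators
described in the post. Term lists, weights and thresholds are assumptions."""
import re

# Words that manufacture urgency or demand an "action" (constructed list)
URGENCY_TERMS = ("urgent", "urgently", "immediately", "now", "suspended",
                 "reactivate", "activate", "confirm", "verify", "cancel")
# Data a SMiShing lure typically references or tries to elicit (constructed list)
SENSITIVE_TERMS = ("pin", "cvv", "password", "card", "account", "bank", "banking")

# A link the victim is told to visit
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# A full-length telephone number such as +00-0000-0000 (digits with separators)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
# "Reply YES to 12345": a request to text a short code, possibly premium rate
SHORTCODE_RE = re.compile(r"\b(?:reply|text|send)\b.*?\bto\s+(\d{4,6})\b", re.I)

# Assumed weights: a link is the strongest single signal, then a call-to-action channel
WEIGHTS = {"url": 3, "phone": 2, "shortcode": 2, "urgency": 2, "sensitive": 1}

# Constructed sample messages; numbers and hostnames are placeholders, not real
SAMPLE_MESSAGES = [
    "Someone posted your full personal and banking information at "
    "http://example.invalid/remove you must remove it now",
    "Notice - this is an automated message from ExampleBank, your ATM card "
    "has been suspended. To reactivate call urgent at +00-0000-0000",
    "Your parcel could not be delivered. Reply YES to 80808 to confirm "
    "redelivery (charges may apply)",
    "Running about 10 minutes late, see you at the cafe",
]


def find_indicators(text: str) -> dict:
    """Return {indicator_name: evidence} for every heuristic that fires."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    hits = {}
    m = URL_RE.search(text)
    if m:
        hits["url"] = m.group(0)
    m = PHONE_RE.search(text)
    if m:
        hits["phone"] = m.group(0).strip()
    m = SHORTCODE_RE.search(text)
    if m:
        hits["shortcode"] = m.group(1)
    urgency = sorted(words & set(URGENCY_TERMS))
    if urgency:
        hits["urgency"] = urgency
    sensitive = sorted(words & set(SENSITIVE_TERMS))
    if sensitive:
        hits["sensitive"] = sensitive
    return hits


def score_sms(text: str) -> int:
    """Sum the weight of each distinct indicator class that fired."""
    return sum(WEIGHTS[name] for name in find_indicators(text))


def triage(text: str) -> str:
    """Map a score to a verdict; thresholds are assumptions for illustration."""
    score = score_sms(text)
    if score >= 5:
        return "suspicious"
    if score >= 3:
        return "review"
    return "benign"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{triage(msg):10} score={score_sms(msg)} {find_indicators(msg)}")
```

Run stand-alone, the first two messages (the link lure and the "call this number" lure) score as suspicious, the short-code parcel lure lands in the review tier, and the plain personal message scores zero. The point of the weighting is that no single keyword decides the verdict; it is the combination of urgency with an out-of-band action channel (link, number, short code) that characterises the lures quoted above.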
In the case of Vishing, if the victim calls the number, an automated system (IVR), or occasionally a real person, will prompt them for things like their credit card number, CVV code (the number on the back of the credit card), expiry date or bank account details, and even the card PIN. Criminals will also often seek to elicit personal information such as date of birth and personal identification numbers (SSN, National ID, etc.). Click here for an audio capture of such a system.
If the phishing threat is web-based, the stolen information can be more extensive and include items which are more difficult to enter on a telephone keypad, such as mother's maiden name and email address. These items are then used to create faked credit cards or sold on as ID packs for others to do the carding.
Concurrently, we are also seeing a rise in speculative outbound vishing calls. These calls exploit the trust that people place in the traditional and familiar telephone system. Advances in technology, specifically the use of the internet to make and take telephone calls (VoIP), have greatly simplified the process of spoofing or faking a caller ID, making the scammer much harder to trace and to block. This threat has become established to the extent that telephone-based cybercrime-as-a-service outfits are already in business.
Vishing calls arrive with a spoofed caller telephone number and often come from outside the country of residence of the victim. An example is detailed in an earlier blog here.
If you receive a communication that you were not expecting, whether it be by telephone, email, SMS or carrier pigeon, and that communication is asking you to give up sensitive information, *do not respond*. Do not reply to the email or SMS, do not talk to the person on the end of the telephone or click on any links provided to you. Instead, note the name of the company the communication is supposedly from and contact them directly to find out if they indeed have something they wish to tell you. Contrary to some advice I have seen, I would not advise immediate deletion of the SMS or mail as the contents of it may be helpful to the organisation that is being impersonated.