The Rise of Text Phishing

If you’ve received a text message asking you for information about an order you don’t remember making, there’s a good chance you’ve been targeted by SMS phishers. You’re not alone. Americans were bombarded with billions of similar messages last year with attacks rising rapidly from month to month. The pandemic — along with the growing reliance on mobile technology — has been a gift for spammers, dramatically increasing the success rate of even the most basic scams.

With more and more people using mobile phones at home and at work, this is a serious threat not only to individuals, but to businesses as well.  

Rising numbers of text phishing

The rise has been sudden. Mobile text phishing — or ‘smishing’ — rose by 328% in the third quarter of 2020 compared to the same period the year before, according to Proofpoint.[1] In March of this year alone, Americans received 7.5bn spam text messages, a massive rise on the previous year according to CNBC, citing data from the call-blocking app RoboKiller.[2]

The damage is hard to estimate but likely runs into the billions. A report from Cybersecurity Ventures warned that by 2025 cybercrime in general could cost the world economy $10.5tn a year, with phishing one of the leading causes.[3]

Attackers set up fake web domains mimicking reputable companies or government organizations. According to Proofpoint's data, the most commonly impersonated organizations include financial services companies, retailers and government agencies.

Once the domain is set up, scammers start sending text messages to targets in an attempt to persuade them to reveal personal details. Common examples include:

·         Cloud verification: One of the more common ruses is a text message claiming to be from Apple warning that an iCloud account has been suspended due to suspicious activity. Texts appear with messages stating: “Hello we detected fraudulent activity on your iCloud account. To reset your password visit Apple Support.”

·         Benefits claims: A sophisticated attack sent people messages claiming their unemployment benefit claims had been updated. A link would take you through to a site which closely imitated the website of the Ohio Department of Job and Family Services. The fake site was designed to trick people into entering their personal information.

·         Shipping information: E-commerce has boomed during the pandemic, so it is perhaps unsurprising that this is also one of the scammers’ top targets. Texts can appear claiming to come from a shipping company which says there is an issue with an order. You are invited to click on a link which takes you to websites which look and feel like the real deal.

·         Competition prize wins: A tried and trusted — if not particularly sophisticated — approach uses messages claiming targets have won a prize in a grand draw. These are often misspelled and are relatively easy for most people to spot. However, as cybercriminals become more sophisticated, they are managing to make even these attacks more convincing.

The role of COVID-19

So, what has created such a dramatic increase in smishing attacks? The answer – in a word – is ‘Coronavirus’. The pandemic has introduced two influences on our daily lives which give text message scammers a window of opportunity.

1.       Remote working: The pandemic has forced people to rely on technology and to do everything remotely. Internet use for everything from retail to banking and administration skyrocketed.

2.       Believability: The pandemic created situations which made it easier for fraudsters to create more believable scenarios.

Credibility has long been a problem for phishing cybercriminals. People have become more educated about cyber threats and are wary of unsolicited messages. The days when people fell for mysterious messages claiming to be from African princes have long gone.

However, these are unusual times. People are worried and in need of information. Text messages purporting to come from official sources and offering health information or details about vaccine appointments feel much more plausible than they otherwise would.

The rise in e-commerce means that people are regularly using the internet for all kinds of shopping. A message out of the blue claiming to relate to a recent purchase may seem like nothing out of the ordinary. Neither might a text from a local health authority about a vaccine.

Equally, difficult economic times encourage people to set aside their usual defenses if there appears to be hope of financial reward. The last year has certainly been tough. Unemployment rates came close to 15% during the height of the pandemic.[4] One in four Americans were skipping meals or relying on food donations.[5] The US suffered the sharpest rise in poverty in more than 50 years.[6]

For all sorts of reasons, the pandemic helped place people in a psychological state in which they were more vulnerable to fraudsters. Those fraudsters did not miss the opportunity, crafting attacks which capitalized on people’s hopes, fears and current events.

Common attacks include:

·         Scareware: Frightening people into action by claiming there is a problem with their account or that ‘our systems have detected illegal activity’.

·         Baiting: Playing to people’s greed by holding out the prospect of financial reward in return for clicking a link.

·         Spoofing: Texts claim to be from a recognized and trusted organization such as Amazon. Targets are led through to a website which mimics all the branding of the original.

Each of these uses principles of psychology and social engineering to put targets in a specific frame of mind in which they will be open to handing over their details.

Enterprise smishing

The rise in text phishing is not just a question of personal security. It’s also a growing problem for companies. With more and more employees using mobile devices as part of their work, fraudsters see those devices as a way to get behind even the most sophisticated corporate defenses, and enterprise smishing is becoming an increasingly serious threat.

According to data from mobile security provider Lookout, enterprise mobile phishing grew by 37% in the first quarter of 2020. It also found that unmitigated mobile phishing attacks could cost an organization with 10,000 mobile devices as much as $35mn per incident.[7]

For cybercriminals, mobile phones represent a way around increasingly tight corporate defenses. According to figures compiled by Techjury, 67% of people use their own mobile devices for work.[8] All those personally owned devices, often without corporate security controls, accessing company systems complicate the challenge for cybersecurity teams and create an additional attack vector for criminals.

They are adapting smishing attacks to target not only individuals but their businesses. The most high-profile example of a mobile device compromised through a message was Amazon’s Jeff Bezos in 2018: a malicious video file sent in a WhatsApp message was opened on his phone, and the malware it carried then copied data from the device. That attack arrived over WhatsApp rather than SMS, but the lesson is the same for any messaging channel.

Phones used for work hold corporate data and credentials, so a compromise reached through a personal messaging app or personal email address gives criminals a back door into company systems that never touches the corporate mail gateway.

Attackers are also employing surprisingly sophisticated approaches using voice phishing (‘vishing’), in which scammers call or leave voicemail messages to persuade employees to log into malicious sites. An advisory notice released by the FBI last year highlighted criminals using voice phishing attacks to target employees at large firms. Attackers sought to compromise employees with increasing levels of privilege in the hope of reaching key company systems.

Protecting your business

Defending against such attacks requires firms first to make it more difficult for attackers to gain access, and then to limit the damage if they do. Among the mitigations suggested by the FBI are:

·         Multifactor authentication (MFA) to reduce the chances of compromise.

·         Periodic reviews of network access privileges to remove rights that are no longer needed.

·         Active scanning and monitoring for unauthorized access, so that compromises are detected earlier.

·         Network segmentation to break one large network into smaller segments, so that administrators can control traffic between them and contain a compromise.

·         Administrators should have two accounts — one to make system changes, and another for email, reports and updates. This limits the damage if either is compromised.

Businesses are responding to the threat by investing in better endpoint security, using gateways and virtual private networks (VPNs) to ensure all devices accessing the company network meet minimum security requirements.

Security software can routinely screen incoming text messages, extracting the links they contain, checking the domains those links lead to against known brands, and scanning message content for anomalies such as urgency language or generic greetings. When suspicious activity is detected, access to those messages or links can be blocked quickly, limiting the number of people affected.

Firms can also benefit from additional training to help employees spot potential smishing attacks and to govern the way in which they pass on information so that details are only released to sources which are known to be trustworthy.

Common signs are:

·         Spelling mistakes: As with email scams, texts can often contain spelling or grammatical errors.

·         Urgency: Scammers may place a deadline forcing people into making an immediate decision.

·         Vague messaging: If a company contacts you, they will normally address you by your name. Fraudsters are more likely to use a more vague “Dear Sir or Madam.”

·         Design inconsistencies: Scammers have become much more successful at mimicking the branding of well-known companies. However, there may still be inconsistencies in spelling, graphics and names. The uniform resource locator (URL) in the link may also differ subtly from the genuine one, for example a brand name placed in a subdomain of an unrelated domain, or a digit substituted for a letter.
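To make the screening described under "Protecting your business" and the warning signs above concrete, here is an added example of a simple SMS triage filter. It is illustrative code written for this article, not code from the original page or from ZibaSec/PhishTACO. The brand-to-domain allowlist, the scoring weights and thresholds, and the sample messages are all assumptions constructed for the demonstration; the "last two labels" domain parser is a deliberate simplification that a real deployment would replace with a Public Suffix List-aware library.

```python
"""Heuristic smishing triage: extract links, compare their domains with the
brands the message names, and look for urgency and generic greetings.

Added example for this article; not ZibaSec/PhishTACO code. Brand list,
weights, thresholds and sample messages are assumptions for illustration."""
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> registrable domain the brand really uses.
BRAND_DOMAINS = {
    "apple": "apple.com",
    "icloud": "icloud.com",
    "amazon": "amazon.com",
    "usps": "usps.com",
    "paypal": "paypal.com",
}
OFFICIAL_DOMAINS = set(BRAND_DOMAINS.values())

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(within \d+ hours?|immediately|urgent|act now|suspended|final notice|"
    r"will be (closed|locked|deleted))\b", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(
    r"\bdear (sir or madam|customer|user|client)\b", re.IGNORECASE)
# Digit-for-letter swaps commonly used in look-alike hostnames (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Constructed sample inbox (not real messages): four smishing-style texts,
# one legitimate order notification and one legitimate one-time code.
SAMPLE_MESSAGES = [
    "Hello we detected fraudulent activity on your iCloud account. To reset "
    "your password visit http://apple-support-id.com/verify within 24 hours.",
    "USPS: Your package could not be delivered. Update your address at "
    "https://usps.com.track-delivery.info/redeliver",
    "Dear Customer, congratulations! You have won a $500 gift card. "
    "Claim immediately: http://claim-your-prize.xyz/win",
    "Your Amazon order has shipped. Track it at "
    "https://www.amazon.com/gp/your-account/order-history",
    "Your PayPal security code is 482931. It expires in 10 minutes. Do not share it.",
    "PayPa1: Unusual login detected. Confirm your identity at "
    "https://paypa1-secure.com/login or your account will be locked.",
]


def registrable_domain(hostname: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption for the example only: production code must use the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def brands_mentioned(text: str) -> set:
    """Brand names that appear anywhere in the message body."""
    low = text.lower()
    return {b for b in BRAND_DOMAINS if b in low}


def lookalike_brands(hostname: str) -> set:
    """Brands whose name appears in the hostname once digit/letter swaps are
    undone, e.g. 'paypa1-secure.com' -> 'paypal-secure.com'."""
    norm = hostname.lower().translate(HOMOGLYPHS).replace("rn", "m")
    return {b for b in BRAND_DOMAINS if b in norm}


def assess_url(url: str, body_brands: set) -> list:
    """Return (points, reason) findings for one link."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    # Brand name in the hostname but the registrable domain is not the brand's
    # own: catches 'usps.com.track-delivery.info' and 'apple-support-id.com'.
    for brand in lookalike_brands(host):
        if reg != BRAND_DOMAINS[brand]:
            findings.append((4, f"host {host!r} imitates {brand} but is {reg!r}"))
    # Brand named in the text while the link goes to an unrelated domain.
    if body_brands and reg not in OFFICIAL_DOMAINS:
        names = ", ".join(sorted(body_brands))
        findings.append((2, f"message mentions {names} but links to {reg!r}"))
    # Credential-style path served over plaintext http.
    if parts.scheme.lower() == "http" and re.search(r"verify|login|secure|account", url, re.I):
        findings.append((1, f"credential-style path over plaintext http: {url}"))
    return findings


def score_message(text: str) -> dict:
    """Score one SMS; higher means more smishing indicators."""
    findings = []
    body_brands = brands_mentioned(text)
    for url in URL_RE.findall(text):
        findings.extend(assess_url(url, body_brands))
    if URGENCY_RE.search(text):
        findings.append((2, "urgency or deadline language"))
    if GENERIC_GREETING_RE.search(text):
        findings.append((1, "generic greeting instead of the recipient's name"))
    score = sum(points for points, _ in findings)
    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": [r for _, r in findings]}


def triage(messages: list) -> list:
    """Score a batch of messages, preserving order."""
    return [(m, score_message(m)) for m in messages]


if __name__ == "__main__":
    for msg, result in triage(SAMPLE_MESSAGES):
        print(f"[{result['verdict']:6}] score={result['score']:2} {msg[:60]}...")
        for reason in result["reasons"]:
            print("    -", reason)
```

The link-based checks carry the most weight because they are the hardest for an attacker to avoid: a phishing page has to live somewhere, and that somewhere is rarely the brand's own registrable domain. Urgency and generic-greeting checks are deliberately low-weight, since legitimate notifications also use deadlines, and on their own they only push a message to "review" rather than "block". The legitimate one-time code shows the no-link case scoring zero, and the PayPa1 message shows the homoglyph normalization catching a hostname whose body text never spells the brand correctly.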

Protecting your business is a constant process involving both technology and training. Software and filtering rules must be kept up to date so that defenses continue to catch the latest attacks, and staff must be kept aware of the latest developments.

As technology infiltrates every part of our world, we are entering an increasingly frantic arms race between both sides. This is a world in which advanced technology is being deployed by attackers and defenders: one to create more convincing illusions and the other to build more effective barriers. Those organizations which fall behind will leave themselves wide open to attack.


Sources:

  1. Proofpoint.com: Mobile Phishing Increases More Than 300% as 2020 Chaos Continues.
  2. Cnbc.com: Spam Text Messages Spike.
  3. Cybersecurityventures.com: Cybercrime to Cost The World $10.5 Trillion Annually By 2025.
  4. Bls.gov: The Economics Daily: U.S. Bureau of Labor Statistics: Unemployment rate rises to record high 14.7 percent in April 2020.
  5. Cnbc.com: 1 in 4 Americans skipping meals or relying on donations amid pandemic.
  6. Bloomberg.com: U.S. Suffers Sharpest Rise in Poverty Rate in More Than 50 Years.
  7. Lookout.inc: 2020 Mobile Phishing Report from Lookout shows 37% sequential increase in the first quarter of 2020.
  8. Techjury.net: 44 BYOD Stats for 2021 [67% of Us Are Doing It].