Security firm notes sharp increase in SMS phishing attacks

As more users turn to their mobile devices to conduct business, researchers are tracking a significant uptick in SMS phishing attacks that can lead to financial and identity theft.

The scams work by sending victims text messages that direct them to call spurious phone numbers purporting to belong to banking institutions, credit card services or even government agencies.

Security firm Cloudmark said the new set of attacks began last Tuesday, and since then researchers have seen a roughly 900 percent increase in the daily number of SMS phishing attempts compared with before the campaign started.

While tactics vary, attackers have primarily sent text messages that appear to be forwarded to victims, and include the message “Attention Required” and a phone number.

Cloudmark published a blog post, which includes a list of the phone numbers the scammers are using.

Ploys include messages allegedly coming from or regarding Bank of America account suspensions, Macy's credit card collections or the U.S. veteran's health services. All of them request information from mobile users.

Mary Landesman, senior security researcher at Cloudmark, told SCMagazine.com on Monday that phishing ruses now are the most common SMS-based attack seen by her firm. Previously, the most common SMS attacks included free gift card and giveaway scams or "need cash now" ploys, in which texts enticed recipients to visit a URL leading to a survey, where participants unknowingly consented to sending premium rate SMS messages.

In recent SMS phishing cases, victims who call the numbers sent in phishing texts usually reach an automated message asking them for personal information, like credit or debit card numbers. Landesman has even received reports of victims reaching a recording claiming to be Bank of America identity theft services.

Scammers are more than likely obtaining victims' numbers from virtual number providers, she said.

Landesman advised recipients of phishing messages to forward the text to short code “7726 (SPAM),” a centralized service that notifies participating carriers of unsolicited SMS. Mobile users should also avoid giving out personal information to untrusted sources.

A common misstep among victims is assuming that a number they have kept private won't get into the hands of a fraudster.

“They believe that if they have a phone number, and it's not widely known, it wouldn't be likely for someone to send a [malicious] SMS,” said Landesman. “The person thinks their number is private, and then they think that it's from a trusted source, so the attackers are playing a game of odds.”

 
