
FBI warns of SMS and phone-based phishing scams

Social networking sites and search engines are expected to be hit hard by cybercriminals this holiday season, but the FBI is warning consumers about two other threats they may encounter – so-called “smishing” and “vishing” scams.

Both threats are variations of phishing, but smishing uses SMS texts to initiate the scam, while vishing uses automated phone calls.

Reports of these types of scams date back to at least 2006, but the FBI's Internet Crime Complaint Center (IC3) issued an advisory Friday warning consumers that they will be prevalent this holiday season.

In these types of attacks, a user receives a text message or automated phone call to their cell phone stating there is a problem with their bank account, the FBI said in its advisory. The user is given a phone number to call or a website to log onto to provide account credentials to remedy the issue.

“While most cyberscams target your computer, smishing and vishing scams target your mobile phone, and they're becoming a growing threat as a growing number of Americans own mobile phones,” the advisory said. “These scams are also a reminder that cyberscams aren't just for computers anymore.”

Peter Cassidy, secretary general of the Anti-Phishing Working Group, a global coalition focused on eliminating identity theft and fraud resulting from phishing, told on Wednesday that phone and SMS-based phishing attacks have increased over the past few years and often target customers of local banks and credit unions.

Scammers typically ramp up these attacks during the holidays because individuals are traveling and shopping more often and therefore do not want their ability to pay for things to be interrupted, Cassidy said.

Cybercriminals often carry out the scheme using automated systems to text or call people in a particular region or area code, according to the FBI. They also sometimes use customer phone numbers stolen from banks or credit unions.

“Instead of the text being from [an 800] number, it begins with your area code,” Cassidy said.

Using the name of an individual's bank or credit union creates a second familiar reference, he added.

“They are trying to get the distracted person,” he said. “Every bit of familiarity helps. They are always going to find ways to make you feel like you have a relationship with them.”

Using personal information obtained from the schemes, cybercriminals can steal money from victims' bank accounts, make purchases or create fraudulent cards, the FBI said.

Recently, attackers used a smishing scam to steal money from customers of an unnamed credit union, the FBI said. After receiving a text about an account problem, victims called the number provided and gave out their personal information, only to find their money was withdrawn from their bank accounts within ten minutes. The same technique also recently was used successfully against banking customers, who were told via text that they needed to reactivate their ATM cards.  

Attackers are also increasingly using phone and SMS-based phishing scams to steal money from businesses by targeting accountants, CFOs and other individuals within companies that have access to corporate accounts, Cassidy warned.

“They are smart criminals,” he said. “They want to go after someone with more money they can access. If they phish the comptroller of a large company, they have access to a much larger pool of deposits.”

Information security professionals should warn users – especially those with access to corporate accounts – to be alert about these threats and to notify the security office if they believe they have been targeted, Cassidy said.

The IC3 is advising users not to respond to text messages or automated voice messages from unknown or blocked numbers.
