NatWest online banking suffers SMS ‘smishing’ scams

Online banking appears to be suffering more security breaches today than at any other time in its past. Recent scams have included new strains of ransomware and the rise of so-called ‘smishing' techniques ie phishing by SMS.

News reports suggest that both NatWest and its Royal Bank of Scotland parent were hacked by journalists from BBC Radio 4's You and Yours programme. The ‘hack hackers' were able to use smishing techniques to break into a UK citizen's account and remove money.

Sometimes also called ‘SIM swap fraud', banks have fallen foul of smishing due to their use of SMS alerts where activation codes are often sent by text to users' smartphones when they forget their personal details - the same technology can also be used to allow payments to be made from an account.

How the scam works

SMS smishing works by blocking a genuine user's phone without the user knowing why their device has gone dead and stopped working. While hackers have control of a target device, the user's bank account is vulnerable to exploitation and theft.

NatWest has told the BBC that its systems (and those at the Royal Bank of Scotland) would be changed as a direct result of the You and Yours investigation.

Chris Popple, managing director of NatWest Digital told the BBC, "This is a cross-industry problem, particularly with us [banks] and the telecom companies. We are working with Financial Fraud Action UK to make sure we're communicating with each other... to make sure mobile phone security is as strong as it possibly can be."

Action Fraud UK has posted an example of a spoof text next to a link from UK-based user Matilda Bourne, who openly tweeted an example of the NatWest alert, which read as follows: “Hi Customer, We can't seem to access your account because of a problem we are having with you Full Pin. Please confirm your Full Pin and Password by clicking on the link below to remain high levels of security.”

As readers of will know, poor grammar is often the first sign of a scam email or other form of alert. Recent examples of this have included spoof information emails from the HMRC revenue and customs service.

What the technology industry says

Robert Capps, VP of business development at NuData Security spoke to SC to say smishing as a twist on the phishing scam, is an old scam that evolves each time new technology comes along. 

“With this specific wave of smishing attacks, hackers fool customers into downloading their malware by posing as a legitimate, unrelated app. The malware then takes over a legitimate SMS communication between the customer and their bank to socially engineer the customer into giving away their PII information and access their account,” said Capps.

He contends that fraudsters know that it is generally easier to take over an account by phishing, spear phishing (targeting an individual) or smishing, than it is to open a new account using a real or stolen credentials, which is why account takeover (ATO) is alarming and, as we've been saying, on the rise. 

“If your bank can't distinguish between legitimate users and fraudsters, even with  valid credentials, it's time to they move away from static data to protect accounts and move to behavioural analytics for authentication. User behaviour analytics observes and understands how the user behave. Behavioural analytics looks beneath the surface of matching usernames, passwords and other means of authentication such as one-time SMS, to truly understand user behaviour. These behaviour patterns reveal details that fraudsters can't fake despite their best efforts,” advised Capps.

A call for more password management?

This news surfaces at the same time as new reports from password management company LastPass. The firm says that giving someone remote access to an account is the biggest reason respondents say they share personal passwords. A total of 38 percent of respondents to a recent survey share passwords to give someone remote access and 31 percent of respondents also say they share passwords in case of an emergency.

“The fact that 75 per cent of people acknowledge the risks associated with sharing passwords continue to do so suggests they are not aware of more secure alternatives,” said Joe Siegrist, vice president and general manager of LastPass.

Siegrist asserts that a secure password manager with a sharing centre such as LastPass 4.0 addresses both of these issues, as passwords are kept safe, and it's easy to store as many different passwords as you need.

A network issue

But are the mobile networks doing enough to protect consumers, and the brands that use their services, from this type of fraud attack? Claire Cassar, CEO of Haud, a company that provides mobile network and SS7 security services believes that not enough is being done and that it could result in long term damage to trust in mobile services.

Speaking to on this story, Cassar has said that the growing number of cases of this type of SMS fraud brings into question if the telecoms industry is taking seriously its obligation to protect its customers from nuisance messages, spam and other untoward activity on mobile networks.

“The technology exists to rapidly identify and block this traffic, but not all networks are currently using it,” she said. “Smishing and fraud SMS are a reputational time-bomb for network operators and as the volume of unsolicited messages increases the quality of service suffers. Some mobile users have even started taking matters into their own hands by installing message and spam blocking apps on their phones, but this presents the risk of preventing legitimate messages from being received, further impacting on customer experience. “

Cassar's final word is that there's a clear need for the network operators to do more to prevent unwanted SMS traffic, otherwise they risk irreparable damage to trust in the telecoms industry as a whole.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.