Phishing is a mode of cyberattack whereby a malicious actor impersonates a reputable identity and uses fraudulent communications to trick users into clicking a malicious link embedded in a text message or email. The attacker then steals sensitive user data such as credit card numbers, bank account numbers and login information, or installs malware on the victim's devices.
While email phishing scams are the most common, SMS phishing, or smishing, is on a constant rise globally, with such occurrences being more pronounced during the holiday period.
In December 2021, for instance, close to 500 customers of a major bank in Singapore fell prey to such SMS phishing scams, resulting in S$8.5 million being siphoned away. This incident, which caused many to lose their entire life savings in a short period of time, has since put the vulnerabilities of text messaging security in the spotlight.
This incident serves as a red flag for other organizations, as SMS messaging is a popular yet insecure marketing and communication tool.
Using SMS aggregators, or third-party service providers that handle SMS messaging for businesses, malicious actors can easily send SMS messages under the name of a trusted organization to commit fraud.
In the above-mentioned case, fake SMS messages appeared in the same thread as legitimate bank messages offering two-factor authentication (2FA) and transaction alerts, leading customers to think that the text messages came from a trusted source. Links were shortened to disguise the actual URLs, making it difficult for customers to verify their authenticity. Many of the customers did not receive a one-time password (OTP) for verification, as the OTPs were likely intercepted by malware installed on their phones or diverted to an overseas telco that had been hacked.
What made these fake messages even more convincing were links that led customers to fake sites that looked genuine. Customers ended up keying in login information, which attackers then used to siphon away money.
Vigilance and education
Campaigns to draw awareness to phishing attacks and educating users on the methods that attackers use are very important. Despite reminders by banks for customers to refrain from clicking on unknown links in SMS messages, many customers still do so. Instead of relying on SMS notifications, banks can turn to app notifications to send information to customers. While this cannot completely eradicate scams, it can significantly thwart fraudulent attempts.
Mandating the registration of SMS senders is also an important measure to counter such malicious attacks. Many countries have already adopted this approach to prevent attackers from spoofing organizations’ SMS sender IDs. In Singapore, the Infocomm Media Development Authority (IMDA) launched a pilot scheme for this registry in August 2021. The IMDA has since urged more organisations to sign up with an anti-SMS spoofing registry. It would also be mandatory for all banks, SMS aggregators and telcos to sign up with the national registry.
Specifically targeting the banking sector, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have introduced new measures for banks to enhance digital banking security.
In the UK, where smishing increased sevenfold in the first half of 2021 compared to the second half of 2020, the National Cyber Security Centre (NCSC) has issued guidelines for organizations to avoid using web links in SMS messages. Where links are unavoidable, organizations should not use URL shortening services that obscure the website domain.
Needless to say, telcos also play a crucial role as secure gatekeepers. In November 2021, the Philippines' National Privacy Commission (NPC) launched an investigation into smishing, requiring telcos to submit documents and information involving data aggregators, owing to a rise in SMS text scams. As the first line of defence, Globe Telecom had reportedly blocked more than 1 billion scam messages last year.
In Australia, a new regulation that came into effect in November 2021 allows telcos to identify and block malicious SMS messages at the network level.
With the responsibility to safeguard users' interests, telcos need to be proactive in bolstering network-level protection. Telcos can optimize SMS firewalls with artificial intelligence and machine learning, identifying white route traffic and blocking grey route traffic to address smishing even before such messages reach their targets.
In Singapore, where telcos prepend a prefix to overseas calls to alert users to a potential scam call, overseas SMS messages can be given a prefix as well.
Evidently, the growing threat of phishing is too great to ignore. Jointly, authorities, organizations, telcos and consumer groups must strengthen resilience against similar scams to prevent undesired losses and damages.
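As an added illustration of how the controls discussed above fit together (a sender-ID registry, the NCSC advice against links that obscure the destination domain, and content screening before a message reaches the handset), the following Python sketch screens constructed sample messages against a hypothetical registry. It is not code from the article, from any telco or from any regulator; the registry entries, the shortener list and the sample messages are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical sender-ID registry (constructed for this example): each
# registered alphanumeric sender ID maps to the web domains that organisation
# is known to use in its messages.
SENDER_REGISTRY = {
    "EXAMPLEBANK": {"examplebank.com.sg"},
}

# Illustrative list of URL-shortener hosts (constructed; not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Matches http(s):// URLs and bare www. links inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _host(url):
    """Extract the lower-cased hostname, tolerating links without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _matches_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def screen_sms(sender_id, body):
    """Return a list of reasons the message looks suspicious (empty if none).

    Checks, in order: is the sender ID registered; does any link use a
    shortener that hides the destination; does every link point at a domain
    the registered sender actually owns.
    """
    findings = []
    registered_domains = SENDER_REGISTRY.get(sender_id.upper())
    if registered_domains is None:
        findings.append(f"sender ID {sender_id!r} is not in the registry")
        registered_domains = set()
    for url in URL_RE.findall(body):
        host = _host(url.rstrip(".,;:)"))
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides the destination domain: {url}")
        elif not any(_matches_domain(host, d) for d in registered_domains):
            findings.append(f"link domain {host!r} does not belong to the sender: {url}")
    return findings


# Constructed sample messages mimicking the patterns the article describes:
# a genuine alert, a shortened link, a look-alike domain, and a spoofed sender ID.
SAMPLE_MESSAGES = [
    ("EXAMPLEBANK", "Your OTP is 123456. Do not share it. Manage alerts at "
                    "https://www.examplebank.com.sg/alerts"),
    ("EXAMPLEBANK", "Unusual activity detected. Verify your account now: "
                    "https://bit.ly/3xyzabc"),
    ("EXAMPLEBANK", "Your account has been suspended. Restore access: "
                    "https://examplebank.com.sg.account-verify.example/login"),
    ("EXAMPLEBNK", "Security notice: confirm your login at "
                   "https://examplebank-secure.example"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_MESSAGES:
        verdict = screen_sms(sender, text)
        print(f"[{sender}] {'OK' if not verdict else 'FLAGGED'}")
        for reason in verdict:
            print(f"    - {reason}")
```

The third sample shows why a plain substring check is not enough: the host begins with the bank's real domain but is registered under a different one, which the suffix comparison in `_matches_domain` catches. In a real deployment the registry lookup would be the telco's authoritative allow-list and the shortener list far longer, but the screening logic itself would be the same.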