The FBI's Internet Crime Complaint Center (IC3) recently published a warning about Smishing and Vishing. These mobile phone threats are variations of phishing, but smishing uses SMS texts to initiate the scam, while vishing uses automated phone calls.
These threats are new variations on an old and costly mythology of identity theft. The problem here is that mobile users who are novice with regard to computer security threats are simply unaware they are in jeopardy when they respond to text and audio phishing on their mobiles.
Similarly, sophisticated corporate IT users who should know better, are similarly compromised via their mobile phones.
Just to backup a step, SMS stands for short message service. SMS is also often referred to as texting, sending text messages or text messaging. The service allows for short text messages to be sent from one cell phone to another cell phone or from the Web to another cell phone.
Just because the SMS service runs on a phone does not make it impervious to computer phishing.
The particularly nasty form of SMS spam called smishing, is the act of phishing by SMS for private information, often to be used for identity theft. These smishing attempts take the form of text messages and voice massages, which come to your phone saying things like "We’re confirming you've parcel delivery” Your account status as been changed or ABC credit card is confirming your purchase."
The user is given a phone number to call or a website to log onto to provide account credentials to remedy the issue. Or the victim is directed to a spoofed web site. A spoofed web site is a fake site that misleads the victim into providing personal information, which is in turn routed to the scammer's computer.
If a victim attempts to telephone back to the inbound number of a phishing call they will most probably encounter no voice mail or a constantly busy signal. This is due to attackers calling from throw-away, untraceable phones, rendering these calls virtually untraceable.
The FBI report said a recent smishing scam was used to steal money from customers of a credit union. After receiving a text about an account problem, victims called the number provided and gave out their personal information. Within 10 minutes money was withdrawn from their bank accounts. The same technique also recently used to attack banking customers who were told via text that they needed to reactivate their ATM cards at a bogus web site.
What to do. What not to do.
Once again, here are old and trusted simple steps to avoid being a victim of identity theft and fraud:
• Do not respond to respond to text messages or automated voice messages from unknown or blocked numbers.
• Do not respond to unsolicited (spam) email.
• Do not click on links contained within an unsolicited email.
• Be cautious of email claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Avoid filling out forms contained in email messages that ask for personal information.
• Do compare the link in the email with the link to which you are directed. Look and see for yourself if it is the legitimate URL address. Better still, just log directly onto the official web site for the business identified in the email. If the email appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
• Do contact the actual business that supposedly sent the email to verify if the email is genuine.
• Do verify any requests for personal information from any business or financial institution by contacting them using the main contact information.
Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca