Belfast Telegraph

Smishing: Security experts urge vigilance over scams that use text messages to steal personal information

Cybercriminals are using targets' mobile phones to break into accounts and steal personal information, in so-called 'smishing' attacks that have cost some victims thousands of pounds.

Due to publicity campaigns and a general increased awareness of online security, many internet users would be able to spot a 'phishing' email if they received one.

Phishing can take a number of forms, but generally involves a victim being duped into handing over personal information by a fake but genuine-looking message, typically an email.

Smishing works on the same principle, but uses victims' mobile phones to carry out the con.

There's a number of different types of smishing attacks, but hackers commonly use password recovery features employed by email providers to break into targets' email accounts. Armed with only their victim's email address and phone number, which they can easily find online, a hacker can take advantage of some websites' security features to gain access to private information.

One scenario described by online security company Symantec involves a hacker attempting to log in to a target's account using their email address, before clicking the 'I forgot my password' prompt.

The hacker can then choose to get a one-off login code sent to the target's mobile via SMS, if they have this security feature set up. Once the code is delivered, the hacker will immediately follow up with a smishing text designed to look like it comes from the email provider, which could say something like: 'We have detected unauthorised activity on your account. Please reply with your verification code.'

The victim, worried by the prospect of being hacked, replies with the code - the hacker can then log in to their account with the code and change the password, locking the victim out.

With unrestricted access to the email account, the hacker is able to access private information and sensitive documents, and even gain access to social media and banking accounts by changing passwords on other sites.

These kinds of attacks have hit victims hard, and banks and security experts are urging people to be more cautious. One Santander customer had £22,700 taken from his bank account in January this year, after cybercriminals used smishing to get him to reveal a 'one-time password' to his account.

As This is Money reports, the hackers managed to 'spoof' their phone number, making their fake message appear in a thread of earlier, genuine texts from Santander. When the victim got the text, which told him there had been suspicious activity on his account, he had no way of immediately telling anything was amiss.

Most people are vigilant about scams like these when they see them on their desktops or laptops, but they may not be as eagle-eyed on their mobiles - especially when scam texts appear to come from legitimate senders.

Fortunately, simply by adopting the same security practices as they would for traditional email phishing attacks, users can protect themselves.

As Tim Keanini, chief technical officer at cybersecurity company nCircle, told PC World: "Everyone needs to take a hard line with text messages - don't trust anything. If you have the slightest doubt about the authenticity of the message, don't even think about clicking."

Banks also say that they will never ask customers to move money from their accounts due to security problems. They'll also never ask for personal or security information via phone call, text message or email - so by being aware of the issue and staying vigilant on your mobile, you could stop yourself from becoming a victim of smishing.


Independent News Service