What is the True Cost of SMS Phishing?

Gemma Staite, Threat Analytics Lead


Cybercriminals will recycle attack strategies for as long as they are effective. In fraud, scammers will keep using a method for as long as victims continue to fall for it. SMS phishing is no exception, as shown by a recent wave of attacks worldwide, particularly in Asia, that caused millions of dollars in financial damages.

SMS phishing, often known as smishing, is a type of social engineering assault that preys on victims through their mobile devices. Smishing attacks use texts that appear to be sent by reputable sources. The messages contain links that drive unsuspecting victims to a phishing site where they are asked to divulge personal information, download malware onto their mobile device, or provide a one-time passcode that will allow a criminal to bypass multi-factor authentication (MFA).

Smishing has increased significantly across the globe and complaints about SMS spam increased over 140% last year. Smishing remains a big concern as users spend so much time on their mobile devices – an average of five hours per day in 2021. In addition, users are much more likely to open a text message. According to MobileMarketer.com, SMS recipients open 98% of their text messages while email recipients only open about 20% of their messages.

Launching attacks has also become easier for criminals. There are SMS bots that can be used to intercept the one-time passcode (OTP) most banks use for step-up authentication. There are bots that can reach thousands of potential victims at a time with messages that appear to come from a victim’s bank or other trusted brand. Netflix, the most popular streaming service in the world, was recently exploited to serve as the face of a massive smishing campaign that attempted to divert users to a phishing site.


Beyond SMS Fraud Losses: A Case From Singapore

A smishing attack’s fraud losses are far from insignificant. An alleged recent attack in Singapore cost a bank S$13.7 million across 790 victims. That works out to an average of S$17,300 ($12,800 USD) per person. The business is required to pay around $4 for every dollar the customer loses due to fraud. This high cost excludes reputational damages and any potential clients lost as a result of people associating the institution with higher scam risk.

Direct fraud losses can be quantified, but other costs are not so easy to put a price tag on. First, there are operational costs, such as an increase in calls to the contact centre; this one attack reportedly caused calls to surge 40% in one week. Second, there are reputational costs from the negative headlines that follow such an attack being reported in the media, and the customer attrition that may result. Finally, there are potential regulatory costs when such incidents catch the attention of regulators.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) released a set of guidelines in response to the recent string of smishing attacks targeting banking customers. Some of the security measures make sense, such as removing clickable links from emails and SMS messages sent to customers. However, others seem counterintuitive and go against the very premise of convenience offered by digital banking: for example, requiring notifications to, and confirmation from, customers for every transfer that exceeds S$100. This adds unnecessary friction for customers who have come to rely on the ease of digital transactions on the go.
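As an added example (not code from the original article), the Python below covers both the inbound side described earlier (a text carrying a link whose domain does not belong to the brand the message claims to be from, a request to reply with a one-time passcode, urgency wording) and the outbound side of the MAS/ABS measure just mentioned (a bank's own customer messages should carry no clickable links). The brand allowlist, the domains and the sample messages are constructed for illustration, and the registrable-domain extraction is a crude last-two-labels approximation rather than a public-suffix list.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist (hypothetical): brands a customer might expect SMS from,
# mapped to the registrable domains those brands legitimately use.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "netflix": {"netflix.com"},
}

# Any http(s) or www. link in the message body.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
# A request to *send back* a passcode, as opposed to a bank delivering one.
OTP_SOLICIT_RE = re.compile(
    r"\b(reply|enter|send|provide|share|confirm)\b[^.]{0,40}"
    r"\b(otp|one[- ]time pass\w*|verification code)\b",
    re.IGNORECASE,
)
# Pressure language typical of social-engineering texts.
URGENCY_RE = re.compile(
    r"\b(suspend\w*|locked|immediately|within 24 hours|verify now|unusual activity)\b",
    re.IGNORECASE,
)


def extract_urls(text):
    """Return every link found in an SMS body."""
    return URL_RE.findall(text)


def registrable_domain(url):
    """Crude registrable domain: last two host labels (no public-suffix list; demo assumption)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def claimed_brand(text):
    """Which allowlisted brand, if any, the message presents itself as."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_inbound_sms(text):
    """Score an inbound text for smishing indicators; higher means more suspicious."""
    v = Verdict()
    brand = claimed_brand(text)
    for url in extract_urls(text):
        dom = registrable_domain(url)
        if brand and dom not in BRAND_DOMAINS[brand]:
            v.score += 3
            v.reasons.append(f"link domain {dom} does not belong to claimed brand {brand}")
        elif not brand:
            v.score += 1
            v.reasons.append(f"link to {dom} from an unrecognised sender")
    if OTP_SOLICIT_RE.search(text):
        v.score += 2
        v.reasons.append("message asks the recipient to hand over a one-time passcode")
    if URGENCY_RE.search(text):
        v.score += 1
        v.reasons.append("urgency language")
    return v


def outbound_link_violations(text):
    """Links found in a bank's own outbound SMS; a non-empty list violates the no-links measure."""
    return extract_urls(text)


# Constructed sample messages (not taken from any real campaign).
SMISH_BRAND_LOOKALIKE = ("ExampleBank: Unusual activity detected. Verify now at "
                         "http://examplebank-secure.example.net/verify or your account will be suspended.")
SMISH_OTP_REQUEST = "ExampleBank: to cancel the transfer of S$2,000 reply with the OTP we just sent you."
LEGIT_OTP_DELIVERY = "ExampleBank: Your OTP is 482913. Do not share it with anyone."

if __name__ == "__main__":
    for msg in (SMISH_BRAND_LOOKALIKE, SMISH_OTP_REQUEST, LEGIT_OTP_DELIVERY):
        v = triage_inbound_sms(msg)
        print(v.score, v.reasons)
    print(outbound_link_violations("Dear customer, review your account at https://examplebank.example/login"))
```

The point of the allowlist check is that a lookalike host can contain the brand's name and still resolve to someone else's registrable domain, which is exactly what the link-domain rule catches; the OTP rule deliberately matches only solicitation so that a bank's genuine passcode delivery scores zero.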

Increasing friction doesn’t make fraud issues disappear. Additionally, it can cause customers to lose track of messages and become confused, leading them to miss important alerts when fraud may be present.

Increasing current fraud controls

Because device, IP, and network-based restrictions can block fraud, scammers have developed ways to get around them. Cybercriminals will always find new, cunning ways to social engineer around authentication restrictions. Banks must examine users’ behaviour patterns, including how they type, move the mouse, and navigate a website, in addition to the device they are using. By adding behavioural biometrics to their existing fraud controls, several sizeable financial institutions are already achieving better fraud detection outcomes for a variety of use cases, such as account takeover, account opening, social engineering fraud, and mule account identification.
