Smishing is on the rise. In June of this year, Bank of Ireland customers were targeted by a string of smishing attacks. In August, the national center for cybersecurity in Brussels warned of a ‘tsunami’ of smishing attempts about to hit the country.
The spike in this type of scam is not an accident, and it deserves a closer look at what is happening and what is driving the increase.
Smishing, otherwise known as SMS phishing, is a form of social engineering attack that targets victims on their mobile phones. It exploits people’s trust in their banks by sending them fraudulent messages attempting to trick them into giving out confidential information that fraudsters then use to take over their accounts.
In other cases, even just clicking on a fraudulent link in one of these texts can install malware on the person’s phone designed to enable fraudsters to gain control over the device and compromise sensitive information.
Smishing attacks are often used to defeat two-factor authentication by duping customers into handing over their strong authentication codes, effectively bypassing this security measure and allowing attackers to take over accounts or alter transactions.
As with all social engineering attacks, the human element makes them extremely hard for banks to detect, since they allow attackers to impersonate legitimate customers.
Fraudsters targeted Bank of Ireland customers by inserting fraudulent texts into legitimate message threads between the bank and its customers.
The fraudulent message claimed that the customer’s card had been skimmed during a purchase or at an ATM and as a result had been deactivated. It asked customers to follow a link and input their card details to order a new one.
Believing the message to be legitimate, many customers followed the instructions and clicked on the link which transported them to a fake Bank of Ireland website, where they unknowingly handed over their ATM card details to cybercriminals.
Overall, it is believed these account-takeover cash-out attacks netted over €800,000, stolen from up to 300 account holders. Individual customers reported losses of as much as €20,000.
To prevent future smishing attacks and help its customers stay safe, the Bank of Ireland has launched an awareness campaign specifically around the threat of smishing and how to spot it.
For one, most people who use online banking services own a mobile phone and tend to be on them most of the time, providing fraudsters with a direct line to unsuspecting customers.
Mobile phones are also not typically what customers think of as likely threat vectors; they are such a personal device that the idea a fraudster could drain your bank account through one is unthinkable.
Additionally, the pandemic has generated a greater reliance on our phones and the internet than ever before, which gives fraudsters a greater breadth of opportunity for social engineering campaigns.
The aforementioned attacks also highlight the fact that people are more likely to trust a text message than other forms of communication, such as email.
One reason for this is that there is now a high level of awareness around fraudulent email campaigns, including the risk of clicking on links in unsolicited emails.
People seem to be much less alert to the dangers of text messages, not least of all because fraudsters have managed to insert these texts into legitimate message threads with customers and their banks. It’s this level of sophistication that compelled the Bank of Ireland to launch an awareness campaign and reimburse its customers, thereby setting a precedent for the industry.
Taking responsibility for losses due to fraud is a principle echoed by initiatives set up in several countries around the world to increase customer trust in banks, such as the Contingent Reimbursement Model in the UK.
This means banks not only have an incentive to raise awareness around fraud, they also need to prioritize preventing fraud altogether, to avoid costly reimbursement as well as the inevitable loss of customer trust, along with the brand damage that a publicized attack brings.
Detecting and preventing social engineering techniques such as smishing requires a different approach, because a successful smishing attack leaves the perpetrator holding a customer's legitimate details, which they can then use to impersonate that customer and commit fraud. Traditional fraud detection methods cannot easily identify these stolen-credential impersonation attacks.
Behavioral biometrics is the most adept solution to preventing this type of impersonation-based fraud, because it doesn't look at what is being entered, but how it is entered. If a customer's actions don't match their typical past actions when entering the same information, such as the rhythm and cadence of their typing, fraud alerts are sent to the bank so it can take action.
Even if a smishing attack is successful, and the customer does hand over their legitimate details, analyzing the behavioral biometrics of the fraudster means the bank will be able to detect if there has been some kind of account takeover or customer manipulation, and stop the fraudulent transaction from taking place.
By building behavioral biometrics into their cybersecurity solutions, banks can detect anomalies in user behavior in real time, identifying those caused as a result of social engineering and flagging any suspicious behavior before any harm is done.
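As an added illustration (not code from the original article or from any particular vendor), here is a minimal keystroke-rhythm anomaly check of the kind described above: a profile is built from the customer's past sessions, and a new session is flagged when its typing rhythm deviates from that profile, regardless of whether the details entered are correct. All timing data is constructed, and the two-feature profile, the SD_FLOOR constant and the threshold of 3 standard deviations are assumptions; production systems use many more features and calibrated models.

```python
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): inter-key intervals in ms
# captured while the customer typed the same card-number field on four
# past, known-good logins. One list per session.
BASELINE_SESSIONS = [
    [120, 140, 120, 140],
    [110, 130, 110, 130],
    [125, 155, 125, 155],
    [125, 135, 125, 135],
]

# Constructed sessions to score: the genuine customer on a new login, and a
# fraudster entering the same (correct) details with a different rhythm.
GENUINE_SESSION = [125, 140, 120, 145]
FRAUDSTER_SESSION = [40, 45, 40, 45]

SD_FLOOR = 1.0  # assumed floor so a zero-variance baseline cannot divide by zero


def session_features(intervals):
    """Two rhythm features per session: average gap and its variability."""
    return mean(intervals), pstdev(intervals)


def build_profile(sessions):
    """Per-customer profile: mean and spread of each feature across sessions."""
    means = [session_features(s)[0] for s in sessions]
    sds = [session_features(s)[1] for s in sessions]
    return {
        "mean": mean(means), "mean_sd": max(pstdev(means), SD_FLOOR),
        "sd": mean(sds), "sd_sd": max(pstdev(sds), SD_FLOOR),
    }


def anomaly_score(profile, intervals):
    """Largest z-score of the new session's features against the profile."""
    m, s = session_features(intervals)
    z_mean = abs(m - profile["mean"]) / profile["mean_sd"]
    z_sd = abs(s - profile["sd"]) / profile["sd_sd"]
    return max(z_mean, z_sd)


def is_anomalous(profile, intervals, threshold=3.0):
    """Flag the session for the bank's fraud team when the rhythm deviates."""
    return anomaly_score(profile, intervals) > threshold


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for name, sess in [("genuine", GENUINE_SESSION), ("fraudster", FRAUDSTER_SESSION)]:
        print(name, round(anomaly_score(profile, sess), 2), is_anomalous(profile, sess))
```

The fraudster session scores more than twelve standard deviations from the customer's usual rhythm even though every digit typed is correct, which is exactly the gap that credential-only checks leave open.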