SMiShing Scam - A New Age Crime
NEERAJ AARORA, AICWA, LLB, PGD (Cyber Law), ACFE (USA)
A new word has been added to the cyber crime lexicon: “SMiShing”, a variant or cousin of phishing. Computers are no longer the only devices susceptible to online attacks. Fraudsters increasingly target users of cellular devices with mobile spam that attempts to trick them into revealing personal information, or that is used to remotely control or hack the mobile device. The term combines “phishing” with “short message service (SMS)”, and the attack is initiated via text message. Thus, SMiShing refers to a phishing attack sent via Short Message Service on cell phones.
SMiShing attacks can take different forms and serve different purposes for the perpetrator. Some examples are as follows:
Fraudsters are now sending text messages to the cellular devices of customers of banks and financial institutions to lure them into giving out personal information. Cases have been reported in the US where customers of banks and credit card companies received unsolicited text messages purportedly sent by the bank. The victims receive a text message on their cell phone warning that their bank account has been closed due to suspicious activity. It then tells them they need to call a certain phone number to reactivate the account. A typical SMiShing SMS can appear as follows:
“Dear Customer, we regret to inform you that we had to lock your bank account access. Call 1-800-xxx-xxxx to restore your bank account.”
As the above SMS suggests, there is of course a “social engineer” at the other end of the line, probably waiting for prey. Unsuspecting callers who dial the number provided in the text message are taken to an automated voice mailbox that prompts them to key in their credit card or debit card number, expiration date, and PIN to verify their information. Once the gullible caller keys in the information, the account is compromised and the fraudster gets away happily with the money.
Another, more deadly form of SMiShing is when users of Web-enabled cell phones receive an SMS that goes like this: “We’re confirming you’ve signed up for our dating service. You will be charged $2 per day unless you cancel your order.” The message includes a URL which, if clicked on, downloads a Trojan horse that could give criminals access to the Web-enabled phone or allow it to be remotely controlled by hackers. The consequences can be horrendous, all the more so because the victim does not know that the Web-enabled phone has been compromised. There is more to it: through a cell phone that belongs to an organization and that the employee uses to access the organization’s network, that network can be attacked by the virus.
Internet-enabled phones have inherent security weaknesses which are exploited by fraudsters. Security experts warn that any smartphone, including Blackberry, Windows Mobile, iPhone and Symbian phones, can be hacked. The fraudster simply sends spyware or snoopware through an SMS/MMS which may be disguised as an SMS from the service provider. The moment the SMS is clicked, the spyware/virus gets activated. It starts working quietly, and the victim has no clue that the phone is bugged and remotely controlled by a hacker. Once the virus is in, it can block or modify SMSes, intercept calls, upload data, and delete or copy the address book.
How to avoid SMiShing:
- Never open an unsolicited SMS, especially on a web-enabled phone or smartphone.
- Even if you have opened the SMS, inadvertently or otherwise, do not open the link in an unsolicited SMS; it may be a Trojan attack.
- Please always remember that your bank or credit card company would never ask for your personal information via e-mail or SMS or phone.
- Even if you need to call the bank, don’t try the number given in the SMS; instead, try the one given in your bank account statement.
- Prevention is better than cure; don’t display your wireless phone number or e-mail address in public. This includes newsgroups, chat rooms, Web sites, or membership directories.
- Protect your Cellular devices with antivirus, firewall, anti-SMS spam, and data encryption technologies and install regular security updates to protect phones from viruses and other malware.
Last but not the least, if you fall prey, do not shy away from the police or law enforcement agencies. Immediately lodge a complaint or FIR. It may help the law enforcement agencies catch the perpetrators, and it can also save you from possible criminal liability, as the perpetrator of the crime may be posing as you.
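The warning signs in the two sample messages above, and the advice to trust only the number on your bank statement, can be expressed as a simple triage check. This is an added example, not part of the original article; the phrase lists, the `triage_sms` function, the placeholder URL and the benign sample are assumptions made for illustration.

```python
import re

# Patterns modelled on the two message types described in the article.
# Phrase lists are illustrative assumptions, not a vetted ruleset.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Callback numbers, including masked digits written as "x".
PHONE_RE = re.compile(
    r"(?<!\w)(?:\d{1,3}[\s.-])?\(?[\dx]{3}\)?[\s.-][\dx]{3}[\s.-][\dx]{4}(?!\w)",
    re.I)
PRESSURE_RE = re.compile(
    r"\b(?:lock(?:ed)?|closed|suspended|suspicious activity|"
    r"you will be charged|unless you cancel|reactivate|restore)\b", re.I)
SECRET_RE = re.compile(
    r"\b(?:pin|password|card number|expir(?:y|ation) date|cvv)\b", re.I)


def triage_sms(text, known_bank_numbers=frozenset()):
    """Return (verdict, findings) for one SMS body."""
    findings = []
    urls = URL_RE.findall(text)
    # Keep digits and "x" only, so formatting differences do not matter.
    numbers = {re.sub(r"[^\dx]", "", n.lower()) for n in PHONE_RE.findall(text)}
    # Numbers that are not printed on the customer's own statement.
    unknown = numbers - set(known_bank_numbers)
    pressure = bool(PRESSURE_RE.search(text))
    secrets = bool(SECRET_RE.search(text))
    if urls:
        findings.append("link: " + ", ".join(urls))
    if unknown:
        findings.append("callback number not on statement: "
                        + ", ".join(sorted(unknown)))
    if pressure:
        findings.append("pressure wording")
    if secrets:
        findings.append("asks for card/PIN details")
    if secrets or (pressure and (urls or unknown)):
        return "suspicious", findings
    if urls or unknown:
        return "review", findings
    return "no indicators", findings


# Constructed samples: the first is the text quoted in the article, the second
# uses the article's wording plus a placeholder URL, the third is benign.
SAMPLES = [
    "Dear Customer, we regret to inform you that we had to lock your bank "
    "account access. Call 1-800-xxx-xxxx to restore your bank account.",
    "We're confirming you've signed up for our dating service. You will be "
    "charged $2 per day unless you cancel your order. http://example.test/cancel",
    "Your statement is ready. For help call 1-800-555-0100.",
]
```

A "review" verdict means the message carries a link or an unverified number without pressure wording; passing the numbers from your statement as `known_bank_numbers` clears messages that only cite those.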