How do we tackle SMS spear phishing?

Not long after internet connections on mobile phones became commonplace, scammers realised they had another avenue for phishing attacks, says Claire Cassar.

Claire Cassar, CEO of HAUD

Half a decade or so since SMS phishing began to grow exponentially, I doubt many of you reading this can claim never to have received at least one unsolicited text message prompting you to click on a suspect-looking link.

It's fairly easy to identify these as phishing attacks. We've had them for years on email and social networks, and you may even have fallen victim yourself, sending out a mass-mailed apology to friends and contacts explaining how you had been ‘hacked’.

But what if you received a prompt to follow a link via text message from your bank, filed by your phone in a neat ‘conversation’ view alongside previous SMS correspondence informing you of your balance or telling you when your next statement was ready? You wouldn't question it, would you?

A2P messaging has become an important communication tool for the finance industry, offering banks the capability to interact with customers instantly, for all manner of purposes. It has also been touted as an extra layer of security in cases when identity authentication is required and for authorisation of payments.

The UK's Financial Fraud Action (FFA) group has recently highlighted a spate of highly sophisticated targeted SMS phishing attacks that mimic A2P messages from the recipient's bank. Fraudsters are able to send messages with the same SMS sender ID that the financial institution uses, fooling the phone's software into filing the messages in the same thread as genuine ones.

The messages often relay seemingly urgent information – a notification about a failed payment, for instance – which prompts the recipient to call a number or follow a hyperlink. It is at this point that the recipient falls into the trap, handing over card and account details before being financially exploited.

Katy Worobec, director of FFA, warned users to be “very wary if you get any call, text or email out of the blue, even if they state there has been fraud on your account. If you receive such a call do not give out any information if you are at all suspicious and instead contact your bank on a number that you know, waiting five minutes before you make the call.”

Trust is the foundation of the financial industry, so when fraudulent behaviour makes a bank's vital communication channels seem untrustworthy, it can do lasting damage to consumer confidence.

This is also true for mobile networks, and if operators don't act to minimise instances of A2P fraud, they may see consumer and business trust lost in their services.

Pressure on customer service

For networks, subscriber experience can be significantly affected by SMS phishing and when instances of fraud increase for any service provider, customer service departments are often the first to feel the backlash. With the volume of calls increasing, resources are diverted away from improving the customer experience across the board, so even those not affected directly by fraud suffer the consequences.

The key is for mobile network operators (MNOs) to enhance visibility and monitor all traffic being terminated on their networks. Filtering technology can act as a pre-emptive measure against fraud and pecuniary loss for all parties that invest in it. Working together, mobile operators and banks can ensure that only SMS from trusted sources are terminated on subscribers' phones, and thus prevent the distribution of phishing messages at source.
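The control described above, and the sender-ID spoofing it defends against, can be sketched in code. The following is an added example, not HAUD's product or anything from the article: a bank registers the alphanumeric sender IDs it uses and the interconnect routes those IDs may arrive on, and the operator's filter blocks a protected sender ID that turns up on any other route, so a spoofed message never reaches the handset's ‘conversation’ thread. Sender IDs, route names, keywords and messages are all constructed placeholders; the lookalike folding and the content heuristic for unregistered senders are assumptions added to make the example more general than the article's single case.

```python
"""Sender-ID trust filter for A2P SMS terminating on a mobile network.

Added illustration of the MNO/bank filtering approach described in the
article. Every identifier below (sender IDs, routes, sample texts) is a
constructed placeholder, not real operator or bank data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundSms:
    sender_id: str   # originator as the handset would display it
    route: str       # interconnect / aggregator the message arrived on
    text: str


# Registry of protected sender IDs -> routes allowed to originate them.
# Constructed; in practice populated jointly by the bank and the operator.
PROTECTED_SENDER_IDS: dict[str, set[str]] = {
    "EXAMPLEBANK": {"bank-aggregator-a", "bank-aggregator-b"},
}

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
# Assumed urgency markers; a real deployment would tune this list.
URGENCY_WORDS = ("failed", "suspended", "verify", "urgent", "locked")


def normalise(sender_id: str) -> str:
    """Fold case and drop separators so lookalikes such as 'Example-Bank'
    map onto the registered ID they imitate."""
    return re.sub(r"[^A-Z0-9]", "", sender_id.upper())


def classify(msg: InboundSms) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'deliver', 'block' or 'review'."""
    allowed_routes = PROTECTED_SENDER_IDS.get(normalise(msg.sender_id))
    if allowed_routes is not None:
        if msg.route in allowed_routes:
            return ("deliver", "registered sender ID on registered route")
        # The spoofing case from the article: the bank's ID, but not the bank's route.
        return ("block", "protected sender ID on unregistered route")
    # Unregistered originator: deliver, but hold phishing-shaped content for review.
    lower = msg.text.lower()
    if URL_RE.search(msg.text) and any(w in lower for w in URGENCY_WORDS):
        return ("review", "unregistered sender with urgent wording and link")
    return ("deliver", "unregistered sender, no risk indicators")


def filter_batch(messages: list[InboundSms]) -> list[tuple[str, str, str]]:
    """Classify a batch; returns (sender_id, verdict, reason) per message."""
    return [(m.sender_id, *classify(m)) for m in messages]


# Constructed sample traffic.
SAMPLE = [
    InboundSms("EXAMPLEBANK", "bank-aggregator-a",
               "Your statement for May is ready to view."),
    InboundSms("EXAMPLEBANK", "grey-route-x",
               "A payment failed. Verify your card at http://example.invalid/login"),
    InboundSms("Example-Bank", "grey-route-x",
               "Urgent: account locked, visit www.example.invalid"),
    InboundSms("+447700900000", "p2p-interconnect",
               "Running late, see you at 8"),
    InboundSms("PARCELCO", "bulk-aggregator-z",
               "Urgent: delivery suspended, verify at http://example.invalid/p"),
]

if __name__ == "__main__":
    for sender, verdict, reason in filter_batch(SAMPLE):
        print(f"{sender:>14}  {verdict:<8} {reason}")
```

The route check, not the message content, is what stops the spoofed message: the second and third samples carry the bank's sender ID (the third with a separator inserted to dodge an exact match) but arrive on an unregistered route and are blocked before delivery. The content heuristic only applies to originators nobody has registered, where the operator has no route information to trust and can at most queue the message for review.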

Subscriber churn

For MNOs, subscriber churn is particularly problematic. Reputation can be fragile and a high turnover of users will have a knock-on effect that can harm the overall brand.

A report by Harvard Business School estimated that mobile carriers in Europe battle between 20 and 38 percent churn. Users need to trust networks, and MNOs should be able to foresee potential threats; while malicious behaviour can't be stopped, appropriate insurance measures can be taken as a protection method. This will help to retain customers in the long term and avert defections caused by malicious activity.

Working together

It's not just banks that need to be responsive to SMS spear phishing. Any organisation that uses A2P messaging is a potential target of fraudulent activity.

Enterprises using SMS and A2P messaging as a primary means of communication need assurance that their messages follow a safe path from origination to their customers. A mobile network open to manipulation is a risk to a business's bottom line and longevity.

While consumers and mobile subscribers can be educated to identify obvious fraud, they are not always best placed to protect themselves from sophisticated attacks; the technology being used by scammers evolves, but so does the preventative technology.

MNOs have a responsibility to implement the necessary control measures and work jointly with ‘bait’ organisations, such as banks, to tackle the issues directly.

Contributed by Claire Cassar, CEO of HAUD.