Don’t Get Caught in a SMiShing Scam
The word ‘SMiShing’ may sound like gibberish — we think it’s a weird one — but some of the world’s largest enterprises are losing millions of dollars to these scams every year.
Similar to phishing, the fraudulent act of sending imitation emails claiming to be a corporation in order to obtain personal information from customers, SMiShing uses SMS (short message service) to achieve the same outcome.
Scammers are taking to SMS to prey on people’s trust, (A text message feels more personal than an email nowadays.) panic or sense of urgency. These messages are disguised as a warning from your bank about an unauthorized charge or an alert about an unidentified user accessing one of your accounts. The goal? To lure you into providing account information — such as a login name, password or credit card info — by tapping on a link and entering your information into a look-alike website.
SMiShing is only one tactic used to steal personal information. People must also be wary of the following:
- Spoofing: Hackers set up fake connections in high-traffic areas such as airports, libraries or coffee shops and use a generic name to encourage people to connect. Often times, users must create an “account” and include some sort of personal information in order to connect. As many individuals use the same email and password combination for a variety of services, hackers use this to compromise their email and other secure information.
- SIM swap attacks: This is one of the fastest-growing and most devastating fraud vectors tormenting consumers and organizations alike. According to Javelin Strategy & Research, in 2017 account takeover attacks via SIM swaps cost Americans 62.2 million hours of lost time and $5.1 billion in monetary losses. Organizations that fail to protect their users may find themselves liable for billions in lost funds.
- Bluejacking: A hacking method where hackers can send anonymous messages to Bluetooth-enabled devices within a certain radius. First, hackers scan the surroundings in search of other Bluetooth-enabled devices then send an unsolicited message to a detected device in hopes to connect and gain control of the device.
While cyber scams and identity theft attacks are one of the fastest growing threats facing users today, it’s not just a consumer issue. Often times, businesses are liable for the fraud losses. Even when they’re not, they suffer irreparable damage to their brand loyalty and reputation. While people should absolutely educate themselves on potential threats and put the right safeguards in place, we maintain that businesses, vendors and providers ultimately bear the responsibility of protecting their users.
The current CTIA regulation in the US allows enterprises to be fined if their customer is a victim of these attacks. So, by law, corporations have the obligation to protect their clientele from telecom-based attacks. This is particularly true when the scam is initiated using a corporation’s digital “address” such as their IP address or telephone number.
Clearly, no one organization is immune to these scams, but regulated institutions suffer disproportionately. These firms often have the most to lose as they’re stewards of our most personal (i.e. valuable) information. Think banks and healthcare companies. As these are highly commoditized industries, they often turn to customer support and user experience as a way to differentiate their offerings. This, in turn, has led to the proliferation of mobile as a channel to reach and engage consumers. Great for customers, better for fraudsters. The question then becomes the following: how does a reputable business *really* know who they’re interacting with on the other end of the device?
Over the past decade, there have been significant advancements in the realm of digital trust and mobile identity. That said, fraudsters need to eat, too. Every time the industry innovates, fraudsters respond in kind. Thus, the single best thing organizations can do to help thwart attacks against their users is to work with reputable vendors who are compliant with local telecoms regulations and actively work to remove potential threat vectors from their network.
In short, enterprises need to be out in front of these threats, and they bare an obligation to protect the data their customers have entrusted to them. Customers should never be in a situation where they have to decide whether the SMS they received from your brand is legitimate. Don’t let your customers fall prey to a SMiShing scam–ensure you partner with a safe and compliant network provider for all your customer outreach.