The blocked parcel SMS scam: how criminals take advantage of Black Friday and Cyber Monday

by admin

“Dear customer, we understand an anomaly on his account”. And again: “Your parcel was withheld at our dispatch center.” These are just two examples of the scam SMS messages that are arriving on the smartphones of numerous users. They are short messages with alarming phrases, which originate from unknown senders and invite the recipient to click on a link: a trap set by cybercriminals aiming to steal banking data and credentials. “It’s pure phishing, the goal is to steal money and personal information. It is not a direct attack on one or a few specific people, but it is massive and relies on large numbers, on hitting the largest number of victims possible”, explains Riccardo Croce, Deputy Commissioner of the Postal Police. “The package delivery formula is widely used, considering the increase in online purchases and especially in times of Black Friday, Cyber Monday and Christmas shopping. We are witnessing a resurgence of this phenomenon”.

Over the past two months, the Postal Police has seen a surge in phishing reports. “Between October and November we received at the portal of the online police post office 2227 records relating only to the fraudulent SMS of the blocked parcel”, Croce tells us, underlining that generally some of these reports lead to complaints at police offices or initiate investigations on the initiative of the police. “They thus become treated cases, to which are added the other cases handled, which come from citizens who do not use the portal but go directly to the offices”.

How the scam works
One of the most used formulas is that of the blocked package. Perhaps we have made a purchase on an e-commerce platform and are waiting to receive the product: cybercriminals try to take advantage of these situations, now so frequent with the boom in online commerce. The message that arrives on our mobile phone sometimes also seems to come from the courier in charge of delivery: the link contained in the text of the SMS leads to a clone of the express courier's real site. It is a fake page, designed to steal our personal data and our payment card details. And the goal is not just to empty our balance. “When the user arrives at the payment method screen on the fake website, enters their personal details, card numbers and verification code, they end up handing the scammer a lot of valuable banking information. But it’s not just their financial credentials”, adds the expert, underlining that “if the cards are emptied, the user’s personal data can be used for many illicit purposes: they can be sold on the dark web or exploited for identity theft, to enter into contracts and activate users in the name of other people”.

The threat of phishing in Italy
Beyond the SMS of the blocked package, the phishing formulas adopted by cybercriminals in our country are of different types. “From January to October 2021 we have negotiated 12505 phishing cases”, the expert recalls, underlining that the sums stolen through these activities amounted to approximately 27 and a half million euros.

Among these cases there is certainly email phishing: e-mails that seem to come from public institutions or companies. In reality they are traps that can contain a malicious attachment, such as a Word or PDF file that hides malware, or that host a link to a phishing site in the text. In both cases, the goal is to steal the victim’s personal data and banking credentials. Then there is smishing, that is to say phishing by SMS (such as that of the parcel or of the blocked account): a scam through an SMS that appears to come from a courier, from a bank or from the post office. “A threat that at times cleverly exploits a technical tool called a telephone alias: the scam message not only appears to the recipient as coming from a reliable number, such as that of a financial institution, but is queued in the user’s mobile phone for other messages – this time real – received from that financial institution”. In addition, there is vishing, a kind of voice phishing. Leveraging VoIP technology, the scammer calls the victim while simulating the phone number of the victim's bank and pushes them to communicate their data and codes.

Sometimes these three forms of phishing go hand in hand. “In the past few months we have faced a bank fraud which combined these three different modalities. The cybercriminals knew the victim’s name and surname, his telephone number and the bank where he was an account holder”, the deputy chief of police of the Postal Police tells us. “The first step is to send the phishing SMS, that communicates to the recipient the existence of a danger, of a threat of some kind. That message invites the user to click on a link that leads to the phishing clone site, developed to steal the victim’s home banking credentials.” Once that data has been stolen, however, the scammer also needs the virtual token, that is to say the device code that authorizes the payment, which is increasingly generated by the bank’s app on the smartphone. And this is where vishing comes into play: “The victim has now entered into total panic, he is in a state of agitation and is in a hurry to resolve the situation. So she is reached by a phone call apparently coming from the bank. In reality it is the scammer, who takes advantage of this moment of weakness of the victim to tread the hand and persuade her to generate the virtual token and read it over the phone”.


The reports on social networks
On its Twitter account, the State Police also launched an alert: “Beware of fake SMS that contain links to unblock a package. You are asked to enter your credit card details with consequent withdrawal of a large sum from the account”. The reports from citizens are numerous: many have posted them on the social network, commenting on the State Police's tweet. Some have received a message warning of an anomaly on the account, which risks being blocked. Others, that the account will be suspended. Still others, that a parcel in delivery has been blocked.

In some cases, the recipient name. And there is no shortage of people who have received both types of SMS.

Tips to avoid the scam
The pool of potential victims is vast. It is not necessarily only the elderly, the frail or the less attentive who fall into such traps. These attacks take place on a large scale and also affect people who are perfectly capable of handling these kinds of pitfalls and other cyber threats. “A moment of weakness can happen, the moment in which you are distracted or tired, or when you are anxiously awaiting a package and are more inclined to click that phishing link”, notes the deputy chief of police of the Postal Police, who adds: “We must always be prudent and follow this rule: always be wary and check later”.

First of all, it is good to check that the message received by SMS is credible by reading the text carefully (are there errors? Is it written in correct Italian?) and by looking at the phone number it comes from. Then, before entering personal data or card details on a web page, you need to check that the page is authentic, paying attention to the text used and to the graphic elements, which may be sloppy and makeshift: you can also compare it with the actual website of the delivery company. But above all, it is necessary to verify that the connection is protected, that is to say that the page where payment credentials are to be entered uses the HTTPS protocol (the protocol that protects the integrity and confidentiality of the data exchanged).

“Finally, there are the search engines. Since these are very large-scale frauds, it is highly likely that I am not the first victim”, concludes the expert, inviting users to always consult official sources that report on these phenomena, such as the site of the Postal Police. And if someone unfortunately falls victim to these traps, the advice is to block the card immediately and report to the police at once, also to prevent the illegal use of their personal data.
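
The link checks from the tips above, applied to the text of a received SMS, as an added example that is not part of the original article. The domain `courier.example`, the alarm-word list and both sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the courier's real domain comes from a bookmark or the order
# confirmation, never from the SMS. "courier.example" is a placeholder.
OFFICIAL_DOMAINS = {"courier.example"}
ALARM_WORDS = ("blocked", "withheld", "suspended", "anomaly", "unblock")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Constructed sample messages, not real campaign data.
CLONE_SMS = ("Your parcel was withheld at our dispatch center: "
             "https://courier-example.track-parcel.test/pay")
REAL_SMS = "Out for delivery today: https://www.courier.example/track/123"

def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

def check_link(url, official=OFFICIAL_DOMAINS):
    """Return the warning signs found in one link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # https protects the connection but says nothing about who runs the
    # site, so it can only add a finding, never clear a link.
    if parts.scheme.lower() != "https":
        findings.append("no https")
    if parts.username:  # https://real-name@other-host/ loads other-host
        findings.append("userinfo before host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host")
    if not is_official(host, official):
        findings.append("host is not the courier's domain")
        if any(d.split(".")[0] in host for d in official):
            findings.append("courier name in unrelated host")
    return findings

def triage_sms(text, official=OFFICIAL_DOMAINS):
    """Check every link in an SMS and flag alarm wording."""
    links = [u.rstrip(".,;:)!?\"'") for u in URL_RE.findall(text)]
    report = {u: check_link(u, official) for u in links}
    return {"alarm_wording": any(w in text.lower() for w in ALARM_WORDS),
            "links": report, "suspicious": any(report.values())}

if __name__ == "__main__":
    for sms in (CLONE_SMS, REAL_SMS):
        print(triage_sms(sms))
```

The clone link in the first sample uses https and still fails, because the host comparison against the known courier domain is the check that exposes a cloned site.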
