The shopping season recently ended, which once again brought the topic of smishing to the fore, with dozens of false “non-delivery” messages designed to steal money, data and identities.
There is some good news, however. According to Proofpoint data, the growth of smishing has slowed in many areas over the past 18 months, becoming more of an established feature of the landscape rather than an emerging threat.
However, the risk remains significant and, in many cases, attacks are becoming increasingly targeted and dangerous.
New conversational attacks
Over the past year, we’ve seen rapid growth in conversational attacks conducted on mobile devices. These tactics involve cybercriminals sending multiple messages, which mimic patterns of authentic engagement to build trust. Over this period, we have seen conversational attack volume increase by 318% globally, 328% in the US, and 663% in the UK.
Pig butchering, the cryptocurrency scam, is perhaps the best-known example of a conversational threat. But it’s certainly not the only one.
In some parts of the world, impersonation has become a significant trend. In this case, the attacker pretends to be someone known to the victim, such as a family member, friend or co-worker, to increase the likelihood that the victim will trust the message and be lured into a conversation.
In the UK, but also in many other countries, one of the most common impersonation tactics sees the potential scammer pretending to be a boy or girl who has lost or broken their phone.
This is a classic example of social engineering, exploiting parental anxiety to circumvent usual caution. The next step in conversational abuse typically involves convincing the victim to log into WhatsApp or another messaging service before requesting a money transfer. In this case, the sum is likely to be small, but we have seen significant amounts requested and received through a variety of conversational lures.
Similar messages have also been reported in New Zealand. In the United States, the impersonation is more likely to be that of a friend or business acquaintance, claiming to have lost contact or asking to meet. Methods that are successful in one country are often applied in others, with little variation, so it may not be long before the UK’s “Hey Mum” becomes the US’s “Hey Mom”.
Additionally, as layoffs and economic uncertainty remain a reality for many, hiring scams have also moved from email to mobile. After an initial approach via SMS, attackers will try to continue the engagement on another messaging service. Victims may be targeted for advance payment fraud, have personal data stolen, or be recruited to launder money for criminal groups.
You should remain vigilant and report dangerous messages
Slowing growth might seem like good news, but in reality smishing attacks have simply become ubiquitous, growing in sophistication and cunning, with the risk to users and the mobile ecosystem remaining severe. Phones are still at the center of everyone’s personal, professional and financial lives. As scams become more numerous and targeted, the cost of becoming a victim of an attack can be significant.
If you happen to come across smishing, spam or other suspicious content, be sure to use the reporting features offered by the Android systems e iOS.
“The abuse of SMS and social media conversations is particularly concerning because threat actors spend time and effort (often weeks) to establish trust with their targeted victims by initiating what begins as an innocuous text conversation, designed to deceive them, thus bypassing technical and human defenses. There are many variations of these attacks and mobile users should be very skeptical of any messages from unknown senders, especially considering that AI tools are allowing threat actors to make their attacks more realistic than never,” he emphasizes Stuart JonesDirector, Cloudmark Division di Proofpoint.