Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Beware! Phishing Text Messages Soar in Volume and Sophistication

June 1, 2022

Naked Security reported on May 30 about the dangers of dangers lurking in your text messages. SMS-based phishing is known as “smishing.” Not only is it in widespread use, it’s getting much more professional. We see these regularly now.

There are many variants, but the post covers home delivery scams, where the criminal poses as a company (often a well-known company) that apologizes to you via text about not delivering something you ordered. Clink on the link above to see how sophisticated these attacks look in comparison to scams that are easily recognized.

And let’s face it, we’re all ordering a lot online, setting ourselves up as perfect victims. You will be shocked (not) to hear that the exemplar scam highlighted in the post was served up by a hosting company based in Russia.

Hosting companies often provide ready-to-go web server templates, complete with HTTPS certificates that put a padlock in the address bar. Even if the service provider is responsive to complaints and turns off the website within a day or two, the criminals may have gotten everything they were after from their fake server already.

Interesting, when the investigators tried the URL in this scam, they routinely experienced HTTP 404 errors (page not found) when visiting from a regular browser. This means that the website was alive and responding, but effectively ignoring the requests.

But as soon as they used a mobile browser, as you would likely do when receiving a link directly on your mobile phone, the site was live.

No obvious spelling errors and a realistic logo. What should tip you off is the request for personal info. In this case, the phishers ask for a modest redelivery charge which they use as an excuse to ask for payment details, including your credit card info and bank details.

The criminals will likely use your information to pursue a more ambitious scam – or they may simply sell your information to other criminals.

In this case, there is a small delay while the site “verifies” your payment – in that small delay, the fraudulent site transfers you to the real one, so things appear to have ended normally.

Now that we are seeing this activity in the wild, it is time to make sure “smishing” is included in your cybersecurity awareness training for your employees!

Tips from the post:

“Check all URLs carefully. Learn what server names to expect from the companies you do business with and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.

Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all. Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.

Report compromised cards or online accounts immediately. If you get as far entering any banking data into a fake pay page and then realize it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number.

Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.”

Bottom line – go directly to the sites with which you deal and if you are asked for personal data and it smells fishy, don’t give your data away.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson