Behind every SMS scam is someone capable of using spoofing attacks and social engineering techniques to exploit victims – and trends. Our Threat Intelligence team has detected numerous scams piggybacking off various trends – be it in the form of seasonal holiday scams, or attacks exploiting global events like the Covid-19 pandemic and Russia’s invasion of Ukraine. SMS scammers keep a keen eye on what is going on in the world and are constantly looking for new opportunities to exploit subscribers.
Covid-19 SMS Scams
The Covid-19 pandemic undoubtedly affected the lives of the global population. Many of us were contacted via SMS regarding PCR tests, public health advice and Covid-19 vaccinations. This communication gave threat actors a chance to masquerade as legitimate public health bodies, tricking mobile users into clicking links and retrieving sensitive information. We have described the anatomy of Covid-19 scam text messages in a previous blog.
A good example of a Covid-19 messaging scam we have observed is one that occurred in Canada. This attack commenced very shortly after the Canadian government had announced the provision of welfare payments to individuals who may have been out of work due to Covid-19. The attackers designed an SMS message purporting to be from a public health body offering the subscriber an opportunity to claim a welfare payment. As is standard with phishing scams, the message contained a shortened URL which directed the user to a very convincing website (well designed with no spelling mistakes, used real logos). The site was even bilingual (English and French), which is a requirement for official Canadian websites.
Once the user arrived on the site, they were directed to enter their social security number which the site then pretended to process. After a short amount of time – 10 seconds or so – the site claims that the user is entitled to a welfare payment. The user was then provided with a link to select their bank from a list of Canadian financial institutions so they could “claim” their payment. Once selected, the they were taken to a fake login page for their bank where they were prompted to input their details.
Unfortunately, we know that SMS scams related to the pandemic are still ongoing, despite the reduction in Covid-19 restrictions. The following is an example we recently identified in the UK:
In this instance, the scammer uses fear mongering as a social engineering technique intended to get the recipient to act without thinking. Messages like these remain a threat to mobile subscribers, with scammers taking stock of new developments in the course of the pandemic and adapting accordingly.
Identity Theft of Ukrainian Charities
Another momentous event being broadcasted on the global stage is Russia’s invasion of Ukraine (Read about the role of mobile networks in the invasion here) Many charities have been set up to aid Ukrainians since the beginning of the invasion in February 2022. Unfortunately, mobile scammers have been taking advantage of these efforts, usually by spoofing the identity of legitimate charities. These attackers send SMS messages containing a link to an unsecure website to mobile subscribers, claiming to be from established charities. The message will usually incorporate social engineering tactics such as creating a sense of urgency and appealing to the receiver’s goodwill to get them to click the link and “donate” to the charity. Of course, there will be no donation - once the victim has entered their financial information on the scammer’s website, the details are likely to be used to defraud the individual. Bad actors may also pose as a charity that does not exist rather than spoof an established organization. Websites like Charity Navigator and CharityWatch can be used to check the legitimacy of different charities. A list of the top-rated charities to help Ukraine can also be found here.
We have seen the opportunistic nature of SMS attacks in terms of large-scale global and political events. Just as we are constantly innovating and deploying new methods to protect mobile subscribers, so too are scammers (this is why managed security is so important). Christmas, Easter, Valentine’s Day, New Years – these holidays give rise to new trends each year as media teams and marketers strive to make this year’s event more exciting than the last, thus opening new avenues for fraudsters who deploy holiday SMS attacks.
This year at Eastertime, the following message was circulated over WhatsApp, claiming to offer the recipient a “Free Easter Chocolate Basket” on behalf of Cadbury. The brand often gets creative around Easter, having carried out similar initiatives in the past so many mobile subscribers may not have been suspicious of this message designed to steal personal information, which could in turn be used for identity theft. Credit: Sky News
Similarly, romance fraud has become commonplace around Valentine’s Day each year. Many of us watched in disbelief this year as multiple women were defrauded by their so-called boyfriend in Netflix’s true crime documentary The Tinder Swindler. Romance scams usually start off on online dating sites, or social networking sites. However, after some time the scammer will want to lure the victim over to WhatsApp or SMS based communication. Romance scams rely heavily on social engineering techniques, with the fraudster aiming to get the victim to drop their guard and gain their trust. The scammer usually steals the identity of someone else to appear more desirable to their target. These scams have been extremely effective. In Australia, for example, a record of $56 million in losses was reported in 2021 – up 44% from last year.
Parcel Delivery Scams
Times of the year that evoke lots of online shopping, like Black Friday, Cyber Monday, and Christmas, also see a rise in scam texts. In particular, fake text messages related to parcel delivery tend to shoot up. Note the use of a shortened URL and personalization here. These are very convincing – even If you are not expecting a delivery, the use of a name can be enough to make you assume it is a legitimate message.
Credit: ABC News
In this blog, we have seen that bad actors are continually evolving their techniques when it comes to SMS attacks, crafting compelling scam campaigns incorporating identity spoofing and social engineering techniques to trick and exploit mobile subscribers. Users must be wary of the messages they receive, watching out for shortened URLs, spoofed phone numbers/senders and social engineering tactics like creating a sense of urgency or attempting to elicit an emotional response. In terms of mobile network security, the examples above indicate the scope and variation of SMS scams, and the attacker’s ability to evolve. Thus, managed security is essential for identifying new scams promptly and keeping subscribers protected. You may also be interested in reading our post on payday loan scams in Mexico.
Caitriona is a recent graduate of the National University of Ireland, Galway, where she completed a bachelor’s degree in global commerce. As part of her degree, Caitriona studied abroad in Canada and worked as a marketing intern back in Ireland. Over the course of her studies, she developed a passion for both marketing and cybersecurity, specialising in marketing in her final year. Caitriona is now working as a marketing assistant at AdaptiveMobile Security, a role that marries both of her passions.