The threat of scam text messages may now seem distant, even quaint. With all the new, exotic and sophisticated attacks that have arisen in the past decade, surely text message attacks are low on the list. But, they can still be a big problem.
Short message service (SMS) scams are social engineering attacks that work like email phishing attacks. Called ‘smishing’ (a portmanteau of SMS and phishing), the attacks aim to trick the victim into providing information or access that benefits the attacker.
One of the more effective and modern variants of scam text messages alert users of a new, incoming package delivery. Upon replying, the scammer harvests personal information for identity theft, monetary theft or the theft of company information. In one specific variant, the text directs victims to a website and offered a small gift (like a wristwatch) in exchange for participating in a survey. They’re asked for credit card information to cover shipping, and, of course, the credit card information is stolen.
Another scam text message campaign pretends to come from banks. It tricks victims into divulging their banking credentials. Once they’ve done so, the Emotet malware infects their machines.
Yet, another scam threatens the victim with violence if they don’t pay. These are different approaches to the same aim: all are designed to extract information from the target for nefarious purposes. What they all have in common is that they all want you to do something, like visit a website, click on a link or take some other action.
Other scam text messages reference food aid, jury duty, a mobile carrier, a bank, COVID-19 or human trafficking. It doesn’t always help to understand the specific content of text attacks that have already happened, though. Future attacks will be designed to surprise you with brand-new content.
Scammers are engaged in a back-and-forth fight with smartphone users as part of a larger arsenal of mobile scam techniques. And, they have two advantages. First, they leverage techniques that are the result of an evolutionary process of learning how to scam people. Next, victims aren’t aware that the conflict is even taking place.
The first step in social engineering is a misdirection: to excite the mind of the user and get them thinking about something emotional to disarm whatever skepticism they may have.
For example, “You’ve got a package!” “There’s a problem with your bank account!”
Another variation on this theme is to tap into a concern you already know people are thinking about. That’s why the people who send scam text messages love upsetting current events. Wildfires! Pandemics! Politics! Crime! Missing persons! By referencing current events, scammers are hoping to route around your defenses and get you to click or act.
Protecting against scam text messages is an important component of application security, mobile phone security and mobile data protection. Use training and awareness to inform people to:
Don’t be lulled into thinking that scam text messages are yesterday’s threat. In fact, text scammers are evolving, learning and changing. Train your staff to recognize, handle and report scam text messages and expect the unexpected.
4 min read – When ChatGPT and similar chatbots first became widely available, the concern in the cybersecurity world was how AI technology could be used to launch cyberattacks. In fact, it didn’t take very long until threat actors figured out how to bypass…
7 min read – In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has…
4 min read – When it comes to the first line of defense for any company, its Security Operations Center (SOC) is an essential component. A SOC is a dedicated team of professionals who monitor networks and systems for potential threats, provide analysis of…
5 min read – Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…
4 min read – The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…
8 min read – This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…
12 min read – ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.