'Smishing' scams could cost victims thousands of pounds, internet security experts warn

Hackers using 'smishing' attacks attempt to dupe victims into giving up personal information through text messages

Doug Bolton
Tuesday 16 February 2016 11:47 EST
One victim lost £22,500 in January 2016 in a smishing attack (MEHDI FEDOUACH/AFP/GettyImages)

Cybercriminals are using targets' mobile phones to break into accounts and steal personal information, in so-called 'smishing' attacks that have cost some victims thousands of pounds.

Due to publicity campaigns and a general increased awareness of online security, many internet users would be able to spot a 'phishing' email if they received one.

Phishing can take a number of forms, but generally involves a victim being duped into handing over personal information by a fake but genuine-looking message, typically an email.

Smishing works on the same principle, but uses victims' mobile phones to carry out the con.

There are a number of different types of smishing attack, but hackers commonly use password recovery features employed by email providers to break into targets' email accounts. Armed with only their victim's email address and phone number, which they can easily find online, a hacker can take advantage of some websites' security features to gain access to private information.

One scenario described by online security company Symantec involves a hacker attempting to log in to a target's account using their email address, before clicking the 'I forgot my password' prompt.

The hacker can then choose to get a one-off login code sent to the target's mobile via SMS, if they have this security feature set up. Once the code is delivered, the hacker will immediately follow up with a smishing text designed to look like it comes from the email provider, which could say something like: 'We have detected unauthorised activity on your account. Please reply with your verification code.'

The victim, worried by the prospect of being hacked, replies with the code - the hacker can then log in to their account with the code and change the password, locking the victim out.

With unrestricted access to the email account, the hacker is able to access private information and sensitive documents, and even gain access to social media and banking accounts by changing passwords on other sites.

These kinds of attacks have hit victims hard, and banks and security experts are urging people to be more cautious. One Santander customer had £22,700 taken from his bank account in January this year, after cybercriminals used smishing to get him to reveal a 'one-time password' to his account.

As This is Money reports, the hackers managed to 'spoof' their phone number, making their fake message appear in a thread of earlier, genuine texts from Santander. When the victim got the text, which told him there had been suspicious activity on his account, he had no way of immediately telling anything was amiss.

Most people are vigilant about scams like these when they see them on their desktops or laptops, but they may not be as eagle-eyed on their mobiles - especially when scam texts appear to come from legitimate senders.

Fortunately, simply by adopting the same security practices as they would for traditional email phishing attacks, users can protect themselves.

As Tim Keanini, chief technical officer at cybersecurity company nCircle, told PC World: "Everyone needs to take a hard line with text messages - don't trust anything. If you have the slightest doubt about the authenticity of the message, don't even think about clicking."

Banks also say that they will never ask customers to move money from their accounts due to security problems. They'll also never ask for personal or security information via phone call, text message or email - so by being aware of the issue and staying vigilant on your mobile, you could stop yourself from becoming a victim of smishing.
