One victim lost £22,500 in January 2016 in a smishing attack

'Smishing' scams could cost victims thousands of pounds, internet security experts warn

Hackers using 'smishing' attacks attempt to dupe victims into giving up personal information through text messages

Doug Bolton
Tuesday 16 February 2016 16:47

Cybercriminals are using targets' mobile phones to break into accounts and steal personal information, in so-called 'smishing' attacks that have cost some victims thousands of pounds.

Due to publicity campaigns and a general increased awareness of online security, many internet users would be able to spot a 'phishing' email if they received one.

Phishing can take a number of forms, but generally involves a victim being duped into handing over personal information by a fake but genuine-looking message, typically an email.

Smishing works on the same principle, but uses victims' mobile phones to carry out the con.

There are a number of different types of smishing attack, but hackers commonly use password recovery features employed by email providers to break into targets' email accounts. Armed with only their victim's email address and phone number, which they can easily find online, a hacker can take advantage of some websites' security features to gain access to private information.

One scenario described by online security company Symantec involves a hacker attempting to log in to a target's account using their email address, before clicking the 'I forgot my password' prompt.

The hacker can then choose to get a one-off login code sent to the target's mobile via SMS, if they have this security feature set up. Once the code is delivered, the hacker will immediately follow up with a smishing text designed to look like it comes from the email provider, which could say something like: 'We have detected unauthorised activity on your account. Please reply with your verification code.'

The victim, worried by the prospect of being hacked, replies with the code - the hacker can then log in to their account with the code and change the password, locking the victim out.
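The scenario above leaves a recognisable pattern on the victim's phone: a genuine one-off code arrives, then a second text asks for it to be sent back. The following Python sketch is an added example, not part of the original article or of Symantec's material; the sample messages, keyword lists and ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inbox: (time received, displayed sender, message body).
INBOX = [
    (datetime(2016, 2, 16, 9, 0, 5), "MailProvider",
     "Your verification code is 482913."),
    (datetime(2016, 2, 16, 9, 0, 40), "MailProvider",
     "We have detected unauthorised activity on your account. "
     "Please reply with your verification code."),
    (datetime(2016, 2, 16, 12, 30, 0), "Mum",
     "Can you send me the door code again?"),
]

CODE_WORD = re.compile(r"\b(?:code|password|passcode|otp)\b", re.I)
CODE_VALUE = re.compile(r"\b\d{4,8}\b")
ASK_VERB = re.compile(r"\b(?:reply|respond|send|text|confirm|provide)\b", re.I)
WINDOW = timedelta(minutes=10)  # assumption: how long a recovery code stays useful


def flag_code_requests(messages, window=WINDOW):
    """Return (time, sender, severity) for every text that asks for a code.

    The displayed sender is never used as evidence of legitimacy, because a
    spoofed message can land in the same thread as genuine ones.
    """
    findings = []
    last_delivery = None  # time the most recent one-off code arrived
    for received, sender, body in sorted(messages, key=lambda m: m[0]):
        has_word = CODE_WORD.search(body) is not None
        if has_word and CODE_VALUE.search(body):
            last_delivery = received  # a code was delivered, nothing was asked
            continue
        if has_word and ASK_VERB.search(body):
            follows_code = (last_delivery is not None
                            and received - last_delivery <= window)
            findings.append((received, sender, "high" if follows_code else "review"))
    return findings


if __name__ == "__main__":
    for received, sender, severity in flag_code_requests(INBOX):
        print(received.isoformat(), sender, severity)
```

The request that arrives 35 seconds after the code is rated "high"; the unrelated message hours later is only marked for review, which shows that the timing, not the sender name, carries the signal.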

With unrestricted access to the email account, the hacker is able to access private information and sensitive documents, and even gain access to social media and banking accounts by changing passwords on other sites.

These kinds of attacks have hit victims hard, and banks and security experts are urging people to be more cautious. One Santander customer had £22,700 taken from his bank account in January this year, after cybercriminals used smishing to get him to reveal a 'one-time password' to his account.

As This is Money reports, the hackers managed to 'spoof' their phone number, making their fake message appear in a thread of earlier, genuine texts from Santander. When the victim got the text, which told him there had been suspicious activity on his account, he had no way of immediately telling anything was amiss.

Most people are vigilant about scams like these when they see them on their desktops or laptops, but they may not be as eagle-eyed on their mobiles - especially when scam texts appear to come from legitimate senders.

Fortunately, simply by adopting the same security practices as they would for traditional email phishing attacks, users can protect themselves.

As Tim Keanini, chief technical officer at cybersecurity company nCircle, told PC World: "Everyone needs to take a hard line with text messages - don't trust anything. If you have the slightest doubt about the authenticity of the message, don't even think about clicking."

Banks also say that they will never ask customers to move money from their accounts due to security problems. They'll also never ask for personal or security information via phone call, text message or email - so by being aware of the issue and staying vigilant on your mobile, you could stop yourself from becoming a victim of smishing.
