Robbed in Broad Daylight – SMS Identity Theft

As I scroll back over the recent SMS history on my mobile phone I see that a number of companies ranging from banks and e-tailers, to social networks have contacted me with automated messages. 

These Application to Person (A2P) SMS messages are meant to increase the efficiency of their business and crucially, the security of their services.

But ironically, with the rise of these A2P SMS messages, sent for purposes such as new service activation, two factor authentication (2FA) and password reset, comes the opportunity for another avenue of cybercrime exploits…SMS Identity Theft!

Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name. One aspect of identity theft is to steal a user’s details for online account access.  Some example SMS messages we have seen at AdaptiveMobile include (some brands redacted):

This approach, using SMS messages that resembles legitimate enterprise A2P messages, is becoming an increasing brand-damaging trend for many businesses, so much so that they are being driven to invest in broad consumer education through mainstream media advertising.

For example, Barclays Bank have now created a broadcast TV information advert which is also up on YouTube on the official Barclay’s channel at:

http://www.youtube.com/watch?v=XIKC8pKFol0

The advert shows how easy it is to become a victim of such A2P SMS fraud. It is not surprising how successful these scams can be as they often take advantage of new creative approaches, using confidence tricks to encourage some individuals into giving away their private information.

Such social engineering techniques clearly play a big role in delivering effective attacks by criminals. AdaptiveMobile continue to identify and block hundreds of thousands of attempts daily through our Messaging Protection solution deployments across the globe. For example, the following is a visualisation of such attacks occurring in the US using real life data, and highlights both the volume and sophisticated nature of these attacks. Visualizations of these messaging attacks demonstrate the effectiveness of these fraudulent manipulations, and illustrate the clever timings used that are designed to defraud unsuspecting consumers into divulging their personal banking access credentials.

Snapshot 1 - Psychological Manipulation: Attack “loops” show high volume of attack traffic appearing to come from local legitimate bank branches.

Snapshot 2 - Clever Timing: Attacks are seasonal - when banks’ helplines are often closed

In this attack, messages from local numbers appear more genuine to unsuspecting individuals. This then combined with closed customer helplines over national holidays increases the likelihood of a response - just what the criminals need to increase their success rate and ROI.

The use of legitimate A2P SMS by customer contact services such as the banking community has become commonplace. From individuals to enterprises to mobile operators, we now all need to be vigilant and take precautions to protect ourselves from the nefarious cybercriminals exploiting the growth in this type of communication.