Smishing and vishing, the new trend beloved by hackers
In the increasingly complex universe of cybercrime, thieves often run faster than guards. And the ending is almost never like the one in American films, where the good guys always win. Here, in the “real” life of the cyber world, hackers always seem to be one step ahead and, most of the time, they find a way to slip past checks and controls.
Among the techniques hackers have devised, there are two insidious variations on the theme of phishing: vishing (voice phishing) and smishing (SMS phishing). According to the latest quarterly Threat Trends Intelligence report by Agari and PhishLabs:
- Vishing attacks increased by almost 550% between Q1 2021 and Q1 2022
- Smishing attacks increased by more than 700% in the first two quarters of 2021. Indeed, according to research by EarthWeb, criminals sent 2,649,564,381 smishing messages during a single week in April this year.
There are several reasons for this shift. First, email spam filters are now widespread and, combined with greater user awareness (users are increasingly suspicious and careful before clicking on dubious links), form an ever stronger barrier against phishing emails.
Added to this is the fact that, unlike emails, text messages have a very high open rate, and most of them are opened within 15 minutes. In addition, mobile carriers have not yet developed message-filtering methods commensurate with the level of risk. Finally, there is the great ease with which a cybercriminal can nowadays obtain phone numbers.
With these easy parts taken care of, the scammer is left with the most entertaining task: inventing a story to act as a trap for the message recipient. It could be a problem with your current account or credit card, a win, prize, trip or lottery, or even the offer of free advice. In short, anything that can convincingly lead the unfortunate person to click on a malicious link and hand over all their data to criminals.
All roads lead to the same point
It was only a few months ago that the Italian Postal Police warned people to pay close attention to a smishing campaign targeting the account holders of several banks. The scam starts with a text message, apparently coming from the “IoSicuro system.” In the message, the unfortunate user is warned of an abnormal transaction on their current account and asked to promptly click on the link to verify the transaction. Needless to say, the link redirects to a clone of the bank’s site. To “access” it, the victim is asked to enter their online banking credentials and their phone number, thereby providing cyber criminals with everything they need.
The themes used are some of the most imaginative. In the US, nearly 60 million Americans lost money totalling about USD 30 billion to phone and SMS scams in 2020. Criminals offered free Covid test kits, or offered free help in filling out paperwork, such as applying for unemployment benefits, or posed as charities raising money to help those affected by the pandemic.
In short, the stories may be the most diverse, but they all lead to the same point: the handing over of user data or the installation of malware on the device.
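The lures described above share a recognisable shape: a link, a sense of urgency, a prize or a problem with an account, and a request for credentials. The following is an added example, not code from the article or from any vendor it mentions, showing how a defender could score incoming SMS text on those indicators. The brand names, domains and sample messages are constructed for illustration; the lookalike check uses a plain edit-distance comparison against an allowlist of a brand’s real domains and would need a public-suffix list in production.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: brand token -> the brand's real domain. Hypothetical
# names; a real deployment would use the organisation's own list.
LEGIT_DOMAINS = {
    "examplebank": "examplebank.com",
    "examplecard": "examplecard.com",
}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Lure categories drawn from the article: urgency, prizes/free offers, and
# requests for credentials or personal data. Each category scores one point.
KEYWORDS = {
    "urgency": r"\b(immediately|urgent(?:ly)?|within \d+ ?(?:h|hours?|minutes?)|suspended|blocked|abnormal|unusual)\b",
    "lure": r"\b(won|winner|prize|lottery|free|refund)\b",
    "data request": r"\b(password|pin|credentials|phone number|card number|log ?in|verify)\b",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def domain_findings(domain: str) -> list:
    """Flag shorteners, brand names embedded in unrelated domains, and lookalikes."""
    findings = []
    if domain in URL_SHORTENERS:
        findings.append((f"shortened link hides destination ({domain})", 1))
    for brand, legit in LEGIT_DOMAINS.items():
        if domain == legit:
            continue  # the brand's real site, nothing to flag
        if brand in domain.replace("-", ""):
            findings.append((f"brand '{brand}' embedded in unrelated domain {domain}", 3))
        elif levenshtein(domain, legit) <= 2:
            findings.append((f"{domain} is a lookalike of {legit}", 3))
    return findings


def score_sms(text: str) -> dict:
    """Return a score, a verdict and the human-readable indicators that fired."""
    findings = []
    for url in URL_RE.findall(text):
        findings.extend(domain_findings(registrable_domain(url)))
    for label, pattern in KEYWORDS.items():
        match = re.search(pattern, text, re.I)
        if match:
            findings.append((f"{label}: '{match.group(0)}'", 1))
    score = sum(points for _, points in findings)
    verdict = "likely smishing" if score >= 3 else "review" if score else "clean"
    return {"score": score, "verdict": verdict, "findings": [f for f, _ in findings]}


# Constructed sample messages (not real campaign text).
SAMPLES = [
    "ExampleBank: an abnormal transaction was detected on your account. Verify it "
    "immediately at http://examplebank-secure-verify.com/login or your card will be suspended.",
    "ExampleBank: your March statement is now available in the app. No action is required.",
    "Congratulations! You have won a trip to the Maldives. Claim your prize within 24 hours "
    "at https://bit.ly/claim-now",
    "Security alert from your bank: log in at https://examp1ebank.com/secure to confirm a transaction.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = score_sms(sms)
        print(f"[{result['verdict']:>15}] score={result['score']} {sms[:60]}...")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The point of scoring rather than matching a single keyword is that a genuine bank notification can legitimately mention a transaction or an account; it is the combination of a link to a domain the bank does not own with urgency and a request for credentials that marks the message as a trap.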
While smishing is dangerous, vishing is even more sneaky
Vishing is even more sneaky because on the other side of the phone is a voice that sounds very convincing and that calls from a seemingly known number. A “familiar” number that can be that of the bank, the insurance company or even your medical centre.
With the technology available today (for example, VoIP), criminals can create numbers with local prefixes (which people are much more likely to answer) or that seem almost identical to those of existing companies or organisations.
With the same ease with which these numbers are created, they can be discarded, with the consequence that tracking down the scammer becomes a very difficult task. Caller ID spoofing (using false caller ID information to mask the true source of an incoming call) is another technique that scammers regularly use to hide behind a seemingly real and legitimate caller ID.
For example, criminals who want to steal a bank account or login details often use call spoofing to pretend to call from a local bank or a well-known credit card company. The victim is much more likely to answer a call if the ID says it’s their bank or health centre than an unknown number.
After answering, the unfortunate interlocutor, convinced that they are talking to an operator at their bank or insurance company, or to their boss, will have no problem revealing their most personal details or carrying out very delicate transactions.
The news in recent years has also recorded cases of AI-generated voices which, imitating company CEOs, asked subordinates to transfer large sums of money. Obviously, the money, lots of money, went into the bandits’ account.
Investing in training and awareness is no longer an option
Sure, it sounds like a hard war to win. Cybercriminals are always ahead of the average user, and this awareness makes them feel even more invincible.
But it is a reality that must be confronted and that will require an ever greater investment of energy in the years to come, especially in terms of training and knowledge.
What is certain is that it is no longer possible to ignore, especially at the corporate level, the need for up-to-date training that can keep pace with the rapidly evolving nature of cybercrime. Criminals show no intention of giving up inventing new ways to defraud companies, administrations, corporations and private citizens.
The only thing that can stop them is to confront them with users who are prepared and able to respond to attacks with an equal amount of cunning. Considering that it is always the human factor that allows cybercriminals to get away with it, the preparation, awareness and correct digital posture of every user is the most effective barrier to stem the tsunami of cyber risk that seems unstoppable. But it isn’t.