The scam that hides in your smartphone

Security Awareness
30 November 2022

“Take everything from me, but not my smartphone”. By paraphrasing a well-known advertisement, this thought could be attributed, without much error, to the majority of the population, given that the mobile phone has become a necessary tool for carrying out a large number of daily activities and, at the same time, a very valuable database of personal information.

So much so that losing it represents, for almost all of us, one of our worst nightmares. In Italy, the adult population that owns a smartphone is approaching 94%, according to the Digital Consumer Trends Survey 2022 by Deloitte. It is a fact that certainly has not gone unnoticed by those who make cybercrime their profession. The smartphone appears to have become one of the main vectors of scams and, in addition to the traditional techniques of phishing, smishing and vishing, one perpetrated through QR codes, called ‘QRishing’, has recently been added.

This is what emerges from the APWG report, which showed that fraud perpetrated through smartphones grew by 70% in the second quarter of 2022 compared with the first quarter of the year, and that it mainly concerns the financial sector.

The undisputed stars for this type of device are therefore bank scams that are implemented through fraudulent email (phishing), deceptive SMS (smishing), phone calls from false banking operators (vishing) and, last but not least, so-called ‘QRishing’ fraud.

QRishing – easy to scan, easy to use

QRishing directs victims to malicious sites in order to steal their login credentials as well as their financial information. These are basically phishing attacks that use QR codes and that, just as in the case of email attacks, leverage the curiosity of the unfortunate person by inducing them to unknowingly scan the malicious codes.

Legitimate company QR codes are used by hackers to redirect potential victims to malicious websites designed to steal their personal and financial information, install malware on devices, or divert payments to accounts under the control of hackers.

Due to the wide and sudden spread of this kind of fraud, the FBI added QRishing attacks to those reported by its Internet Crime Complaint Center (IC3) in February.

Phishing – the most widely used for fraud related to electronic payments

But the most insidious threat, and by far the weapon hackers prefer, remains phishing.

This was recently confirmed by Threat Landscape 2022, the report of the European Union Agency for Cybersecurity (ENISA), now in its tenth edition and published on 3 November, which summarises the general picture of cybersecurity and the main trends observed over the year.

The Internet Organised Crime Threat Assessment 2021 (IOCTA) published by the European Police Office (EUROPOL) confirms that phishing and social engineering represent the main attack vectors in fraud relating to electronic payments and the banking and financial sector.

Smishing – disruption to home banking accounts

Smishing is a phishing attack that uses text messages instead of emails. The scammer sends an SMS that has every appearance of coming from a trusted company. The content of the message may concern a problem with the user’s home banking account (unauthorised access, imminent risk of the card being blocked, etc.), or a prize or voucher of some kind to be redeemed.

Each of these SMS messages contains a link; clicking it redirects the victim to a website showing a form to be filled in with personal data or bank details. All of this information is, of course, passed straight on to the criminals.

Vishing – the fake bank agent

Vishing, on the other hand, is a method of stealing personal information through voice contact. The attacker, or an accomplice working on their behalf, calls the victim pretending to be a bank employee, a post office worker, a healthcare company or a telephone company.

It is an attack that usually begins with a message that contains a telephone number to contact, always with the usual objective: to convince the victim to provide information for access to a bank account or to their health records or to download a malicious file (malware) disguised as a system or service update.

This is a particularly insidious crime, because the fraudsters who carry it out are acting on the emotional sphere of the victim, appealing to the need and urgency of a certain behaviour that is necessary to avoid serious and imminent consequences.

In large organisations, with multiple offices and departments, it is very easy to find victims who fall into the trap, thus opening the doors of the entire corporate information assets to criminals.

It should also be considered that VoIP (Voice Over IP) technology allows malevolent actors to create virtual phone numbers with geographic prefixes (to which people are much more likely to respond) or that seem almost identical to those of real companies or organisations.

In addition, caller ID spoofing is used to hide the real number and make the call appear to come from a lawful service. The likelihood that the victim will answer is high, since the number shown by the caller ID looks legitimate. All this makes it very difficult to recognise the scam on our smartphone and to track down the scammer.

How to defend oneself

There are ways to defend yourself against these threats, and they must always be kept in mind. First of all, it is important to always check the sender’s address and any URLs for errors or anomalies, which should immediately raise the suspicion of a scam attempt. In any case, it is better not to open any link unless you are completely sure of its authenticity.
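The advice above (check the sender and the URL for small errors) can be turned into a simple defensive check a user or a help desk could run on a link decoded from a QR code or copied from an SMS. This is an added example, not code from the original article; the trusted-domain list, the look-alike substitution table, the two-label rule for the registrable domain and all sample URLs are assumptions constructed for illustration.

```python
"""Heuristic inspection of a link received by SMS, email or QR code.
Added example, not part of the original article; the trusted-domain list
and every sample URL below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allow-list: the domains the user really banks with.
TRUSTED_DOMAINS = {"examplebank.it", "esempioposte.it"}

def normalise(name: str) -> str:
    """Fold common look-alike substitutions (0/o, 1/l, rn/m, vv/w, ...)."""
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s")):
        name = name.replace(bad, good)
    return name

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means the
    host is one of the trusted domains itself, served over HTTPS."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # already lower-cased by urlsplit
    reasons = [] if parts.scheme == "https" else ["not https"]
    if not host:
        return reasons + ["no host name"]
    if host.replace(".", "").isdigit():  # bare IPv4 literal, no brand at all
        return reasons + ["bare IP address instead of a domain"]
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homoglyph domain)")
    # Assumption: the registrable domain is the last two labels (no PSL).
    domain = ".".join(labels[-2:])
    if domain in TRUSTED_DOMAINS:
        return reasons
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in labels[:-2]:         # brand appears only as a subdomain
            reasons.append(f"trusted name '{brand}' used only as a subdomain")
        elif levenshtein(normalise(domain), normalise(trusted)) <= 2:
            reasons.append(f"looks like {trusted} but is actually {domain}")
    return reasons or [f"unknown domain {domain}"]
```

The check is deliberately conservative: anything that is not exactly a trusted domain over HTTPS gets at least one reason, so the output is a prompt to verify through an independent channel, not a verdict.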

It is also good practice to always use strong, non-trivial passwords, or to install a password manager. These measures, although important, do not guarantee protection, because what allows criminals to get away with it is always the human factor. This is the weak link in the chain, the crack through which malicious actors sneak in. Without the right preparation, awareness and correct digital posture, no password will do the trick: sooner or later, the attack will come.

This is why it is crucial to be trained, prepared and continuously updated, both at work and in our daily lives: not only on the right digital posture when using computers, but also when using smartphones, devices from which we practically never part and which we now use for most daily activities.
