SMS scam: a timeless evergreen

Security Awareness
8 February 2024

The latest case of smishing raises an alarm that should never go unnoticed

Rather than weapons, masked faces, daredevil escapes and dangerous actions. Today, an SMS is enough to empty your bank accounts.

The latest victim was a pensioner from Favaro Veneto a few days ago who had his account cleaned out in a few minutes and who found himself immediately afterwards, cursing not only the criminals who cheated him, but above all, his own naivety.

The elderly man received a fake text message from the bank that reported “a suspicious transaction” and, to generate even more trust, hinted at the possibility of talking to an operator to avoid the card being blocked. Of course, the phone call from the fake anti-fraud operator alerting him to the “checks in progress” on the current account was also a scam.

However, the victim was already in a very emotional, worried state and, therefore, was not thinking clearly.
A mental state that paves the way for criminals. The hacker in question had thus indicated to the victim all the procedures to be followed to block the payment. After closing the phone, the man waited for a text message telling him that the operation “had been successful”. Instead, a new phone call came from the number 39-113, this time from a fake policeman who advised the victim to contact the toll-free number of their bank to avoid the “fraud that was still ongoing”. At that point, the man began to have suspicions and contacted the real police, who, of course, denied having called.

At that point, the victim realised what had happened, but by now, the game was over; he had fallen into the trap, and the money he had in his account (all his savings) had disappeared and ended up in someone else’s account.

Basically, it is like waking up with a bad bump on the head, which can leave very deep and painful marks.


Let’s talk more precisely about smishing, the SMS attack technique, and vishing (voice phishing), which are certainly not new, but which are gaining significance as threats also because attacks are becoming increasingly targeted and dangerous, such as the one that happened to the man from Favaro Veneto.

The attacker may pretend to be a policeman or a bank employee, as in the case just reported, or a person known to the victim, such as a family member, friend or co-worker, to increase the likelihood that the victim will trust the message and be lured into a conversation that will then lead them to hand over their personal data.

Over the past year, researchers have reported a rapid growth in attacks conducted through mobile devices. These involve cybercriminals sending multiple messages that aim to generate authentic involvement, build trust and drag the victim into the trap.

In this period, the increase in the volume of “conversational” attacks was 318% globally, 328% in the United States and 663% in the United Kingdom.

The success of these techniques in the world of cybercrime lies in various factors: the now widespread anti-spam filters for emails that, together with a greater and more widespread awareness of users, are strengthening the barrier capable of blocking phishing emails; the fact that, unlike emails, text messages see a very high open rate and most of them are opened within 15 minutes; in addition, telephone companies have not yet developed methods of filtering messages appropriate to the high level of risk. Finally, there is the great ease with which a cybercriminal can nowadays retrieve telephone contacts.

The only thing left for the scammer to do is invent a credible story that acts as a trap for the recipient of the message. It could be about a problem with a bank account, with a credit card or winning a prize. However, it could also be a request for help from a friend or a child, writing to say they have lost their mobile phone.
In short, anything that can convincingly lead the victim to click on a malicious link.

Vishing, then, is even more subtle because on the other end of the phone, there is a voice that seems very convincing and is calling from a known number that could be that of the bank, insurance company or other entities.

Even the news in recent years has reported stories of voices reproduced with artificial intelligence, which, pretending to be CEOs of companies, have asked their subordinates to transfer large sums of money.


Even in the case of these two types of crime there are some recommendations that are always valid:

  • For smishing, do not click on any suspicious links, do not fill in forms with your data, at least without having first called the bank, or the insurance company, or the company in question and having ascertained the reliability of the message.
  • For vishing many suggest voice biometrics, which can verify a caller’s identity based on a mathematical representation of a voice stored in a database.

What is certain is that, especially at the corporate level, it is no longer possible to ignore the need for up-to-date training that can keep up with the rapidly evolving developments in hacking.
Hackers appear inexhaustible in their invention of new ways to defraud companies, administrations, corporations and private citizens. The only thing that can stop them is to confront them with users who are prepared and able to respond to attacks with an equal amount of cunning.

Considering that it is always the human factor that allows hackers to get away with it, as in the latest case in the news, the preparation, awareness and correct digital posture of every user form the most effective barrier to curbing the increasingly alarming cyber risk.


Articoli correlati