By Trevor Clawson.
There are few more immediate ways for a business to communicate with one of its customers than by SMS message. An email may not get read for an hour or two, even when it is sitting snugly in a smartphone inbox, but a text announces its presence with a buzz or a beep the moment it arrives, often prompting an instant response on the part of the recipient. So, when a bank wants to tell you that you’ve breached your overdraft limit, or a logistics company thinks you should know that a package is about to be delivered, then the humble text message provides an ideal means to get the information to you in a timely fashion.
But not every text that wings its way to a smartphone is quite what it seems. Over the years, email users have become wearily accustomed to receiving so-called phishing messages from fraudsters. Typically, these will masquerade as emails from legitimate contacts and their purpose is to harvest information, such as credit card numbers or login details. By now, most of us are aware of the threat and we are on the lookout for suspicious emails. But as mail users have grown savvier, fraudsters have applied the tricks of the phishing trade to SMS messaging. The problem is sufficiently acute to have prompted the UK’s four big mobile operators to launch an anti-phishing initiative, aimed specifically at protecting their customers from bank account fraud.
The Quirks of Mobile Messaging
It is one of the quirks of mobile messaging that a fake text – supposedly from a bank – can sit in the same thread as legitimate messages from the genuine party. Thus, from the recipient’s point of view, the phishing message appears to be entirely above board.
And failure to detect a fraudulent SMS can have distressing and expensive consequences. As is the case with phishing messages sent by email, the SMS will generally contain a link, which the customer is invited to click. This action could trigger the download of malware – typically to harvest logins – or direct the user to a site where he or she is invited (or instructed) to share bank account details. As Frederik Mennes, Senior Manager, Security and Market Strategy at security solutions company OneSpan, points out, fraudsters may be able to syphon thousands of pounds from the victim’s bank account.
“UK banking customers lost £500m to fraud in the first half of 2018, and £145m of that was through authorised push payment fraud, which text scams play a major part of,” he says.
To prevent such frauds from taking place, the mobile operators – in collaboration with the banking trade body UK Finance and the Mobile Ecosystem Forum (MEF) – have devised a system called SMS PhishGuard. Essentially this is a registry, which allows banks and other bodies to log the digital identities (sender IDs) that they use when texting their customers. Once the details of a bank are registered, fake messages from malign third parties using those identities can be spotted and blocked.
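To make the registry idea concrete, here is an added illustration of how a sender-ID registry check could be applied at message submission time. This is not the operators' or MEF's code, and the registry contents, route names and homoglyph table are all constructed for the example; it assumes that a registered brand lists the originating connections ("routes") allowed to use its sender ID, and that unregistered IDs are also compared against registered ones after folding common lookalike characters.

```python
"""Sender-ID registry filter modelled on the SMS PhishGuard idea (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed registry: canonical sender IDs that brands have registered,
# mapped to the originating connections (aggregators) allowed to use them.
REGISTRY: Dict[str, Set[str]] = {
    "examplebank": {"agg-alpha", "agg-beta"},
    "parcelco": {"agg-gamma"},
}

# Constructed table of characters commonly swapped to build a lookalike sender ID.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b"})


@dataclass(frozen=True)
class Submission:
    sender_id: str  # alphanumeric originator shown on the handset
    route: str      # which aggregator/connection submitted the message
    body: str


def canonical(sender_id: str) -> str:
    """Normalise case and whitespace so 'ExampleBank ' and 'EXAMPLEBANK' match."""
    return re.sub(r"\s+", "", sender_id).lower()


def folded(sender_id: str) -> str:
    """Canonical form with homoglyphs folded, used for lookalike detection."""
    return canonical(sender_id).translate(HOMOGLYPHS)


def classify(msg: Submission, registry: Dict[str, Set[str]] = REGISTRY) -> Tuple[str, str]:
    """Return ("deliver" | "block", reason) for one submitted message."""
    sid = canonical(msg.sender_id)
    if sid in registry:
        if msg.route in registry[sid]:
            return "deliver", "registered sender ID on an authorised route"
        return "block", f"sender ID {msg.sender_id!r} submitted from unregistered route {msg.route!r}"
    # Not registered itself: does it impersonate a registered brand via lookalike characters?
    for brand in registry:
        if folded(sid) == folded(brand):
            return "block", f"sender ID {msg.sender_id!r} is a lookalike of registered {brand!r}"
    # Brands that never registered get no protection from the registry at all;
    # this is the gap that user awareness still has to cover.
    return "deliver", "sender ID not registered; no registry protection applies"


if __name__ == "__main__":
    samples = [  # constructed submissions
        Submission("ExampleBank", "agg-alpha", "Your statement is ready."),
        Submission("EXAMPLEBANK", "agg-rogue", "Unusual login, verify now."),
        Submission("Examp1eBank", "agg-rogue", "Account locked, call us."),
        Submission("SomeShop", "agg-alpha", "Your order has shipped."),
    ]
    for s in samples:
        verdict, why = classify(s)
        print(f"{verdict:7} {s.sender_id!r:16} via {s.route}: {why}")
```

Note that the second case is the important one: the sender ID is genuine, but the route is not one the bank registered, so the message is blocked even though it would have landed in the same thread as the bank's real texts.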
Commenting on the move, Hamish MacLeod, Director of the mobile communications industry trade body, Mobile UK, said:
“SMS PhishGuard ups the ante in the fight against fraud. Through this new initiative the four mobile network operators, together with MEF and the banking sector, will have in place the tools to significantly reduce the ability for fraudsters to send messages impersonating a brand and block any messages that are fraudulent. This will ensure SMS remains a trusted communication channel for brands and consumers alike.”
The Mobile Danger
Phishing via SMS messaging arguably represents a greater threat to users than the email equivalent, not least because we all tend to be a little less security conscious when checking incoming messages on our smartphones.
“The majority of people now use mobile phones in every aspect of their daily lives, which opens a gateway for cybercriminals as security often isn’t at the forefront of people’s minds when using these devices,” says Raj Samani, Chief Scientist and Fellow at digital security giant McAfee. “Because text messages are checked regularly as part of our daily habits, people often forget to double check if the sender or links are legitimate before clicking.”
But even if the recipient is security minded, it’s not necessarily easy to authenticate a message arriving on a mobile device. For instance, let’s say a suspicious email drops into a consumer’s inbox. If he or she is sitting at a laptop, there are a couple of quick checks that can be carried out. First of all, even if the sender’s name is Barclays Customer Service Team or Lloyds Bank Offers, the recipient can easily check the underlying email address. If that turns out to be ‘user1411’ at a Hotmail or Google domain, the message is clearly not genuine. Equally, if the link says ‘click here to resolve your problem,’ the customer can check the underlying web address by holding the cursor over the relevant section of text. As mobile security firm Lookout.com pointed out in a 2018 report on phishing, these simple checks are not available on SMS messages: a text carries only a sender ID and a bare link, with no underlying address or hidden target to compare against.
And according to Lookout, fraudsters find it easier to carry out successful scams when their targets are using mobile devices. Crunching the numbers from its own base of users, the company found that 56% had tapped on links placed in mobile phishing messages. And the problem appears to be increasing, with the number of people tapping on dubious links rising by 85% every year.
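The two desktop checks described above (display name versus real address, link text versus real target) can be automated over an email, which is exactly what cannot be done for an SMS. The following is an added example, not part of the article or of any vendor's product; the two messages, the webmail domain list and the `.example` hostnames are constructed for illustration.

```python
"""Automated versions of the quick checks a desktop mail client allows (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed list of consumer webmail domains a bank would not send from.
FREEMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs; an empty list means both checks passed."""
    findings = []
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Check 1: a branded display name in front of a consumer webmail address.
    if domain in FREEMAIL:
        findings.append(("freemail_sender", f"{display!r} sends from {domain}"))
    # Check 2: what the link says versus where it actually points.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            target = (urlparse(href).hostname or "").lower()
            if "://" in text or text.lower().startswith("www."):
                shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
                if shown != target:
                    findings.append(("mismatched_link", f"text shows {shown}, target is {target}"))
            elif text.lower().startswith("click here"):
                findings.append(("hidden_link", f"{text!r} conceals target {target}"))
    return findings


# Constructed suspicious message, mirroring the article's example.
RAW_SUSPICIOUS = """From: Barclays Customer Service Team <user1411@hotmail.com>
To: customer@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body><p>Your account is locked.
<a href="http://secure-login.example/verify">click here to resolve your problem</a>
</p></body></html>
"""

# Constructed legitimate-looking message: real domain, link text matches target.
RAW_OK = """From: Example Bank Alerts <alerts@examplebank.example>
To: customer@example.org
Subject: Your statement
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is at
<a href="https://examplebank.example/statements">https://examplebank.example/statements</a>
</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", RAW_SUSPICIOUS), ("ok", RAW_OK)):
        print(label, check_email(raw) or "no findings")
```

For an SMS the equivalent function would have nothing to work with: there is no underlying address behind the sender ID and no anchor text behind the link, which is the asymmetry the Lookout report highlights.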
Not A Complete Defence
As Mennes stresses, authentication systems such as SMS PhishGuard do not offer complete protection against a cyber-attack.
“Even when combined with static passwords and PINs, SMS has well-known security weaknesses,” he says.
So, it is important for users to be aware of the threat. To that end, the four mobile operators involved in SMS PhishGuard are also promoting the Government’s Take Five to Stop Fraud campaign. The campaign offers three crucial pieces of advice. Never respond to an SMS request to move money from one account to another. Never give up personal or financial information. And don’t automatically click on links, even when a message appears, at first glance, to be legitimate.
A huge amount has been said and written about computer security, but ironically it is the phone we carry around 24/7 that may be exposing us to the greatest risk.