When we think of cybersecurity, we perhaps think of vulnerabilities in cutting-edge technologies, such as the internet of things, artificial intelligence, or mobile technologies. Cybercriminals are not snobbish, however, and just as they are only too happy to utilize distinctly low-tech methods, such as social engineering, to attack their target, there has also been a growing wave of SMS-based attacks in the past year.
The tremendous growth in e-commerce during the pandemic has helped to drive the trend, with text messages purporting to be from delivery companies instructing victims that they have missed a delivery and need to pay a fee to release their package. Similar scams have purported to be from the government reporting tax violations or even Covid-related concerns around testing, vaccination, and isolation requirements.
The SMS scams are taking advantage of many of the same conditions through which more traditional cyberattacks have been conducted, with criminals exploiting the stress and uncertainty caused by the pandemic.
The anatomy of SMS scams
A central aspect of any text message scam is timing. They all seek to take advantage of time pressures introduced by an expected delivery or an urgent deadline that people “have” to meet. While Covid has provided a fertile environment year-round, such scams tend to mushroom around particular periods of the year, such as the busy Christmas shopping period or the end of the financial year when tax returns are filed.
The pandemic has created opportunities throughout the year, with e-commerce mushrooming and people using mobile platforms for things like track-and-trace applications and notifications around things like vaccination records and vaccine passports, as well as the application of government financial support packages to those made temporarily unemployed due to the restrictions.
A second fundamental facet of such scams is the sheer scale with which they can be conducted.
The marginal cost of sending a text message is extremely low, which allows cybercriminals to send thousands of messages extremely cheaply.
While it may seem scarcely worth the while undertaking such an attack given the relatively tiny sums requested of victims, but the key is not so much the money that is extracted but the credit card details that are attached to the attack. These allow the cybercriminals to engage in a much more substantial attack that can cause a significant financial loss to the victim.
Another common approach is to use the text message as a form of phishing attack, with the victim encouraged to click on a link to visit a website purporting to be from a respected source, such as the individual’s bank or the government. This then infects their device with malware and allows the criminal to begin extracting valuable data from it.
An effective approach
That the number of these scams is on the rise highlights their effectiveness, and despite a spate of recent arrests, criminals have not yet been put off from deploying SMS-based attacks. As such, it’s important that authorities work to ensure that the public is made aware of these scams and how they can protect themselves from them.
The scams work on much the same principle as phishing attacks via email.
And, despite often being quite crude, the volume of messages sent out means that even a small success rate can be sufficiently lucrative. The messages typically play on a psychological vulnerability, such as fear of breaking the law or missing out on something important. Delivery scams also play on our fear of loss by claiming that a failure to pay immediately will result in the loss of our goods, with short deadlines imposed to pile on the pressure.
Tax-related scams can also play on such fears, but they can also play on our sense of greed by claiming that we have a tax refund or some other financial windfall awaiting us if we click the link or follow the instructions in the message. Such attacks are far more likely to succeed if the victim has already received similar authentic messages in the past, although it’s highly unlikely that the attackers will be aware of this when sending out their messages.
Indeed, while there are certain groups that are more often susceptible to such attacks, the shotgun nature of most SMS scams means that they are unlikely to be targeted specifically.
The success of text message-based attacks rests in part due to our lack of familiarity with them.
While most of us are aware of the existence of email-based phishing attacks, with pretty robust spam filters designed to prevent them from reaching our inboxes, we are slightly more vulnerable to SMS-based attacks, not least due to the fact that we’re often accessing our mobiles on the go so may not be paying as much attention as we should be.
While spam filters for SMS messages are certainly getting better, it is nonetheless well worth people taking more care with the way they respond to the messages they receive. If we properly scrutinize each message then it’s usually quite straightforward to spot scam messages, and we should always report them to our provider so that the spam filters become more effective in the future. Even something as simple as pausing for thought can be sufficient, and with the volume of scam attacks on the rise, it may be time well spent.