SMiShing attacks often leverage a trusted brand to route the victim to a phishing site. An alternative variant of SMiShing is where the spam message contains only a call back number. The message maybe as simple as “Please urgently call back xxxx xxxx xxxx to update your account details” and there is no mention of a brands name. This type of SMiShing can easily reach a broad audience. The number may direct to a human voice – where our friendly criminal will answer the call, or it may often lead to an automated system where the victim is prompted to enter in credentials.
This type of SMiShing, where a brand is not leveraged, is harder for the business to monitor and detect as their brand is not mentioned in the message or attack. However, the bank may still end up with their access credentials / credit card details compromised.
SMiShing is prevalent is some geographies especially where a new mobile phone number can be readily obtained, often with a lack of verification, or where mobile pay-as-go accounts are common.
The use of fake IDs, credit card details can also be used by the criminal to obtain a mobile number. The portability of mobile numbers to alternative carriers may also assist the criminal in their efforts. In some countries, the telecommunication regulator mandates the ease of obtaining mobile accounts and the portability of those accounts which further assists the criminal in launching their attacks.
The source of SMiShing originates from the telco network but the outcome deeply effects the other industries such as banking and financials. Because the victim organization is a non-telco business often the motivation to help prevent this kind of SMiShing maybe a little disparate. Often the real solution may take a coordination between telco/bank industry with the involvement of the respective regulators.
