Back from holidays: beware of SMS scams that have been swarming for months
August 2023 by Proofpoint, Inc.
As in every key period of the calendar, the summer holidays are an opportunity for cybercriminals to deploy all their ingenuity to take advantage of the gullibility of vacationers.
This summer has demonstrated this once again, with many cases of SMS scams reported in the media, whether for fake airline tickets or fake unpaid fines.
The threat is indeed growing.
Researchers at Proofpoint have uncovered a 196% increase in conversational abuse (mobile phishing scams) in the first half of 2023 compared to 2022.
These scams are far more sophisticated than ever before, involving a series of back-and-forth interactions to first gain the victim’s trust before potentially costing them thousands of dollars. They are especially evident now with well-crafted and timely travel-themed lures.
In the UK, for instance, Proofpoint saw a 30% increase in travel-related smishing attempts from the first quarter of 2023 to the second quarter, showing a rise as the UK headed into its summer travel season.
[Figure: Examples of travel smishing in the UK, portraying big travel companies like Expedia and Ryanair]
Cloudmark director at Proofpoint, Stuart Jones, warns that “Consumers should be skeptical of mobile messages that come from unknown sources. And it’s important to never click on links in text messages, no matter how realistic they look. If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address/URL. For offer codes, type them directly into the site as well. It’s also vital that you don’t respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers.”
See below for some top tips on what to do if you think you’ve fallen victim to, or are at risk of, social engineering attacks, whether via email, SMS or phone call:
• It’s important to remember that it isn’t difficult for scammers to obtain your number fraudulently. If you do get a request from your bank or another organization via text message, phone call or email, do not interact with it; instead, call your bank directly on its legitimate number. Never provide any personal details over the phone, by text message or email to an unsolicited caller.
• Whenever you receive a text message that contains a web link, such as a warning from your bank or a package delivery notification, do not use the link provided in the message. Instead, use your device’s browser to access the sender’s website directly, or use the brand’s app if you already have it installed on your device. Do the same for any offer codes you receive: enter them directly into the sender’s website from your browser.
• Report SMS phishing (smishing) and spam to the Spam Reporting Service [Arcep at 33700]. Use the spam reporting feature in your messaging client if it has one.