Fraudsters never stand still. They can't afford to; after all, financial service customers have become conditioned to be wary of potential phishing emails following years of being inundated with spam and phishing attacks. That makes it harder for crooks to successfully lure victims with a craftily designed email and website, so now they're experimenting with newer tactics like
"We're noticing attackers moving to other channels where people are less suspecting, such as through smishing [text message phishing], vishing [voice message phishing] and social networks," explained Frank Nagle, senior consultant at Alexandria, Va.-based security firm Mandiant Corp. "People tend to still be trusting in these mediums."
Rod Rasmussen, president and chief technology officer at Tacoma, Wash.-based Internet security vendor Internet Identity (IID), has also seen an increase in smishing and vishing scams. "We are seeing more attackers calling and claiming to be bank employees, or they are hijacking phone systems and using them to send outbound messages that ask victims to key in their banking information," he said.
With the growth in popularity of mobile banking -- customers are increasingly using mobile applications and text messaging services to check balances and receive account alerts -- it's no surprise attackers are increasingly targeting smartphones. In text-to-phone attacks, criminals send messages specially crafted to lure users into calling a phone number linked to an interactive voice response system under the attackers' control. The goal is the same as in traditional phishing attacks: trick users into providing account information, credentials and other sensitive information.
The trend in smishing attacks has been a bit of a roller coaster ride in recent months, according to a recent report from IID. The company found 118 unique smishing attacks in the first quarter of 2010, down from 310 such attacks in the fourth quarter of 2009. Fortunately, unlike many other kinds of technology-based attacks, technology is stacked against the bad guys when it comes to mass-smishing. "The wireless providers have the ability to see these attacks start at their onset and shut them down," Rasmussen said.
While the vectors of attack that phishers use may change, their psychological tactics do not. "Whether it is the classic 419 scam, or other types of phishing attacks, the bad guys motivate users through fear or greed. They'll scare users with the fear of not being able to access their account or bait them with a chance to earn easy money," Mandiant's Nagle said. "Users are accustomed to reacting quickly to texts and phone calls, so it could be a successful tactic for the bad guys trying to tap into fear while people are on the go."
With the improvement of technological defenses within financial services firms and even among end-user systems, such as personal firewalls and more frequent patching, criminals are trying more creative tactics and even more targeted attacks, experts warn.
"They are getting more industrious and better at what they do. They're willing to take more time and research their victims more thoroughly, so that when they try to scam them they have information that perhaps only their bank or friends would know. They use that information to enhance trust, and increase the chances of getting their victim to do what they want," Nagle said.
What can financial services firms do to protect themselves and their customers from vishing and smishing scams? Most experts agree the focus should be on education. "When customers sign up for text message alerts, for instance, the financial institution should make it clear to them that it would never ask them to enter any financial information. Financial services firms need to be very upfront and consistent with educating users about these kinds of risks," Rasmussen said.
Lindstrom agrees: "It's important to train users, when they suspect anything suspicious, to change the channel of communication -- such as calling the bank directly, or visiting a local branch to answer any questions that seemed unusual or out of place."
About the author:
George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota.