Social networking sites and search engines are expected to face increased cybercriminal activity this holiday season. However, the FBI is also warning consumers about two other significant threats: “smishing” and “vishing” scams.
Both smishing and vishing are forms of phishing. Smishing involves using SMS texts to initiate scams, while vishing uses automated phone calls. These scams have been reported since at least 2006. The FBI's Internet Crime Complaint Center (IC3) recently issued an advisory warning that these scams will be prevalent during the holiday season.
In these attacks, users receive a text message or automated phone call stating there is a problem with their bank account. They are then given a phone number to call or a website to log onto to provide account credentials to resolve the issue.
“While most cyberscams target your computer, smishing and vishing scams target your mobile phone, and they're becoming a growing threat as more Americans own mobile phones,” the advisory stated. “These scams are also a reminder that cyberscams aren't just for computers anymore.”
Peter Cassidy, secretary general of the Anti-Phishing Working Group, a global coalition focused on eliminating identity theft and fraud resulting from phishing, told SCMagazineUS.com that phone and SMS-based phishing attacks have increased over the past few years. These attacks often target customers of local banks and credit unions.
Scammers increase these attacks during the holidays because people are traveling and shopping more frequently. They don’t want their ability to pay for things to be interrupted, Cassidy explained.
Cybercriminals typically use automated systems to text or call people in specific regions or area codes, according to the FBI. They sometimes use customer phone numbers stolen from banks or credit unions.
“Instead of the text being from an 800 number, it begins with your area code,” Cassidy said. Using the name of an individual's bank or credit union creates another familiar reference, he added.
“They are trying to get the distracted person,” he said. “Every bit of familiarity helps. They are always going to find ways to make you feel like you have a relationship with them.”
Using personal information obtained from these schemes, cybercriminals can steal money from victims' bank accounts, make purchases, or create fraudulent cards, the FBI reported.
Recently, attackers used a smishing scam to steal money from customers of an unnamed credit union. Victims received a text about an account problem, called the provided number, and gave out their personal information. Within ten minutes, money was withdrawn from their bank accounts. The same technique was also recently used against banking customers who were told via text to reactivate their ATM cards.
Attackers are increasingly using phone and SMS-based phishing scams to steal money from businesses by targeting accountants, CFOs, and other individuals within companies who have access to corporate accounts, Cassidy warned.
“They are smart criminals," he said. "They want to go after someone with more money they can access. If they phish the comptroller of a large company, they have access to a much larger pool of deposits.”
Information security professionals should warn users, especially those with access to corporate accounts, to be alert about these threats and to notify the security office if they believe they have been targeted, Cassidy advised.
The IC3 advises users not to respond to text messages or automated voice messages from unknown or blocked numbers.
