Smartphone users beware: "smishing" attacks are on the rise.
Police in Pima County, Ariz., have issued a warning about smishing, or text-based phishing attacks, targeting mobile users.
The warning comes after a Tucson-area resident filed a complaint about a phishy text message that appeared to be from the recipient's financial institution. The text, which asked the accountholder to call a specified number to resolve a possible compromise of his bank account, included the last four digits of the user's debit card, making the text appear legitimate.
"If the victim had called the number provided, he would have been asked to verify his debit card number and the security code on the back of the debit card," the department said in its warning. "With this information, the debit card could have been reproduced, and the victim's bank account would have been cleaned out."
Smishing attacks are low-tech schemes, but they nevertheless prove frustrating for financial institutions. Jason Rouse, a mobile security expert and consultant with Cigital Inc., says smishing, like most socially engineered schemes, preys on victims' trust. "So, the bank should issue very clear guidelines about the way it will communicate with customers," he says. "They must tell customers they will never ask for a password or information over a cell."
Smishing on the Rise
In the Tucson case, the would-be victim was quick to contact his financial institution before responding to the text. But not all consumers are quite so savvy, especially in the mobile environment.
"People are used to phishing by e-mail," says mobile expert Dr. Markus Jakobsson. "Smishing has still not sunk in."
The mobile phone is a social device, and consumers' communications and behavior over mobile devices mirror casual phone communications. "Their trust in their friends rubs off on everything that has to do with the [mobile] phone," Jakobsson says [See Mobile Banking: The New Risks]. That casual mobile behavior is likely to perpetuate more mobile fraud, and encourage fraudsters to exploit even the most low-tech mobile schemes, such as smishing.
The good news for financial institutions is that smishing attacks have not hit a tipping point. But it's only a matter of time. "We will see it peak in the next couple of years," Rouse says. "From an organized crime perspective, smishing is simple, and I think you will see more organized crime lean toward it."
http://www.bankinfosecurity.com/articles.php?art_id=4124