Fraud attack methods never grow old. As long as victims continue to fall for a scam, criminals will continue to use it. SMS phishing is no exception as evidenced by a recent spate of attacks in Asia that has led to millions in monetary losses.
SMS phishing, also commonly referred to as smishing, is a form of social engineering attack that targets victims on their smartphones. A smishing attack uses text messages that appear to come from a legitimate organization. The messages often have links in them that drive unsuspecting victims to a phishing site where they are asked to divulge personal information, download malware onto their mobile device, or provide a one-time passcode that will allow a criminal to bypass multi-factor authentication (MFA).
Smishing has increased significantly across the globe and complaints about SMS spam increased over 140% last year. Smishing remains a big concern as users spend so much time on their mobile devices – an average of five hours per day in 2021. In addition, users are much more likely to open a text message. According to MobileMarketer.com, SMS recipients open 98% of their text messages while email recipients only open about 20% of their messages.
The ability to launch attacks has also gotten easier for criminals. There are SMS bots that can be used to intercept the one-time passcode (OTP) most banks use for step-up authentication. There are bots that can reach thousands of potential victims at a time with messages that appear to come from a victim’s bank or other trusted brand. Netflix, the most popular streaming service in the world, was recently exploited to serve as the face of a massive smishing campaign that attempted to divert users to a phishing site.
We recently hosted a LinkedIn Live event with Aurelie Saada, Risk Lead for APAC at Microsoft and Tim Dalgleish, VP of Global Advisory at BioCatch to discuss the impact of smishing and other social engineering scams and what financial institutions can do differently to mitigate their risk.
Beyond the Fraud Losses: A Case From Singapore
Fraud losses from a smishing attack are hardly something to scoff at. One recent reported attack cost a bank in Singapore S$13.7 million across 790 victims. That is an average of S$17,300 per victim (about $12,800 USD). “For every dollar you’re losing because of fraud, the company has to pay about four dollars,” notes Aurelie Saada, Risk Lead for APAC at Microsoft. “This doesn’t include reputational costs and the potential clients you will lose simply because they will link your name with the fraud which happened.”
Direct fraud losses can be quantified, but other costs are not so easy to put a price tag on. First, there are the operational costs, such as an increase in calls to the contact centre; this one attack reportedly caused calls to surge 40% in one week. Second, there are the reputational costs of negative headlines when such an attack is reported in the media, and the customer attrition that may follow. Finally, there are potential regulatory costs when such incidents catch the attention of regulators.
The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) released a set of guidelines in response to the recent string of smishing attacks targeting banking customers. Some of the security measures make sense, such as removing clickable links from emails and SMS messages sent to customers. Others, however, seem counterintuitive and go against the very premise of convenience offered by digital banking: for example, requiring a notification to the customer for every funds transfer that exceeds S$100. This will add unnecessary friction for customers who have come to rely on the ease of banking online. “Adding more friction is not going to solve your fraud problem,” notes Tim Dalgleish, VP, Global Advisory at BioCatch. It also stands to create noise and confusion for customers, who may start to ignore the notifications and overlook something that could potentially be fraudulent.
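The "no clickable links in customer SMS" measure above is only as good as the check that enforces it on outbound templates. The following is an added example, not code from BioCatch, MAS or ABS: a small Python linter that a bank could run over its own SMS templates before they are approved for sending. It flags anything a recipient could tap or retype as a link (full URLs, www. hosts, bare domains, and defanged forms such as `bit[.]ly` that a customer could still reconstruct), and also flags wording that asks the customer to enter or reply with an OTP or PIN, since training customers to expect such requests is what smishing exploits. The sample templates, the TLD list and the phrase list are constructed for this example and would need to be tuned to a real bank's message catalogue.

```python
import re

# Link-like tokens. The TLD list is a constructed, deliberately short allowlist
# for this example; a production check would use the public suffix list.
_DOT = r"(?:\.|\[\.\]|\(dot\))"
_SCHEME = re.compile(r"\bh(?:tt|xx)ps?://\S*[^\s.,;:!?)]", re.IGNORECASE)
_WWW = re.compile(r"\bwww\." + _DOT.replace(r"\.", "") + r"?\S*[^\s.,;:!?)]", re.IGNORECASE)
_BARE_DOMAIN = re.compile(
    r"\b(?:[a-z0-9-]+" + _DOT + r")+(?:com|net|org|sg|co|io|ly|me|info|biz)\b(?:/[^\s]*)?",
    re.IGNORECASE,
)

# Wording that solicits a credential in-band. Constructed phrase list.
_OTP_SOLICIT = re.compile(
    r"\b(?:enter|reply with|send|provide|confirm)\b[^.]{0,40}?"
    r"\b(?:otp|one[- ]time (?:pass(?:code|word)|pin)|pin|password)\b",
    re.IGNORECASE,
)

# Constructed sample templates: one phishing-style, one compliant, one with a
# defanged short link and a reply-with-PIN request.
CONSTRUCTED_SAMPLES = {
    "phish_like": (
        "YourBank: unusual login detected. Verify at "
        "https://yourbank-verify.example.com/login and enter your OTP."
    ),
    "compliant": (
        "YourBank: S$250.00 was transferred from your account ending 1234 on 12 Jan. "
        "If you did not authorise this, call the number on the back of your card."
    ),
    "defanged_link": (
        "Your parcel is held. Pay the fee at bit[.]ly/pay-now or reply with the PIN sent to you."
    ),
}


def find_links(text: str) -> list[str]:
    """Return every link-like substring, longest match first per position,
    so a bare-domain hit inside a full URL is not reported twice."""
    spans: list[tuple[int, int]] = []
    for pat in (_SCHEME, _WWW, _BARE_DOMAIN):
        for m in pat.finditer(text):
            if not any(s <= m.start() and m.end() <= e for s, e in spans):
                spans.append((m.start(), m.end()))
    spans.sort()
    return [text[s:e] for s, e in spans]


def check_outbound_sms(text: str) -> dict:
    """Lint one customer-facing SMS template. 'allowed' is False when the
    template carries any link-like token or asks for an OTP/PIN in-band."""
    links = find_links(text)
    solicit = [m.group(0) for m in _OTP_SOLICIT.finditer(text)]
    return {"links": links, "otp_solicitation": solicit,
            "allowed": not links and not solicit}


def review_all(samples: dict[str, str] = CONSTRUCTED_SAMPLES) -> dict[str, dict]:
    """Run the check over a template catalogue and return results by name."""
    return {name: check_outbound_sms(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in review_all().items():
        verdict = "OK " if result["allowed"] else "BLOCK"
        print(f"{verdict} {name}: links={result['links']} otp={result['otp_solicitation']}")
```

The check is intentionally strict: a template is rejected on any link-like token, because the goal of the control is that customers learn "our bank never sends links", and a single legitimate link in a template undermines that lesson. The same pattern set can be reused on the inbound side, for example to score messages customers forward to a bank's abuse mailbox.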
Augmenting Existing Fraud Controls
While device, IP, and network-based controls are still useful in deterring fraud, criminals have found ways to defeat them. “You can add more authentication controls, but scammers will always find a clever way to socially engineer past them,” said Dalgleish. Banks need to look beyond the device and at the user themselves – behavioural patterns such as how they type, move the mouse or navigate a web page. Many large financial institutions are already augmenting existing fraud controls with behavioural biometrics and seeing improved fraud detection results across a number of use cases including account takeover, account opening, social engineering scams, and mule account detection.