A U.S.-based cybersecurity company says Canadians are being hit with a ‘tsunami’ of mobile phone scam attacks aimed at getting financial data.
The attacks are called ‘smishing’ — attacks using fake mobile text messages to trick people into sharing sensitive information, downloading malware or sending money to cybercriminals.
The term derives from a combination of “SMS” — or “short message service,” the technology behind text messages — and “phishing.” Phishing uses email links for similar scams. There is also ‘vishing,’ which uses voice calls and voicemails to obtain sensitive information.
California-based Proofpoint’s research results come in the wake of an announcement from United Parcel Service (UPS) that said smishers were targeting Canadian customers and shippers.
Proofpoint said the UPS attacks were just the tip of the iceberg of the Canadian smishing landscape.
The company said it has seen a 500% rise in such attacks in Canada between the first and second quarter of 2023. However, the actual number could be higher as that number only covers reported incidents.
Stuart Jones, Proofpoint’s Cloudmark Division director, told Glacier Media that people have become used to the scams via email and recognize them.
That level of experience and education hasn’t quite happened with mobile phones and the messages that arrive on them.
“We read them quickly and we respond to them quickly,” Jones said. “There’s a high degree of trust in the mobile channel.”
And that’s what cybercrooks bank on, he said.
“Threat actors recognize that trust and they want to leverage that trust to get your information.”
The information needed to leverage that trust comes from mining other data sources or can be bought on the black market via the dark web, according to Arturo Torres with tech security firm Fortinet.
“Even cell phone numbers,” Torres said, noting some information could come from data stolen during ransomware attacks, which have become more common in recent years.
As such, people need to be educated about how others might misuse their cellphone.
“Every one of us has a cellphone,” Torres said. “That’s one of the major risks in the digital era.”
And, he agreed, there are multiple ways bad actors can come at technology users: email, cellphones and messaging systems.
Attacks look reputable
A Proofpoint blog said smishing attacks often pretend to be from reputable companies or organizations, such as banks, delivery services or government agencies.
They may use scare tactics, such as claiming that your account has been compromised or that you owe money. They may also offer fake rewards, such as gift cards or prizes.
Jones said combatting that threat is a cooperative venture between the phone providers with their security software, security companies, telecommunications firms and the phone users themselves.
The bad guys, he added, frequently impersonate companies to get people’s information.
Some of the UPS attacks may be familiar:
- “UPS, to NURSE NEXT DOOR: Your package is currently being shipped from VISTA to L6H3P1 with a delivery fee of $2.89. Please make sure to pay your invoice before March 15, 2023 to avoid any delays. Visit: [REDACTED link]”;
- “UPS: [NAME], you have an unpaid fee of $3.96 for your previous CROCS parcel delivered at J9P5Z5. See the link below to paid it today: [REDACTED link]”; or,
- “UPS for [NAME]. Delivery fee of $2.89 for Apple Inc. shipment to J0J1Z0. To complete your delivery, pay online before February 27, 2023. Visit: [REDACTED link]”
Proofpoint said iPhone iOS 16 updates rolled out simplified smishing reporting for Canadian users. That, Proofpoint said, could provide further data on the extent of the attacks.
“To report smishing on an iOS device where simplified reporting is enabled, all you have to do is press the ‘Report Junk’ button. A similar feature is available on many Android devices,” Proofpoint said. “If you don’t see that option on your phone, you can also forward the message to 7726, which spells ‘SPAM’ on most keypads.”
The federal government provides tips on avoiding such attacks on a cybersafe website.
Revenue Canada also offers warnings about scams where the agency is misrepresented in text messages.