ST. LOUIS — The number of scam text messages being sent is on the rise nationwide: approximately 11.6 billion scam texts were sent over U.S. wireless networks this past March, a 30% increase from February.
That’s according to data from anti-spam firm Teltech. In March, Robokiller estimated the average U.S. mobile customer received 42 scam texts.
Scam text messaging of this kind is known as smishing, which “is a form of phishing that uses mobile phones as the attack platform to gather personal details, like SSN or a credit card number,” according to Scott Schaffer, chief information security officer at Blade Technologies, Inc.
A smishing text could appear to come from a four- or five-digit number or an email address, and it could contain a malicious link.
Schaffer said that when a recipient clicks on the link, a scammer could load malware onto the phone to harvest credentials or track everything the person types, or the link could lead to a malicious website that may appear normal and prompt the person to type in personal information.
Cybercriminals are only after money, according to Schaffer, who said smishing happens more often than one would think, and a big part of this is social engineering.
“The most vulnerable thing is and always will be the human,” he said. “Social engineering, you can look at it as being ‘hacking the human.’ And all it is is just being a con man.”
Cybercriminals try to gain someone’s trust and trick people into making a mistake, according to Schaffer. They may do this by sending a text that provokes an emotional response to make that person more apt to reply.
Specifically, a cybercriminal may send a text to someone claiming to be from their bank and have a link that claims to be about emergency overdraft protection.
“People are going to see that and they’re going to freak, and they’re going to click on it, which is exactly what the bad guys want you to do,” Schaffer said.
If someone receives a suspicious text claiming to be from their bank or credit card company, the solution, he said, is to call their bank or credit card company directly to confirm.
Cybercriminals also may try to capitalize during specific times of the year, including holidays and around major news or political events to entice someone.
“By heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action,” Schaffer said.
Cybercriminals also could use a situation that could apply to targets to build an effective guise. The message may feel personalized, which could override suspicion that it may be spam, according to Schaffer.
No matter what, people should never respond to smishing texts, according to Schaffer, even if the text says how to unsubscribe. By responding, a person verifies their phone number to the cybercriminal, who can then trade it on the dark web to other cybercriminals for money.
“If you try to unsubscribe, they’re just going to mark you as ‘Hey, this is a human being’ and they’ll come back. Don’t worry, they’ll come back to you,” Schaffer said.
To help ensure safety from cybercriminals, he suggests people use multi-factor authentication for online accounts. If someone were to accidentally give away a password, multi-factor authentication provides an extra layer of security, such as a fingerprint, among other tactics, that a cybercriminal would not have.
If a website offers multi-factor authentication, Schaffer encourages people to use it.
So far this year, he has been involved in half a dozen ransomware breaches, and he said each one could have been avoided by having multi-factor authentication in place.
Banks and credit unions currently do not offer multi-factor authentication; however, those companies are pushing for it. Right now, the only forms of security for banking users are a password and knowledge-based questions. Schaffer said hackers can figure out answers to those questions because of social media clues.
Another way to keep cybercriminals from gaining access to someone’s financial information is not to save a credit card on a web browser. Schaffer said there could be a flaw in the system that cybercriminals can figure out.
“We get these a lot, these are called ‘zero days,’ where a flaw is found out by the bad guys, and then what they do is they get all of their ducks in a row and then they attack,” he said.
“They call it a ‘zero day’ because we have zero days to fix it. So then we’re pretty much scrambling and trying to get patches in place and that sort of thing.”
Storing credit card information in apps such as Apple Wallet or Google Pay is considered safe because they are custom built to protect your information, unlike web browsers that try to be “all things to everyone,” Schaffer said.