The day after we found out about this scam, Spain’s national police force arrested 17 people that had been running a smishing fraud scheme and had stolen 145,000 euros from 170 victims.
Smishing has become an increasingly popular attack method among cybercriminals – and they’re getting better at using it.
Today, it’s not just customers of big financial institutions that are being targeted, and messages with spelling mistakes or in the wrong language that allowed users to notice something was off are getting harder to spot. Nowadays, we’re seeing nearly-perfect language and fake websites used by scammers that are almost impossible to say whether we are looking at a fake message or a real one at first glance.
An example of one of our team’s latest catches is a small regional bank in Spain called Laboral Kutxa. The day after we found out about this case, Spain’s national police force arrested 17 people that had been running a smishing fraud scheme and had stolen 145,000 euros from 170 victims. There’s a press release (in Spanish) available with further details about the case.
A step-by-step look at the smishing scam
In this smishing scam, an initial message to the bank’s customers arrives via SMS using perfect Spanish:
It translates to “Purchase accepted for the amount of 500 euros. If it wasn’t you, follow the steps in this link to cancel it”.
The link starts with ‘https’, which may lead users to believe that it is real. Years ago, one of the things that many people examined when doing online transactions was whether or not they had a secure connection – at that time, it was widely believed that the ‘s’ in ‘https’ means ‘secure’. Now, the majority of web connections are “secure” in the sense that the traffic from our browsers is encrypted, but this doesn’t mean that we’re safe.
When clicking on the link shown in the SMS above, the victim is taken to the bank’s login page, which mimics (almost perfectly) the real one.
Below, the top screenshot is a look at the phishing website, while the one on the bottom is the bank’s genuine website.
As I mentioned before, cybercriminals are getting better at these kinds of malicious techniques, and it’s clear to see their skills when comparing these two screenshots. Given its level of sophistication, most customers won’t realize that they’re on a phishing site.
The unlucky folks who fall for the scam will be asked for their mobile phone number:
Afterwards, they’re asked to input an SMS code that they’ll receive:
Of course, anyone who gets to this point in the smishing scam can be certain that their account is compromised.
With the arrival of easy-to-use AI tools, the sophistication of these types of smishing attacks will only get better. For that reason, it’s crucial that we take the steps necessary to prepare ourselves and know what to look for.
Here are a couple rules of thumb to keep in mind: