We are constantly engaged with our mobile phones, reading news, listening to music, checking out social media, and answering emails. SMS has also become a way for brands to communicate with their customers. But the downside is that this trusted means of communication has become an “attack vector”.
SMiShing, short for SMS phishing, is an attack in which the user is tricked into downloading a trojan, virus or malware onto their mobile phone. It is predominantly aimed at Android users as they comprise 85% of the global phone market, but iOS users are not immune.
Deloitte reports there are approximately 15 million mobile phones in use in Australia, with mobile penetration at 79%, the second highest per capita in the world, according to messaging solutions provider SmartHub. Australians are increasingly at risk of SMiShers who are looking to obtain users' private details for personal and financial gain.
Simon Banks, head of Merchant Services, PayPal Australia, has provided some tips for avoiding SMiShing.
PayPal advises exercising extreme vigilance when assessing suspicious text messages, specifically:
- Sender’s name – To give you a false sense of security, the SMS "From" field may include a name or company which looks like it is from a trusted source. However, just because a text says it is from a company, doesn’t mean that it is to be trusted. Look out for incorrect capitalisation or punctuation that might give it away.
- False sense of emergency – Most phishing emails threaten that your account will be in jeopardy if you do not act immediately. An SMS that urgently requests sensitive personal information is usually fraudulent.
- Generic greeting – A typical SMiSher will use a generic greeting for everyone, such as "Dear User" or "Dear Customer". Lack of personalisation is a sure sign of a fake SMS.
- Dodgy links – Many SMiShing attempts have links embedded which look valid, but send you to a fake site.
Banks says, “Just like with email, you need to stay on watch for signs that an SMS might not be legit. Some things are obvious like the promise of large cash prizes for competitions claiming to be from well-known organisations. Also, look for things like incorrect capitalisation, poor punctuation, a lack of personalisation or a high sense of urgency such as "login now to avoid late fees" or "your account is about to be closed".”
PayPal’s name has been used in SMiShing. The company will never ask you to disclose your personal or financial details via SMS, nor would other reputable companies.
What do you do if you are SMiShed?
PayPal advises customers to delete the message and not to open any links. If you receive an SMS that you think might be a SMiShing attack, contact the company the SMS purports to come from and check.
If the SMS is claiming to come from PayPal, but you’re not sure, you can take a screenshot of the SMS and email it to phishing@paypal.com.au and include the phone number the text came from. The PayPal team will conduct investigations into the source of the SMS.
Banks says, “At PayPal, the safety and security of our customers’ accounts, data and money is at the centre of our strategy. Our philosophy is, and has always been, to make sure consumer protection is at the core of all our products.”
Header image courtesy KrebsonSecurity