‘Tis the season…
Seemingly every year about this time, phishing campaigns are directed at consumers. The phishing emails take various forms. There have been emails from “shipping carriers” sent to several individuals stating their packages, all with the same tracking number, are out for delivery. “Vendors” regularly forward emails about new products you need to purchase as the perfect gifts for your friends and family. These may also be time-oriented, stating the Cyber Monday sale is being extended for a very limited amount of time, so you need to click on the link for the retailer to get the special discount code. These emails are an attractive nuisance, yet are still effective to a point.
This year, I did receive an interesting contact. This was in the form of smishing via text message. The form was “Notice-[phone number] from [Bank]. Code: Visa-Debit Locked. Call us now at 202-852-xxxx. Thank you.” This was notable as it utilized a few of the motivators a phishing attack normally would. During the holiday season, people need access to their funds for normal everyday purchases and, more to the point, for holiday shopping for family and friends. If the consumer believes it, this message indicates they are cut off from funds they need. It also raises the thought that someone may have compromised their account; otherwise, why would the bank cease activity on the account until the consumer contacts them?
This is also a teachable moment. Banks do have this option available for their customers. Customers also have the option to receive other text messages with the account balance, checks clearing, or other activity on the account. The form of the text was relatively close to what consumers would normally encounter. In this case, the phone number was highlighted. If the consumer were to take the easy route and press the option for the phone to call, there could have been a significant issue. The consumer should, as with emails, not presume the link is valid. In this instance the number was called, and the phone number allegedly belonging to my bank was not in service and had been disconnected. Consumers may learn from this instance to make their experience more secure by not automatically trusting text messages as they arrive on their phone.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.