My sister, Bonni, is the principal of an elementary school in Long Island, New York, and she is an understandably busy person. Recently, she received a text message from her bank, informing her that her checking account was overdrawn because of a $2,000 transaction.
The text from the bank instructed her to click a link that would take her to the bank’s website for an important message. If she didn’t address the problem immediately, the text message said, she’d be charged a hefty overdraft fee.
Of course, being the sister of an FBI agent who investigates cybercrime, Bonni had heard me go on and on about the importance of thinking before you click on an email. But this was a text message sent to her cell phone, and she was pretty sure she’d provided the bank with her number in case they needed to contact her.
Fortunately, she was driving by her branch when she received the text, so she stopped and talked to a representative. The bank employee checked her account and told her there wasn’t a problem and that the text message was actually a scam.
As cybersecurity continues to evolve, cybercriminals create new and not-so-new methods to persuade people to divulge their usernames and passwords. One way is called smishing, which is short for SMS (short message service) phishing.
Smishing is another tool cybercriminals use to access personally identifiable information and steal identities, gain access to your accounts, or help themselves to your money and credit by infecting your smartphone through texts or SMS messaging.
Smishing is also used to spread viruses that contain keyloggers. As we’ve seen, these are programs that hide in the background, waiting to steal your credentials or install ransomware on your phone, making it useless unless you pay the crook’s extortion demands.
Smishing is a growing threat in the world of online security. One big reason is that nearly every U.S. adult uses some type of cell phone, and most of them are using smartphones. According to a 2018 Pew Research Center study, 95 percent of U.S. adults own a cell phone and 77 percent own smartphones (up from 35 percent in a 2011 study). And now, more and more Americans are relying solely on their smartphones to access the Internet.
According to the Pew Research Center study, one in five American adults is a smartphone-only Internet user who does not have traditional broadband Internet service at home. In fact, 63 percent of total Internet visits in 2017 were from mobile devices (up from 57 percent the previous year), according to a study by SimilarWeb—and that number is expected to grow every year.
Cybercriminals have taken notice of that trend, and they’ve altered their arsenals to attack our cell phones and smartphones, whether it’s by smishing, spoofing mobile sites, fraudulent promotional offers, or fake login landing pages. Cybercriminals like sending viruses and malware to cell phones because the screens are smaller and users are less likely to closely examine webpages and emails.
As people have become more reliant on their smartphones (and more suspicious of emails and thus less likely to click on links or attachments), the bad guys are relying more and more on text messages to do their dirty work. Because smishing has been less prevalent in the past, people are less suspicious of a text message from their bank or close friends.
For whatever reason, people seem to trust a text message more than an email, and they feel less vulnerable when using their smartphones. Plus, massive data breaches in the recent past have given cybercriminals access to millions of cell phone numbers, which have been packaged and sold on the dark web.
In late 2016, the ride-sharing service provider Uber announced that a data breach had affected about fifty-seven million customers, revealing their names, email addresses, and phone numbers. Uber later admitted to keeping the breach secret for a year and paying the hackers $100,000 in ransom money.
In another data breach, personal data belonging to about 1.5 million members of E-Sports Entertainment Association League was leaked online by hackers after the company refused to pay a ransom. Now it’s probably easy to understand how cybercriminals might have your cell phone number.
Text messages and mobile emails aren’t the only weapons for cyber attacks. According to Wandera’s “Mobile Data Report” in July 2017, only 19 percent of mobile attacks originated through mobile emails. The majority—81 percent—came through mobile applications and websites. It also may surprise you that Wandera’s data showed 63 percent of the phones attacked had iOS operating systems (remember what I said about Apple products?) and 37 percent were Android devices.
If my sister had clicked on the link included in the text message, she would have been taken to a website that looked like her bank’s actual website. She would have been instructed to enter her username and password, and then it would have been game over. The thieves would have wiped out the money in her checking and savings accounts. Fortunately, she outsmarted them.
Bonni asked me how the bad guys obtained her phone number and knew where she banked. I explained they were able to do it because her consumer habits are like most of ours. First, we provide our cell phone numbers when we sign up for banking and finance, e-commerce, utilities, and even social media services. Somewhere along the way, bad guys probably hacked into one of those sites and stole the numbers.
In some cases, cybercriminals will even randomly text numbers in certain area codes, hoping to win the lottery by duping a couple of unsuspecting victims. Bonni lives in Long Island, New York, which is located in the 516 area code. She banks with Chase Bank, which is quite popular in that area. The cybercrooks might have taken a shotgun approach and simply sent hundreds of thousands of text messages to numbers in the 516 area code.
Unfortunately, they have automated ways of doing it that make crime easy and efficient nowadays. Think about it: If the bad guys sent out one hundred thousand text messages and only one hundred of the recipients actually did their banking at Chase, how many of them would fall for the scam, click on the link, and provide their credentials? It would probably only be a handful. But the criminals might only need one person to respond to make it worth their time and effort, depending on how much money they steal.
Sometimes, attackers will send a text message asking you to call a bank’s phone number, which is only an attempt to further persuade you to divulge your personal information. If you receive such a text message, call the bank using a number from your statements or one you’ve written down. Never call the number included in the text message. You’d probably be talking to some guy sitting on a couch in Eastern Europe or Southeast Asia.
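The checks described above (do not trust the link, do not call the number in the text) can be written down as a small triage routine. This is an added example, not part of the original text; the bank name, domain, phone numbers, and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders: what the customer already knows to be genuine,
# e.g. copied from a paper statement or the back of the card.
KNOWN_BANK_DOMAINS = {"examplebank.example"}
KNOWN_BANK_PHONES = {"8005550100"}

URGENCY = re.compile(r"\b(immediately|overdrawn|overdraft|suspended|locked|urgent)\b", re.I)
URL = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def is_bank_host(host):
    """True only for a known bank domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_BANK_DOMAINS)

def triage_sms(text):
    """Return a sorted list of reasons the message deserves suspicion."""
    reasons = set()
    if URGENCY.search(text):
        reasons.add("urgency")
    for raw in URL.findall(text):
        url = raw if "://" in raw else "http://" + raw
        # urlsplit drops any user@ prefix, so the real host is what gets compared.
        if not is_bank_host(urlsplit(url).hostname or ""):
            reasons.add("link-not-bank-domain")
    for raw in PHONE.findall(text):
        digits = re.sub(r"\D", "", raw)[-10:]  # compare on the 10-digit number
        if digits not in KNOWN_BANK_PHONES:
            reasons.add("unknown-callback-number")
    return sorted(reasons)

# Constructed sample messages modeled on the scenarios in the text.
SAMPLES = {
    "overdraft_link": "Example Bank: your checking account is overdrawn by $2,000. "
                      "Visit https://examplebank.example.account-alerts.example/login "
                      "immediately to avoid an overdraft fee.",
    "callback": "Example Bank fraud desk: call 516-555-0199 about your account.",
    "genuine": "Example Bank: your statement is ready at "
               "https://www.examplebank.example/statements",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage_sms(msg))
```

The first sample is flagged even though the bank's domain appears in the link, because the host only begins with that name and actually ends in a different domain.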
Unfortunately, it is becoming difficult for law enforcement to stop smishing. I received dozens of calls from banks when I worked for the FBI informing me that cybercriminals were sending these types of text messages to their customers. The banks provided me with a list of phone numbers from which the smishing messages originated, and they expected me to track the bad guys down.
Let me explain why it’s so difficult. In the old days, you had to have a physical address to have a hardline phone in your home. Today, through Google, Skype, and other online phone providers, you can obtain free voice over Internet protocol (VOIP) numbers that enable you to call phones through your computer.
Through free VOIP numbers, it’s easy for criminals to send out smishing messages, and it’s extremely difficult for law enforcement to trace those numbers.
Even when law enforcement goes through the long and arduous process of sending a subpoena to an Internet provider, the originating Internet protocol (IP) address usually resides in a foreign country.
If we’re fortunate enough to shut one down, the cybercriminal simply moves to another IP address. Stopping them is like playing a game of Whack-a-Mole; you knock one down and another pops up. The hard truth is we cannot stop the bad guys from sending text messages with links.
It’s impossible. What we can do is teach people how to react and how not to react. Whenever possible, I’ve encouraged people in the financial sector to educate their customers on the different types of smishing scams. If they were doing their jobs effectively, I probably wouldn’t have needed to write this book.
The episode with my sister and her cell phone made me think about my own cell number, which is also my work phone. I tell people it’s the best way to reach me. I decided to conduct a test and searched for my cell phone number on Google.
Much to my surprise, I saw it listed on a website. I figured it was there because I’d previously provided it to a company as my contact number, and it was either sold without my knowledge or stolen through a data breach. I’m not going to lie: what I discovered was absolutely frightening. The website that had my cell phone number was strange-looking.
When I clicked on that link, I was taken to a different webpage that included my name, date of birth, home address, work address, wife’s and mother’s names and dates of birth, and every phone number and physical address I’ve had for the past twenty years.
The website claims to be a data aggregator; it crawls the Internet specifically searching for the personal information of people living in the U.S. It combines the best social networking information with all publicly available information for everyone over the age of eighteen. The site boasts of having one of the largest public records repositories on the Internet (it had information for nearly two hundred million people and more than eighteen million companies in 2018), and I’m sure it’s expanding rapidly every day.
What was frightening about this particular site is that its point of contact was listed as someone in Africa. I didn’t have a good feeling about the entire situation. It comes down to a fundamental question: do we have an expectation of privacy on the Internet? Or should we assume there’s somebody sitting in Africa collecting all our personal information and probably selling it to anyone who will pay? In the old days, you simply needed to have an unlisted phone number and that alone made it difficult for someone to find you.
Today, everything about you is online, and those details are being aggregated and sold. Privacy has gone out of the window! And, if this information gets into the hands of bad guys, the chances of you becoming a victim are extremely high.