Proofpoint finds that bad actors are using SMS messages about package deliveries as the bait in new scams.
‘Tis the season for scammers to use SMS messages to deliver malicious links straight to your phone. Proofpoint warns that bad actors are taking advantage of the holiday season to hide malware in texts. This form of phishing is called smishing because the attack is delivered through short message service, also known as text messaging. These campaigns range from package delivery notices to offers of loans to help with the holidays.
Cybercriminals send smishing attacks that claim to be from reputable companies, including retailers, ecommerce brands and parcel delivery companies, to steal personal information from unsuspecting targets. Proofpoint researchers report that holiday-themed smishing attacks have almost doubled compared to this time last year.
Jacinta Tobin explained the spike in malicious text messages in a blog post on Proofpoint's site. In one smishing attack, the scammer sent a text about an “Early Bird Black Friday” package delivery with a landing page that looks like an authentic package notification. Instead, the website requests personal information from the potential victim, including name, postal and email addresses.
Proofpoint reports that SMS attacks around the world are growing exponentially, thanks to a rise in this kind of marketing and a lack of awareness about the threat. As Tobin notes:
“….misplaced trust is fueling this trend, so is a lack of awareness. Consider that 69% of people globally are unaware of or don't accurately know what smishing is. With 98% text message open rates and 8x click-through vs. email, the enormous damage mobile malware can do quickly becomes apparent.”
Marketing company G2 reports that 82% of people say they open every text message they receive and 84% of consumers have received SMS messages from a business. G2 also states that the top three SMS text message types customers say they like to receive are shipping updates for products, order status and confirmations, and scheduling reminders.
Tobin offered a list of dos and don'ts for the holiday season. She recommends consumers take these precautions:
- Be on the lookout for suspicious text messages.
- Be careful about giving out your cell phone number to businesses.
- Don't use web links sent in text messages. Instead, use a browser to access the sender's website directly, or use the brand's app.
- Report smishing and spam to the Spam Reporting Service via the reporting feature in your messaging client if it has one, or forward spam text messages to 7726 (SPAM).
- Read app install prompts closely, particularly for information regarding rights and privileges.
- Don't respond to any unsolicited enterprise or commercial messages from any vendor or enterprise you don't recognize.
- Don't install software on your mobile device from any source other than a certified app store.
Any holiday is a prime time for a cyber attack, according to Cybereason, because the goal is to catch an organization's IT and security staff off-guard when they're unavailable or distracted.