From online banking and storing sensitive personal information to running a business and using everyday services, mobile phones have become an extension of our identities. Fraudsters know this, which is why phones are a top target for identity theft and financial crime. An estimated 68.4 million Americans have fallen victim to mobile phone scams, with losses approaching $40 billion.
So how do mobile phone scams work? Here are the three techniques fraudsters most commonly use to target mobile users:
1) Smishing
SMS phishing (or smishing) is probably the most widely used tactic in mobile phone scams. The average American consumer receives about 20 unwanted text messages per month, a number that has more than doubled over the past three years. The messages usually contain a link (often a shortened URL that hides the real destination) to a survey, prize, sweepstakes or lottery, or they pose as an urgent notification about your bank account, credit card or tax refund. Victims are typically asked to visit a website, download an application, enter login credentials or fill out a form on a page the attackers control. Once the victim completes the requested action, the attackers hold the victim's credentials, bank account or other sensitive information, or have infected the device with malware to carry out further attacks.
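The indicators described above (a shortened or lookalike link, urgency wording, a prize lure, a request for credentials) can be turned into a simple triage rule. The following is an added example, not code from the original article or from KnowBe4; the sample messages, the shortener list, the brand-to-domain allowlist and the score weights are all constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS texts for this demo; none are real messages.
SAMPLES = {
    "bank_lookalike": ("URGENT: Your Chase account has been suspended. Verify your identity "
                       "at http://chase-secure-verify.com/login within 24 hours."),
    "prize_shortener": "Congratulations! You won a $500 gift card. Claim it now: bit.ly/3xYzAbc",
    "delivery_ip": "USPS: your package could not be delivered. Update your address at 192.0.2.10/usps",
    "legit_amazon": "Your Amazon order has shipped. Track it at https://www.amazon.com/gp/your-account/order-history",
    "dentist": "Hi, it's Dana from the dentist's office. Your cleaning is confirmed for Tuesday at 3pm. Reply C to confirm.",
}

# Link shorteners hide the real destination, which is exactly what a smishing lure wants.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}

# Commonly impersonated brands mapped to the domain they actually use (assumed allowlist).
# A host whose labels contain the brand name but that is not that domain, or a subdomain
# of it, is treated as a lookalike.
BRAND_DOMAINS = {"chase": "chase.com", "paypal": "paypal.com", "usps": "usps.com",
                 "irs": "irs.gov", "amazon": "amazon.com"}

URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"                          # scheme- or www-prefixed URL
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/\S*"   # bare domain with a path, e.g. bit.ly/abc
    r"|\b\d{1,3}(?:\.\d{1,3}){3}(?:/\S*)?",            # raw IPv4 host
    re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|locked|within \d+ hours|act now|final notice)\b", re.I)
LURE_RE = re.compile(r"\b(won|winner|prize|sweepstakes|lottery|gift card|refund|reward)\b", re.I)
CREDS_RE = re.compile(r"\b(password|pin|ssn|social security|account number|verify your identity|log ?in)\b", re.I)


def extract_hosts(text):
    """Pull every URL-like token out of the message and return its lowercase host."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0).rstrip(".,;:!?)\"'")
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw          # give urlparse a scheme so it fills in hostname
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_sms(text, threshold=3):
    """Score one SMS on the smishing indicators above.

    Returns the total score, the reasons that contributed, and whether the message
    crosses the (assumed) threshold. Link checks run on the hosts; keyword checks run on
    the prose with the links removed so a URL path never triggers a keyword rule.
    """
    score, reasons = 0, []
    for host in extract_hosts(text):
        if host in SHORTENERS:
            score += 2
            reasons.append(f"shortened URL: {host}")
        elif IPV4_RE.match(host):
            score += 3
            reasons.append(f"raw IP address as host: {host}")
        labels = set(re.split(r"[^a-z0-9]+", host))
        for brand, real in BRAND_DOMAINS.items():
            if brand in labels and host != real and not host.endswith("." + real):
                score += 3
                reasons.append(f"lookalike domain for {brand}: {host}")
    body = URL_RE.sub(" ", text)
    if URGENCY_RE.search(body):
        score += 1
        reasons.append("urgency language")
    if LURE_RE.search(body):
        score += 1
        reasons.append("prize/reward lure")
    if CREDS_RE.search(body):
        score += 1
        reasons.append("asks for credentials or identity data")
    return {"score": score, "reasons": reasons, "suspicious": score >= threshold}


def triage(samples):
    """Run the scorer over a batch and report which messages are flagged."""
    return {name: score_sms(text)["suspicious"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, score_sms(text))
```

The weights are deliberately coarse: a lookalike domain or a raw IP host is enough on its own to flag a message, while urgency or prize wording only tips the balance, so the legitimate Amazon link and the dentist reminder score zero even though one contains a brand name and the other asks for a reply.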
2) Vishing
Voice phishing (or vishing) is another form of phishing in which scammers call unsuspecting victims while impersonating legitimate businesses or trusted individuals. Attackers combine scare tactics and emotional manipulation to gain the victim's trust and deceive them into taking an action. Common examples include neighbor-spoofed calls (the caller ID is faked to look like a local number), tax refund calls, healthcare scams and technical support calls. Robocalls (scam calls that play a recording instead of using a live caller) are also widely used in vishing. Americans received 50.5 billion robocalls in 2021, and robocalls are the number one source of consumer complaints to the FCC.
3) SIM Swapping
Banks and other service providers use mobile phones to verify identity, typically by sending one-time passwords or access PINs by text message. If scammers can take control of a phone number, they receive those text messages, can reset the passwords on email and other accounts tied to the number, and reach other sensitive information. SIM swapping is the fraudulent transfer of a victim's mobile number to a SIM card controlled by the scammer, who then uses it to compromise the victim's digital identity or banking credentials. Attackers do this either by stealing the victim's physical SIM card or by using the victim's personal information to con the mobile carrier into porting the number to a SIM or device the scammer controls. Earlier this year, the FBI issued an alert highlighting $68 million in losses attributed to SIM swapping.
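On the service side, the practical response to SIM swapping is to stop trusting a phone number right after it changes SIMs and to watch for a SIM change that is immediately followed by password resets or OTP requests. The following is an added example, not code from the original article or from KnowBe4; the event log, the event names, the 72-hour cooldown and the 24-hour correlation window are constructed assumptions, and the "sim_change" event assumes the service has some feed of SIM-change or port-out signals from the carrier.

```python
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(hours=72)   # assumed policy: distrust SMS for 3 days after a SIM change
CORRELATION_WINDOW = timedelta(hours=24)    # assumed detection window for the alert rule

# Constructed event log (hypothetical schema, not data from the article).
# "sim_change" stands for a carrier-provided signal that the number moved to a new SIM or
# was ported out; the other events come from the service's own authentication logs.
EVENTS = [
    ("2022-03-01T09:00:00", "alice", "login_ok"),
    ("2022-03-04T14:05:00", "alice", "sim_change"),
    ("2022-03-04T14:20:00", "alice", "password_reset_requested"),
    ("2022-03-04T14:21:00", "alice", "sms_otp_requested"),
    ("2022-02-20T10:00:00", "bob", "sim_change"),            # routine handset upgrade weeks earlier
    ("2022-03-05T08:00:00", "bob", "sms_otp_requested"),
    ("2022-03-05T11:00:00", "carol", "sms_otp_requested"),   # no SIM change on record
]
RECOVERY_EVENTS = {"password_reset_requested", "sms_otp_requested"}


def parse_ts(iso):
    return datetime.fromisoformat(iso)


def latest_sim_change(events, user, before_iso):
    """Most recent sim_change for the user at or before the given time, or None."""
    now = parse_ts(before_iso)
    times = [parse_ts(ts) for ts, u, kind in events
             if u == user and kind == "sim_change" and parse_ts(ts) <= now]
    return max(times) if times else None


def sms_otp_allowed(events, user, now_iso):
    """Gate SMS OTP delivery: return (allowed, reason).

    A number that changed SIMs recently may be in a scammer's hands, so the caller should
    fall back to a factor that does not ride on the phone number (authenticator app,
    hardware key, in-person verification) instead of texting the code.
    """
    last = latest_sim_change(events, user, now_iso)
    if last is None:
        return True, "no SIM change on record"
    age = parse_ts(now_iso) - last
    if age < SIM_CHANGE_COOLDOWN:
        return False, f"SIM changed {age} ago; require an authenticator app or another non-SMS factor"
    return True, f"last SIM change {age} ago is outside the cooldown"


def sim_swap_alerts(events, window=CORRELATION_WINDOW):
    """Detection rule: a sim_change followed within `window` by a credential-recovery action.

    One alert per qualifying sim_change, listing the recovery events that followed it.
    """
    ordered = sorted(events)   # ISO timestamps sort correctly as strings
    alerts = []
    for ts, user, kind in ordered:
        if kind != "sim_change":
            continue
        start = parse_ts(ts)
        followups = [k for ts2, u2, k in ordered
                     if u2 == user and k in RECOVERY_EVENTS
                     and start <= parse_ts(ts2) <= start + window]
        if followups:
            alerts.append({"user": user, "sim_change_at": ts, "followups": followups})
    return alerts


if __name__ == "__main__":
    print(sms_otp_allowed(EVENTS, "alice", "2022-03-04T14:21:00"))
    print(sms_otp_allowed(EVENTS, "bob", "2022-03-05T08:00:00"))
    print(sim_swap_alerts(EVENTS))
```

Run against the constructed log, the gate refuses to text a code to alice sixteen minutes after her SIM changed, lets bob through because his SIM change is two weeks old, and the alert rule produces a single alert for alice whose password reset and OTP request both landed within minutes of the swap.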
How Users Can Avoid Being Victimized
Some mobile phone scams are highly targeted, which makes them difficult for even security-savvy users to spot. Here are some best practices that can help:
- When you receive an unexpected text message, watch for common warning signs such as misspellings, grammar mistakes, and unexpected prizes or gift cards.
- Be careful with links in SMS messages, especially shortened ones that hide their destination. When in doubt, type the organization's address into your browser or open its official app instead of tapping the link.
- Do not connect your phone to unfamiliar Wi-Fi networks or pair it with unknown Bluetooth devices. Avoid sending sensitive information over public Wi-Fi unless the connection itself is encrypted (HTTPS or a VPN).
- Only install mobile apps from your phone's official app store, not from links in a browser. Be wary of unknown developers or apps with poor reviews. Do not grant an app device-administrator privileges unless you truly trust its developer. Keep apps updated so they have the latest security fixes.
- Be wary of ads, giveaways and contests, which can lead to phishing sites that steal information. Pay close attention to URLs. Avoid saving login credentials in web browsers; passwords stored in the browser are a common target for information-stealing malware.
- Do not respond to phone, social media or email requests for financial data or sensitive information such as credentials or access PINs. Do not return missed calls from unknown numbers or unfamiliar country codes. Provide account information only on calls you initiated yourself, never on calls you received.
- If you own a business, make sure your employees receive regular security awareness training and follow cybersecurity hygiene best practices on their mobile phones. Run tabletop exercises and phishing simulations based on real-world examples so that employees build muscle memory in recognizing and reporting phishing and social engineering scams.
More than 80% of cyber incidents stem from human error. Being alert to what scams look like in all their disguises goes a long way toward reducing the chance of a successful phone compromise, because phone and text scams are not going away anytime soon.
About the Author:
Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with 50,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at [email protected].