SMS Vishing: Why Fraud Solutions must be Dynamic – By Cathal Fitzpatrick, VP Marketing and Value Propositions
Like the other virus that plagues us at the moment, criminals using Telco services in attempts to defraud the unwary are demonstrating an amazing capacity to adapt, change and bypass the defensive measures that are put in place to stop them. Once people started to recognise that URLs in text messages (Smishing) were a potential threat, Fraudsters increasingly switched their focus to unsolicited voice calls (Vishing), to the extent that most people now routinely block calls from unrecognised numbers.
In response, the criminals are now focussing on a hybrid attack, SMS Vishing, that combines the ‘advantages’ of both Smishing and Vishing. Like Smishing, SMS Vishing starts with a text message alerting the recipient to some urgent event that requires their immediate attention. Unlike Smishing messages, which ask the recipient to click a fraudulent URL, SMS Vishing messages ask the recipient to call back a specified phone number. Fraudsters sit on the other end of these phone numbers and use all their experience to lure people into providing bank account details, social security numbers, and other personal data. This change from URLs to phone numbers is an attempt to work around solutions that detect and block Smishing. For example, the latest Android Messages client has in-built URL checking functionality and successfully recognises Smishing messages, but it does not flag SMS Vishing messages with phone numbers. More people are therefore vulnerable to SMS Vishing messages, giving the fraudsters a greater chance of success.
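The detection gap described above, as an added example (not Openmind's product logic and not code from the article): a URL-only check passes a callback-number lure, while a rule that looks for a phone number preceded by a call-to-action, plus an urgency cue, catches it. The regexes, cue words, 40-character window and sample messages are assumptions constructed for illustration.

```python
import re

# All patterns and cue lists below are illustrative assumptions.
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
# Digit runs with common separators; validated by digit count below.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,18}\d")
CALLBACK_RE = re.compile(r"\b(?:call(?:\s+(?:us|back))?|phone|ring|dial|contact)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(?:urgent|immediately|suspended|locked|unauthori[sz]ed|fraud|overdue|"
    r"final notice|within \d+ (?:hours?|minutes?))\b", re.I)
WINDOW = 40  # characters before the number in which a callback verb must appear


def callback_numbers(text):
    """Return the digits of each phone number the message asks the recipient to call."""
    found = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not 8 <= len(digits) <= 15:  # E.164 numbers have at most 15 digits
            continue
        lead = text[max(0, m.start() - WINDOW):m.start()]
        if CALLBACK_RE.search(lead):    # a bare digit run (order ref, amount) is ignored
            found.append(digits)
    return found


def classify(text):
    """Label a message 'smishing', 'sms_vishing' or 'unflagged'."""
    if URL_RE.search(text):
        return "smishing"       # the case a URL-only checker already catches
    if callback_numbers(text) and URGENCY_RE.search(text):
        return "sms_vishing"    # the case a URL-only checker lets through
    return "unflagged"


# Constructed sample messages, not real traffic.
SAMPLES = [
    "Your account is locked. Verify now at http://example.invalid/login",
    "URGENT: unauthorised payment of 450.00 detected. Call 0808 157 0199 immediately.",
    "Hi, it's Sam. Call me on 07700 900123 when you land.",
    "Your parcel ref 20240115998 is out for delivery today.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{classify(msg):12} {msg}")
```

The third and fourth samples show why both conditions are needed: an ordinary "call me" text and a long reference number each satisfy only one of them. The cue lists are data that must be maintained as lures change; a fixed list goes stale.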
The constant variety and changing point-of-attack used by Fraudsters highlight the problems facing Mobile Operators as they work to protect their networks and subscribers. Product-based solutions with fixed functionality to deal with specific types of attacks are of very limited use. By the time such a solution is implemented in a network, Fraudsters will already have moved on to their latest and most deadly variant. Fraud solutions need to be dynamic, and Operators must have counter-measures that evolve as fast as the attackers.
This need for dynamism is the reason why Openmind has built a continuous improvement cycle into the design of our portfolio of ‘Smart Services’ that protect Operators from Fraud and Revenue Leakage. Combined with our CI/CD implementation process, we ensure that our customers always have access to the latest functionality they need to defeat the attacks they face. We have already extended the scope of our Smishing Detection solution to deal with SMS Vishing attacks, and we are always on the alert for the next ‘variant of concern’ that threatens the security of the mobile messaging service.