Scammers are getting sophisticated: how ‘Smishing’ is evolving




It used to be that, if a company wanted to get in touch, they’d write you a letter, or perhaps call you. Then it evolved to email and text messages to your mobile, and now there are loads of ways of being contacted, and therefore a big increase in the number of ways that scammers can target you. Scammers are getting sophisticated, using SMS ‘Smishing’ to trick us into giving away personal information or money, and these messages are becoming ever more difficult to spot.

The scenario: you receive a text message, commonly from your bank, a courier company or online store, informing you that there’s a problem with your account, issues with making a payment or some suspicious activity. The message will typically include a link for you to click or a number to call to sort out whatever the problem is. Once you’re engaged, the scammer will try to get you to reveal information such as passwords, account numbers and PINs, which they could use to gain access to your email, bank, or other accounts, or sell your information to other scammers.

How to spot a smishing attempt

In the UK, the Money Advice Service provides useful advice on how to identify and prevent smishing scams, warning that they are difficult to spot, particularly if they appear to come from an organisation that would usually contact you by text.

But just like email ‘phishing’ scams, they say, there are some tell-tale signs. For example, there might be spelling mistakes or text that just addresses you as Sir or Madam. Real messages from these companies will usually address you by your full name. You can also look at the phone number it’s been sent from. It will likely not be the same as the one on your bank card, it will not be one you recognise and it might be sent from an overseas number.

Use Case: the increasing sophistication of fake Hermes texts

As reported by the Which? organisation in the UK this month, there has been a resurgence in fake texts purporting to be from the Hermes delivery company trying to lure you into bank transfer scams.

Operating along usual lines, these scammers are getting sophisticated, using text messages in an attempt to persuade you that you’ve either missed a delivery or there’s a fee to pay for a parcel. They include a link that takes you through to a website to enter details or make a small payment.

So far so normal. But Hermes (and nearly all organisations) never asks for payments via text – it only sends links that let you view parcel tracking, and customers have wised up to this. So, scammers are now including other details in the message (retailer brands, estimated times of delivery) to mimic real Hermes texts, and offer links to ‘track’ a parcel.

The links included take you through to copycat Hermes websites that look just like the real thing. They are becoming more difficult to spot because the scammers use ‘masked SenderIDs’, which enable them to mask or ‘spoof’ the Hermes name on the messages sent, replacing the number the message is sent from and making it look more believable.

Instead of asking for payment upfront, the clone website that you land on cleverly takes details from you, piece by piece, to ‘locate’ your parcel. Only after you’ve handed over your address, number and other personal information will the site warn that there’s an outstanding fee to pay. A lot of victims have told Which? that by this time they’ve realised something’s not right, but have already given away sensitive details.

Staying safe: how to spot scam messages and what to avoid

Scammers use the details they’ve gathered to target people with more scams, possibly with phone spoofing scams where they pretend to be calling from the delivery company, or your bank.

The number one piece of advice for avoiding being scammed is to avoid following any links you’re sent in text messages, and if you think you’ve given away your bank details, contact your bank immediately via its official channels and tell it what’s happened.

Even when a SenderID appears to be real, do not click the link, whether the message asks you to update payment information urgently, threatens that a service or order will be cancelled, or simply makes you curious about having had something delivered. If you’re not sure, contact the organisation or company the message claims to be from directly to check the details.
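The tell-tale signs listed earlier, and the point that a spoofed SenderID proves nothing, written as a message-triage check such as a filter or help desk might run. This is an added example, not code from the original article or from Sekura; the `hermes.example` domain, the `+44` home prefix and the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): placeholder official domains per brand,
# and a UK recipient for the "overseas number" check.
OFFICIAL_DOMAINS = {"hermes": {"hermes.example"}}
HOME_PREFIX = "+44"
URL_RE = re.compile(r"https?://\S+", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(sir|madam|customer)\b", re.I)
PRESSURE = re.compile(r"\b(fee|pay|payment|urgent|urgently|cancelled|missed)\b", re.I)

def link_hosts(body):
    """Lower-cased hostnames of every http(s) link in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            hosts.append((urlsplit(url.rstrip(".,;)")).hostname or "").lower())
        except ValueError:  # malformed link: keep it as a non-official host
            hosts.append("invalid")
    return [h for h in hosts if h]

def is_official(host, domains):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(sender, body):
    """Return the warning signs from the article that one SMS shows."""
    flags = []
    text = f"{sender} {body}".lower()
    hosts = link_hosts(body)
    if hosts:
        flags.append("contains_link")
    # The SenderID can be spoofed, so it only tells us which brand is claimed;
    # it is never used as evidence that the message is genuine.
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in text and any(not is_official(h, domains) for h in hosts):
            flags.append("link_host_not_official")
    if sender.startswith("+") and not sender.startswith(HOME_PREFIX):
        flags.append("overseas_number")
    if GENERIC_GREETING.search(body):
        flags.append("generic_greeting")
    if PRESSURE.search(body):
        flags.append("payment_or_urgency")
    return flags

# Constructed sample: spoofed SenderID, realistic tracking text, lookalike host.
SPOOFED = ("Hermes", "Hermes: your RetailerX parcel is due 2-4pm. "
           "Track it: https://hermes-parcel-track.example/t/8841")
```

`triage(*SPOOFED)` flags only the link and its host: the message has no spelling errors, payment demand or odd sender, which is why the link destination is the check that matters.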

Yes, scammers are getting sophisticated, but armed with the right knowledge and tools we can counter the threat and stay in control.
