Proofpoint researchers have identified a massive global increase in holiday-themed mobile/text (SMS) phishing (smishing), almost double from this same time last year. Over two-thirds of all SMS messages sent worldwide are related in some form to an order delivery or consumer retail brand. With Black Friday and the holiday shopping season fast approaching, mobile users must remain vigilant as they are inundated with SMS messages promising everything from package/gift deliveries, to special retail offers, to alerts of delivery exceptions.
Cybercriminals continue to prey upon mobile users with smishing attacks that claim to be from reputable companies, including prominent retailers, ecommerce brands, and parcel delivery companies. These lures attempt to steal personal information from unsuspecting targets.
Many of these lures request credit card information to resolve an issue supposedly related to the purchase or delivery of a nonexistent item. In other cases, the attackers attempt to steal personal information through an enticing URL or landing page.
For example, in the “Early Bird Black Friday” package delivery smishing attack below, the landing page presents an authentic looking package notification. Following multiple pages related to this fake delivery, the website requests personal information from the potential victim, including their name, postal, and email addresses.
Mobile threats such as these are dangerous for many reasons, particularly as enterprises increasingly make mobile their primary communication channel.
Email users are gradually learning that opening attachments from strangers, clicking on questionable links, and visiting web pages with multiple redirects are risky behaviors. But by comparison, mobile users are not nearly as cautious. As organizations migrate from office servers to remote work deployments with a broad mix of devices, people increasingly communicate solely through their phone. While certainly more convenient, research shows that security best practices have not accompanied employees in this migration.
Consider this SMS data:
- Text messages have a 98 percent open rate; recipients open 90 percent within 3 minutes
- Text messages have 8x the click-thru rate vs. email
Any communication channel growing this fast is ripe for abuse. Fueled by the trust consumers have in their mobile devices, SMS attacks around the world are experiencing exponential growth. While misplaced trust is fueling this trend, so is a lack of awareness. SMS threats benefit from this knowledge gap.
Consider that 69% of people globally are unaware of or don’t accurately know what smishing is. With 98 percent text message open rates and 8x click-through vs. email, the enormous damage mobile malware can do quickly becomes apparent.
As people have continued migrating from email to mobile communications, marketing campaigns have followed. Mobile messaging is now the fastest growing and most highly trusted marketing channel. The creators of email marketing campaigns have increasingly turned their focus to text messages. Customers are becoming more comfortable interacting with merchants who text them with promotions, deals, and package notifications. This cuts both ways, as enterprises have also opened mobile channels to hear from their customers. The following data bears this out:
- 61 percent of global companies have been attacked by smishing
- 81 percent of U.S. companies have suffered the same fate
No matter the communications channel, malicious actors will always follow the money. During the past year, SMS attacks have grown exponentially, because those actors discovered a trusting and captive audience ready to engage on the other end of the phone. It is critical to remain vigilant.
Mobile Users Should Be Aware
Mobile users should be alert and skeptical of unexpected or unrequested holiday-based awards, prices, and offers, and wary of any package delivery notifications. Mobile users should also observe these SMS best practices:
1. Be on the lookout for suspicious text messages. Criminals increasingly employ mobile messaging and SMS phishing (smishing) as an attack vector.
2. Carefully consider before providing your mobile phone number to an enterprise or other commercial entity.
3. Whenever you receive a message, including some sort of warning or package delivery notification that contains a web link, do not use the web link provided in the text message. Instead, use your device’s browser to access the sender’s website directly, or use the brand’s app, if you already have it installed on your device. Do this as well for any offer codes you receive by entering them directly into the sender’s website from your browser.
4. Report SMS phishing (smishing) and spam to the Spam Reporting Service. Use the spam reporting feature in your messaging client if it has one, or forward spam text messages to 7726, which spells “SPAM” on the phone keypad.
5. Be careful about downloading installing new software to your mobile device. Read install prompts closely, particularly for information regarding rights and privileges that the app may request.
1. Don’t respond to any unsolicited enterprise or commercial messages from any vendor or enterprise you don’t recognize. Doing so will often confirm that you’re a "real person."
2. Don’t install software on your mobile device from any source other than a certified app store from the vendor or Mobile Network Operator.
For more information on our security platform for mobile messaging, please visit: https://www.cloudmark.com/en/s/products/cloudmark-security-platform-for-mobile