I Broke My Phone! An Update on New Developments in Conversational Attacks on Mobile

It’s shopping season, which can only mean one thing: scores of fake “missed delivery” smishing messages trying to steal our money, data and identities. But there is some good news. Proofpoint data shows that smishing growth has slowed in the past 18 months across many regions, becoming an established part of the landscape rather than a rising threat.  

Figure 1: Global trends in smishing.

However, the risk remains serious. And in many cases, attacks are becoming more specialized and devious. 

New conversational attacks emerge 

Over the past year, we’ve seen rapid growth in conversational attacks on mobile. In these attacks, the attacker sends multiple messages that mimic the patterns of authentic engagement in order to build trust. In that time, we’ve seen the volume of conversational attacks increase 318% globally, 328% in the U.S. and 663% in the U.K. Pig butchering, which we’ve covered before on the blog, is a notable example of a conversational threat. But it isn’t the only one.

In some parts of the world, impersonation has become a significant trend. This is where the attacker pretends to be someone the victim knows, such as a family member, friend or business acquaintance. Impersonation can increase the likelihood of the victim trusting the message and being lured into conversation. 

In the U.K., one of the common impersonation tactics is to claim to be a child with a lost or broken phone.  

Figure 2: Example of a text sent by attackers.

This is a classic example of social engineering, using parental anxiety to bypass our usual caution. The next step in conversational abuse typically involves persuading the victim to move to WhatsApp or another messaging service before requesting a money transfer. In this case, the sum is likely to be small, but we’ve seen significant amounts requested and received across a range of conversational lures.

Similar family-oriented messages have also been reported in New Zealand. In the U.S., impersonation is more likely to be of a friend or business acquaintance claiming a missed connection or asking to catch up. Methods that are successful in one country are often applied elsewhere, so it may not be long before the U.K.’s “Hey Mum” becomes America’s “Hey Mom.” 

And as layoffs and economic uncertainty remain a reality for many, recruitment scams have also made the switch from email to mobile. After an initial approach via SMS, attackers will try to continue the engagement on a messaging service. Victims can be targeted for advanced-fee fraud, face the theft of personal data, or get recruited as money mules laundering for criminal gangs.  

Stay vigilant and report malicious messages 

Slowing growth might sound like good news. But the reality is that smishing attacks have simply become ubiquitous, while growing in sophistication and cunning. And the risk to users and the mobile ecosystem remains severe. Our phones are still at the center of our personal, professional and financial lives. As scams become more varied and targeted, the cost of falling victim to an attack can be significant.  

If you encounter smishing, spam or other suspicious content, be sure to make use of the Android and iOS reporting features. If a simplified reporting capability is not available, you can forward spam text messages to 7726, which spells “SPAM” on the phone keypad.