Proofpoint threat intelligence lead Chris Dawson says the scam, warned about by both Kmart and the NSW Police, claims Kmart customers have won a prize and uses the real names of family and friends to increase the scam’s legitimacy.
And to claim the prize, the message asks users to pay a small fee.
“SMS phishing targeting consumers is on the rise, and cybercriminals are introducing new techniques to increase its effectiveness,” says Dawson.
“The sophistication of this latest scam is particularly noteworthy as the hoax uses real names of family members and close friends.”
“Because there are no commercially available inbound filtering products for SMS like those that exist for email, attackers have discovered sending text messages can be highly effective for directing users to fraudulent websites and tricking users into handing over their banking credentials,” Dawson cautions.
“This gap in defence is compounded by the small screens of mobile devices, which make it difficult to determine whether websites are fake, as well as the immediacy normally associated with SMS-based communications.
“Even if recipients become suspicious when asked for their credit card details, attackers already have a phone number and access to an associated email account. For many providers, this is enough data to port the phone number away from the original provider and take control of a victim’s online identity. In many cases, recipients also enter credit card data, allowing the attackers to rack up credit card charges and steal victim identities.”
Dawson says that as a majority of Australians use a smartphone each day, businesses should ensure that their employees are trained to spot malicious phishing attempts delivered via SMS, “and to exert greater management and control over the security of the devices they provide to their employees”.
“For consumers, the burden lies with them to treat unsolicited text messages with extreme caution,” Dawson concludes.