New developments in conversational attacks on mobile
It’s shopping season, which can only mean one thing: scores of fake “missed delivery” smishing messages trying to steal our money, data and identities. But there is some good news. Proofpoint data show that smishing growth has slowed in the past 18 months across many regions, becoming an established part of the landscape rather than a rising threat.
However, the risk remains serious; recent research shows that 66 per cent of organisations in the UAE have reported at least one smishing attempt in 2022. And, in many cases, these attacks are becoming more specialized and devious.
New conversational attacks emerge
Over the past year, we’ve seen rapid growth in conversational attacks on mobile. Globally there has been an increase by 318 per cent. These tactics involve attackers sending multiple messages, mimicking the patterns of authentic engagement to build trust.
In some parts of the world, impersonation has become a significant trend. This is where the attacker pretends to be someone the victim knows, such as a family member, friend or business acquaintance. Impersonation can increase the likelihood of the victim trusting the message and being lured into conversation.
One common impersonation tactic being used is to claim to be a child with a lost or broken phone.
This is a classic example of social engineering, using parental anxiety to bypass our usual caution. The next step in conversational abuse typically involves persuading the victim to move onto WhatsApp or another messaging service before requesting a money transfer. In this case, the sum is likely to be small, but we’ve seen significant amounts requested and received across a range of conversational lures.
W. Stuart Jones, Technical Marketing Director in Proofpoint’s Cloudmark Division
As layoffs and economic uncertainty remain a reality for many, recruitment scams have also made the switch from email to mobile. After an initial approach via SMS, attackers will try to continue the engagement on a messaging service. Victims can be targeted for advanced-fee fraud, face the theft of personal data, or get recruited as money mules laundering for criminal gangs.
Stay vigilant and report malicious messages
Slowing growth might sound like good news. But the reality is that smishing attacks have simply become ubiquitous while growing in sophistication and cunning. And the risk to users and the mobile ecosystem remains severe. Our phones are still at the centre of our professional, financial and personal lives.
In the UAE, 35 per cent of employees surveyed for a recent Proofpoint study reported receiving suspicious text messages on their phones, revealing the pervasiveness of these threats. Even more concerning, over a third of employees (37 per cent) in the UAE are not familiar with the term ‘smishing,’ indicating a critical gap in awareness.
As scams become more varied and targeted, the cost of falling victim to an attack can be significant. If you encounter smishing, spam, or other suspicious content, be sure to make use of the Android and iOS reporting features. Heightening awareness, staying informed, and promptly reporting incidents are crucial in fortifying defences against the ever-evolving landscape of mobile-based cyber threats.
The writer is technical marketing director in Proofpoint’s Cloudmark Division