Three important things worth considering to protect your subscribers from smishing attacks
23 Mar
Hrach Tamrazyan, Senior Consultant
Smishing is the SMS equivalent of phishing. When cybercriminals ‘phish’, they send fraudulent emails that trick the recipient into opening an attachment that contains malware or clicking on a malicious link that collects sensitive data (credit card account details, passwords, etc.). Smishing simply uses text messages instead of email.
Mobile operators have a responsibility to protect their subscribers by ensuring that this kind of traffic does not happen on their network. Smishing puts the privacy and security of subscribers at risk which, in turn, can result in serious financial damage for subscribers and operators. Ultimately, smishing can lead to a loss of trust in the operator (reputational damage) and an increase in subscriber churn.
There has never been anything quite like the turmoil that the Covid-19 pandemic is wreaking on every aspect of our lives. It has changed the way we live, communicate and work. We have transformed, over the course of one year, into a far more virtual world. Because we’re spending more time online for everything from work and shopping to banking and state services, the risk of becoming victims of smishing increases. We receive more OTP, confirmation and notification messages via SMS – probably the most ubiquitous and trustworthy channel.
I know this first-hand as my mom nearly fell victim to a smishing attack recently. After doing some online shopping, she received an SMS. The message included an alphanumeric senderID of her bank name, asking her to approve the purchase by verifying her credit card details using the URL in the message. This was a classic example of smishing. Luckily for my mother, she’d forgotten her glasses and asked me to do what was required, at which point I explained that this was a smishing attack. My mom subsequently changed her mobile operator because she was upset that they had not protected her, as a subscriber, from this kind of traffic.
Since the incident, out of curiosity, I have done my own test. This was quite easy to do using GTC’s broad testing capabilities. I simply sent a phishing SMS to my two mobile numbers from different operators, using the sender IDs that those networks are using to send their subscribers important messages. Guess what? Both messages were delivered. This might sound strange, especially for people in the messaging business, who know that mobile operators deploy expensive firewalls to protect their networks from unexpected A2P SMS. But is the firewall itself enough? Does the firewall know what to block and what to let through?
If you’re a mobile operator, here are three important things to consider if you want to protect your subscribers from smishing attacks and safeguard your own reputation:
1. Make sure you have a holistic view of the type of traffic that is reaching your network and your subscribers. And find out how this is happening. This is an ongoing task as cybercrime is constantly evolving. Bypass and spam mechanisms are becoming more creative and sophisticated.
2. Invest in constant testing of the network. Specialised and independent testing solutions will provide measurable test results that will help to constantly refine and improve the blocking mechanisms of your network, by mimicking fraudsters’ current and potential behaviour.
3. Be proactive and not reactive. Don’t wait until your subscribers complain or, even worse, stop using your services and go to your competitor. Protect your network and subscribers before it becomes a problem for them. If blocking grey route and SIM box deliveries is important from the perspective of revenue assurance, blocking spam and smishing messages is important from the perspective of your reputation and great customer experience. As a mobile operator, it’s in your best interest to make sure that SMS remains a trusted channel for A2P traffic.
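One way to give a firewall the knowledge of what to block, as an added example (not GTC's code or any product's rule set): bind each protected alphanumeric sender ID to the routes contracted to send it and judge every inbound A2P message against that binding. The sender names, route labels, registry layout and messages are constructed assumptions.

```python
import re

# Assumption: the operator keeps a registry of protected sender IDs, keyed by
# normalised name, with the exact registered spelling and the authorised routes.
PROTECTED = {
    "examplebank": ("ExampleBank", {"smpp:bank-aggregator-1"}),
    "opnotify": ("OpNotify", {"internal:smsc"}),
}
LOOKALIKES = str.maketrans("0135", "oles")  # digits commonly swapped for letters
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)

# Constructed sample of inbound A2P message records.
SAMPLE = [
    {"sender": "ExampleBank", "route": "smpp:bank-aggregator-1", "text": "Your OTP is 482913"},
    {"sender": "ExampleBank", "route": "smpp:intl-wholesale-7", "text": "Approve your purchase: https://verify.example/card"},
    {"sender": "Examp1e-Bank", "route": "smpp:bank-aggregator-1", "text": "Card blocked, call us"},
    {"sender": "ShoeShop", "route": "smpp:intl-wholesale-7", "text": "Sale now on www.shoeshop.example"},
    {"sender": "ShoeShop", "route": "smpp:intl-wholesale-7", "text": "Your order has shipped"},
]


def normalise(sender: str) -> str:
    """Fold case, drop separators and map digit look-alikes to letters."""
    return re.sub(r"[^0-9a-z]", "", sender.casefold()).translate(LOOKALIKES)


def classify(msg: dict) -> str:
    """Return the verdict for one inbound message record."""
    entry = PROTECTED.get(normalise(msg["sender"]))
    if entry is None:
        # Unregistered sender: deliver, but queue messages carrying links for review.
        return "review" if URL_RE.search(msg["text"]) else "allow"
    registered_name, routes = entry
    if msg["sender"] != registered_name:
        return "block_lookalike"  # imitates a protected name (strict spelling match)
    if msg["route"] not in routes:
        return "block_route"      # protected name on a route not contracted for it
    return "allow"


def verdicts(messages: list) -> list:
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"{v:16} {m['sender']:14} {m['route']}")
```

The verdict counts per route and per sender ID are also a starting point for the traffic view described in point 1.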
At GTC, we are committed to compliance and data protection matters, and are always keen to share tips on how to protect consumer data with our clients. In doing so, we can ensure that our clients can gain the trust of their customers and enjoy a competitive advantage in the market.