Mobile phishing campaigns could be targeting your bank. In fact, phishing attackers are targeting bank accounts more in 2020 than ever before. Criminals have found that the easiest way in is through your mobile phone. Some of the recent targets? Capital One and Chase are two of the dozens of phished banks that have been identified recently.
Hackers are using automated SMS tools to blast bogus security text messages to you and have successfully snatched accounts from thousands so far, out of the millions receiving these texts.
Mobile campaigns will become the new normal in 2020
We predict that mobile-based attacks will grow more prevalent in 2020 than ever before. As people become more cautious of email phishing attacks (though these attacks are easy to forget), criminals have started exploiting mobile-based texting attacks more and more.
These SMS-based messages can include a link to a phishing page (mirroring a legitimate bank page).
These phishing pages are built to look like legitimate mobile-friendly web pages. They have login pages mirroring the mobile site at your bank. They completely mimic the layout of the bank’s applications and sizing, along with its links—including its privacy and security policies or account management pages.
Hackers want you to never catch on to their scheme.
By mimicking the experience you get on the bank’s legitimate mobile site, they are hoping you will be none the wiser by the end of your login and experience with their fake mobile portal.
By doing this, they are making sure that you will not get alarmed, change your credentials or alert your bank to the scam.
They are playing the long game. At some point, when you least expect it, they will start siphoning money out of your account. They will take as much information as possible—your purchase history and behaviors—to be able to impersonate you in your digital life.
Why Text Messages?
Since mobile users are less likely to scrutinize SMS messages, and since mobile providers have not kept up with the anti-spam technologies implemented in email systems, you are less likely to even tell the difference between a legitimate and a malicious text.
On top of that, mobile sites do not display entire URLs, making it harder for you to even determine if the site that text is linking you to is legitimate.
Lots of banks have been impacted, several of which are in the US.
What if you click on the link in a malicious text?
If hooked, you will be prompted for information. You will probably be prompted to divulge answers to security questions like date of birth, credit card expiration date and account number, along with the standard username and password.
Before logging in, the criminal wants to get as much information as possible in order to log in from an unrecognized account. And if two-factor authentication is set up on that account, they want as much information about you as they can get to verify who they are via phone in case they are not able to bypass your bank’s security.
The bottom line: there is always a way in; some ways just take longer and are more tedious. In many difficult cases, a criminal will likely opt to move on to the next victim (cybercrime is very much a numbers game).
You may have already grown accustomed to texts from your bank
With increased use of multi-factor authentication for banking, you are probably already used to text messaging in banking. This added security has likely made your trust in bank texts a little higher than it should be.
Criminals are realizing that text messaging may be a good way of getting your attention and that it’s been an effective way of getting people to comply with their demands.
What to do the next time you get a text?
Treat texting like email. Revisit your phishing training in the context of texts. If someone is asking you to log in via text, reconsider clicking on that link. If someone you know is asking for information or money, give them a call at a number you trust. Just keep a skeptical eye on things that come into your inbox, whether email or texts.