Article by: Lea Ysabel Q. Evangelista and Sophia Catherine G. Reyes
Graphics by: Clark Vincent P. Constantino
People have come to rely on online platforms to carry out financial transactions as part of the new normal. As an additional layer of security, financial institutions send one-time passwords (OTPs) to their clients’ registered mobile numbers via Short Message Service (SMS) to verify that transactions are conducted by the clients themselves.
As such, cybercriminals have turned to SMS spoofing to take advantage of unsuspecting individuals.
SMS Spoofing: An Overview
SMS spoofing is defined as a technique that alters a sender’s information on a text message sent via SMS, particularly the mobile number, to their chosen alphanumeric text. With this, the ID of an SMS message is changed to what the sender wants it to be.
Although people tend to associate SMS spoofing with smishing, which is short for SMS phishing, these two have some differences. Unlike the former, SMS phishing leans more on tricking the receivers of the text message to download malware via text message or ask the potential victims to provide sensitive information, but the mobile numbers can remain unchanged.
On the other hand, SMS spoofing focuses on replacing the sender ID with a bank or any institution’s name to allow people to think that they are receiving messages from a legitimate source.
Different uses of the technique
Despite its negative connotation in modern cybersecurity, SMS spoofing has its legitimate uses, particularly by different companies, organizations, and other service providers, to send bulk messages and auto-responses to customers and clients. It may also be used by whistleblowers who wish to protect their identity in legal cases.
However, when cybercriminals employ SMS spoofing, the unsuspecting victim may receive a fake message from a well-known company, be scammed via fake money transfers, and even have sensitive information extracted from them once they believe that the message came from a legitimate sender.
Being secured from SMS spoofing
There are ways to distinguish legitimate messages from SMS spoofers and protect oneself from the latter. To start with, keep track of all transactions – both online and in-person. Report suspicious calls and messages directly to the indicated company and have one’s account reviewed.
As with all cybercrime schemes, SMS spoofers tend to present the victim with an offer that is too good to be true, and this is something one should keep an eye out for. Refrain from opening any links received via SMS as cybercriminals may employ a combination of spoofing and smishing on their attacks. It is also a must to keep in mind that most trusted organizations would never ask for personal details via SMS and it is best to verify the given information from the concerned company or organization before proceeding. Moreover, do not share the OTP to anyone and report the sender of the text message if they are asking for the OTP along with personal information.
On a related note, verify from and report to the relevant parties, should a suspicious message claim that it came from a familiar person or business.
Some spoof messages may also contain flaws in grammar; hence, checking these is a must. Companies are more likely to take extra steps in proofreading reminders and news for their clients. For colleagues, try to reply to their usual mobile number to be certain that they are the ones contacting you or reach out to them through other means.
As everyone is forced to take shelter for an uncertain amount of time, criminal minds find new ways to commit felonies. Being wary of ambiguous messages or calls will help to secure personal information and reporting these incidents will help in lessening potential victims of SMS spoofing in the future.
References: