We’ve become used to getting email-based scams for some time. The original 419 email scams, so-called because the offence is detailed in section 419 of the Nigerian legal code, are for the most part very easy to spot these days as they follow the same modus operandi. Rich widow of a dictator, dying philanthropist, benevolent banker – the stories haven’t changed over the years – they are fanciful, easy to verify and simply too good to be true. However, fraud through email scams, or “phishing”, continues to rise. What has changed is the sophistication of the emails, the detail that the fraudsters go into to create their traps for innocent victims. However, it hasn’t just been the growth in phishing that has been worrying the authorities.
A new generation of smartphone users now favour message-based communication such as WhatsApp, SnapChat, Direct Messaging via Instagram and texting rather than using email. That has seen the fraudsters adapt their approach and targets, where sophistication is significantly less. Whereas emails need to look authentic, using HTML-based email templates, branding and styles, text-based messaging does not. As long as the call to action, normally a URL to click, has the relevant keywords in it somewhere, then people will believe it.
The last year has seen a massive increase in the number of these text-based scams, known as “smishing”, with fraudsters looking to take advantage of our home-bound situations such as deliveries as well as Covid-related situations such as testing and access to the vaccines. Examples of URLs include royalmail.parcel-ref212.com, lloyds-confirm-account.com and halifax.secure-personal-login.com where a well-known brand is included in the domain name string to make the URL look authentic.
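The pattern in these URLs can be checked mechanically: what matters is the registrable domain at the right-hand end of the host name, not where the brand name appears. The following Python sketch is an added example, not part of the original article; the allowlist of official domains and the short suffix list are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> registrable domains the brand really uses.
# Verify these against the brand's own published domains before relying on them.
OFFICIAL = {
    "royalmail": {"royalmail.com"},
    "lloyds": {"lloydsbank.com"},
    "halifax": {"halifax.co.uk"},
}

# Constructed, minimal suffix list; real code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}


def registrable_domain(host):
    """Return the label directly left of the public suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lure(url):
    """Return (brand, registrable_domain) when a brand keyword appears in a
    host name that the brand does not own, otherwise None."""
    if "//" not in url:  # links in text messages often omit the scheme
        url = "//" + url
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    for brand, owned in OFFICIAL.items():
        if brand in host and domain not in owned:
            return brand, domain
    return None


if __name__ == "__main__":
    samples = [
        "royalmail.parcel-ref212.com",          # from the article
        "lloyds-confirm-account.com",           # from the article
        "halifax.secure-personal-login.com",    # from the article
        "https://www.halifax.co.uk/login",      # constructed legitimate URL
    ]
    for url in samples:
        print(url, "->", brand_lure(url) or "no brand mismatch")
```

A brand keyword in a subdomain (royalmail.parcel-ref212.com) or inside a hyphenated label (lloyds-confirm-account.com) is flagged the same way, because in both cases the registrable domain is not one the brand owns.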
One more recent, high-profile scam has focused on requesting a small amount, in many cases £2 or less, for postage on a parcel that is due for delivery. By asking for such a small amount, potential victims believe it is a genuine request – most of us have increased our online shopping and have pending deliveries. What harm does paying such a small amount cause? Actually, at the most extreme end of cases, almost everything you own, as this story proves.
However, one of the main consequences of interacting with any smishing attempt is that it verifies that the mobile number is valid. Criminals buy mobile numbers in bulk on the dark web and send out these fraud attempts en masse. However, any “live” number becomes more valuable to be sold on to other scammers, which is why you should never engage with any text messages that you may receive, whether that is by following the call to action via the URL or replying to the text message.
Once fraudsters have a live mobile number then they can take their attempts to defraud to the next level, “vishing”, which is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Vishing scams play on fear. Whilst phishing and smishing tend to play on victim confusion, such as using typosquatted domain names within a URL, or revealing usernames and passwords on a convincing fake website, vishing attempts to scare victims into acting. A common example, one that I received myself just a few days ago, went along the lines of an automated voice telling me:
“Your National Insurance number has been used in a financial fraud on the border of North Wales. Press 1 now to speak to a fraud investigator to confirm that it wasn’t you. Failure to press 1 now will result in an arrest warrant being issued and you being summoned to court to face serious criminal charges”
Not nice. Similar calls will use the subject of tax fraud, bank fraud or that your car has been involved in a hit and run. The call to action is always the same though – “Press x to speak to an operative/agent/police/investigator now”. By pressing the key, the call is transferred to a real-life operative who will then go through a script to try to get you to reveal personal and financial details that they will claim are to verify your identity “so that you won’t be charged/arrested” but in reality, as with the case highlighted in the BBC report, will be used to defraud victims to the maximum extent.
Whilst some may be tempted to play along with the fraudsters, attempting to engage with them for sport, the best course of action is to hang up on the numbers and block them on your phone, although in most instances they will be using unregistered SIM cards that will be destroyed or never used again. You can also report the numbers to the mobile network providers by sending details of the number used to 7726.
Technology means that vishing attempts will become more sophisticated over time, just like phishing emails have progressed from the original 419-style attempts. Whilst they will become more believable over time, it is vital that we all take a few seconds if we do receive a suspicious call, and if it doesn’t feel right then ignore it.