Bank of Ireland is to reimburse customers who lost money to scammers through a ‘smishing’ cyber fraud campaign that inserted fake texts into genuine interactions between the bank and account holders.
But what exactly is smishing? How does it work? And what do you need to guard against? Here’s a quick guide to the fraudulent activity.
1. How does smishing work?
Smishing attacks can be either crude or sophisticated. In the case of Bank of Ireland and AIB, the fraudsters managed to insert their criminal texts into legitimate text conversations between the banks and their customers.
Security experts say that this isn’t easy to do and sometimes involves manipulation of SMS services called ‘gateways’ that are often commercially used by big companies. But global security experts have been warning about such vulnerabilities in SMS delivery systems for years.
Once the criminal has entered a pre-existing text chat, the fraudulent text will ask the customer to click on a link, usually by claiming that their card or account has been frozen or that there is some other type of problem that needs quick attention.
2. Is this the same as ‘spoofing’?
They’re related. ‘Spoofing’ is where you make it seem that an email address, phone number or web address is someone else’s - typically that of a legitimate business.
Unfortunately, this is very easy to do at a low level on the internet, ranging from so-called ‘prank’ services such as Spoofbox, Deadfake and Anonymailer to much more sophisticated bespoke systems.
Anyone with even a cursory knowledge of programming can also get in on the act with a few simple lines of code. In about 10 minutes, it’s possible to send someone an email purporting to show the email address of almost anyone - private or public - you choose.
3. Are smishing attacks obvious?
Often they are not. Misspelled text messages (or emails) throw up obvious red flags right away. But others, framed in typical banking language and terminology, may not be as clearly fake.
And it is especially hard to spot if it’s part of what appears to be a pre-existing text conversation.
4. Don’t banks often say they’ll never ask you to click on something in an email or link?
Not quite: this is also a big part of the problem. Banks sometimes ask you to click on links in emails or texts. It might be a survey, for example.
Furthermore, financial institutions also sometimes call customers and, before clearly establishing their own bona fides, ask customers for personal details for “security” or “data protection” reasons. The banking customer experience is full of contradictions when it comes to security principles.
5. How can you guard against smishing attacks?
Most legitimate services will never text or email you with just one or two lines and a link. Even if they do (they’re not supposed to), don’t hit the link — contact them back using another means.
In other words, look up their website or phone number to make sure they sent it to you. If you’re unsure, copy one of the phrases from the text and google it — if it’s a scam, there’s a reasonable chance your Google result will confirm as much.
A foreign number (represented by a + before the number) is also a telltale sign, as are bad spelling and grammar.
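The warning signs listed above (a short message carrying a link, a foreign number prefix, urgent claims about a card or account) can be turned into a simple triage check. The script below is an added example and is not code from the article or from any bank; the red-flag list and the sample messages are constructed assumptions modelled on the scam patterns described on this page, with an Irish (+353) number treated as domestic.

```python
import re

# Constructed sample messages, modelled on the scam patterns the article
# describes (frozen-card texts, parcel-fee texts). None are real captures.
SAMPLES = [
    {"sender": "+447700900123",
     "text": "Your card has been frozen. Verify now: http://example.test/verify"},
    {"sender": "AnPost",
     "text": "A parcel is being held. Pay EUR2 to release it: http://example.test/parcel"},
    {"sender": "+353871234567",
     "text": "Hi, running 10 mins late, see you at the cafe"},
    {"sender": "BOI",
     "text": "Your statement for March is now available in the app. No action is required."},
]

# Matches explicit http(s) links and bare domains such as example.ie/path.
URL_RE = re.compile(r"https?://\S+|\b\w+\.(?:com|ie|net|org|test)\b/?\S*", re.I)
# Assumption: a small hand-picked list of the urgency wording scam texts tend to use.
URGENCY = ("frozen", "suspended", "held", "verify", "immediately", "urgent", "locked")
# Assumption: Irish context, so only a non-+353 international prefix counts as foreign.
DOMESTIC_PREFIX = "+353"


def smishing_flags(sender: str, text: str) -> list[str]:
    """Return the list of red flags a message trips; an empty list means none."""
    flags = []
    if sender.startswith("+") and not sender.startswith(DOMESTIC_PREFIX):
        flags.append("foreign number prefix")
    has_link = bool(URL_RE.search(text))
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # The article's rule of thumb: one or two lines plus a link is suspicious.
    if has_link and len(lines) <= 2:
        flags.append("short message with link")
    lowered = text.lower()
    if any(word in lowered for word in URGENCY):
        flags.append("urgency wording")
    # A link combined with talk of cards, accounts or payment is the classic lure.
    if has_link and re.search(r"\b(?:card|account|bank|pay|pin|iban)\b", lowered):
        flags.append("link plus banking/payment request")
    return flags


def triage(messages):
    """Score every message and return (sender, flags) pairs for review."""
    return [(m["sender"], smishing_flags(m["sender"], m["text"])) for m in messages]


if __name__ == "__main__":
    for sender, flags in triage(SAMPLES):
        verdict = "SUSPICIOUS" if flags else "ok"
        print(f"{sender:15} {verdict:10} {', '.join(flags)}")
```

A message that trips one flag is not proof of fraud (a legitimate survey text can carry a link), but any hit is a cue to apply the article's advice: do not tap the link, and contact the organisation through a number or website you look up yourself.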
6. What kind of other scams are doing the rounds in Ireland?
There’s a regularly recurring fake text message purporting to be from Ros.ie, claiming that a “tax return” is ready to be claimed. There are also scam texts labelled ‘An Post’ claiming that ‘a parcel is being held’ and asking you for €2 plus your bank details to release it.
Then there’s the fraudulent WhatsApp drivers’ licence scam where criminals try to get you to contact the National Driver License Service (NDLS) through WhatsApp to apply for or renew your driving licence at a cost of €200.
There’s even a fake contact-tracing app text around, saying: “Someone who came into contact with your tested positive or has shown symptoms for Covid-19 and recommends that you self-isolate”. It then asks you to click the scam link.