Phishing Attacks on Telco Customers Grow
New Schemes a Gateway to Account Takeovers
Phishing attacks targeting telecommunication companies' customers, which result in account takeovers, are on the rise, according to the Federal Bureau of Investigation and the Internet Crime Complaint Center.
The schemes involve using automated telephone calls, or vishing, and SMS texts, or smishing, to lure customers to phishing sites that replicate telecommunication companies' sites, requesting the victims' log-in credentials and the last four digits of their Social Security numbers. Once access is gained, the fraudsters make changes to the customer's account and may place orders for mobile phones, the FBI says.
Al Pascual, senior fraud analyst at Javelin Strategy and Research, says that while credit card accounts were, by far, the most common targets for account takeovers in 2013, mobile/utility accounts were targets in 29 percent of takeovers last year, up from 9 percent in 2012.
"Fraudsters will take control of a consumer's account to run up unauthorized charges and add additional services for their own use or to resell to others," Pascual says. "Or they can take over a phone account to reroute calls meant for the legitimate consumers, from their financial institution, for example, to further other fraud schemes."
The Internet Crime Complaint Center, also known as IC3, first released an advisory about the telco scams in May 2013. Since then, the attacks have increased, the FBI says. Victims have reported receiving SMS texts with similar phishing messages encouraging them to go to websites to claim a reward. The links send victims to a phishing site to receive a credit, discount or prize ranging from $100 to $2,500.
The reward amounts mentioned in recent fraudulent messages have increased to make the offers more enticing, the FBI says.
An example of a fraudulent URL used in the scams, authorities say, is: www.my[insert phone company name]900.com. "Other fraudulent websites may contain words such as MyBonus, ILove, ILike, Reward, Promo, or similar words, along with a telephone company's name," the FBI and IC3 say.
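The URL patterns the FBI and IC3 describe above (a carrier's name combined with a lure word such as Reward or Promo, or the my[carrier]900 form) lend themselves to a simple triage rule a carrier's abuse team or a corporate SMS gateway could run. The following is an added example, not code from the article or from the FBI/IC3; the brand names, their legitimate domains and the SMS bodies are constructed placeholders, not real carriers.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Lure words the FBI/IC3 advisory says appear next to a carrier's name
LURE_WORDS = ("mybonus", "ilove", "ilike", "reward", "promo")

# Constructed brand names mapped to their known-good domains (placeholders,
# not real carriers). A real deployment would load these from an allowlist.
BRANDS = {
    "examplephone": {"examplephone.com"},
    "samplemobile": {"samplemobile.net"},
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; SMS links often omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_legitimate(host: str, brand: str) -> bool:
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRANDS[brand])


def classify_url(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Verdicts: legitimate, suspicious, lookalike, unknown."""
    host = host_of(url)
    for brand in BRANDS:
        if brand not in host:
            continue
        if is_legitimate(host, brand):
            return ("legitimate", brand)
        # Host carries the brand name but is not a brand domain. Flag it as
        # suspicious when it also carries a lure word or the my<brand><digits>
        # form cited in the advisory; otherwise record it as a lookalike.
        if any(w in host for w in LURE_WORDS) or re.search(rf"my{brand}\d+", host):
            return ("suspicious", brand)
        return ("lookalike", brand)
    return ("unknown", None)


# Loose matcher for bare or scheme-prefixed links inside SMS text
_URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def triage_messages(messages: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Extract every link from each SMS body and classify it."""
    results = []
    for msg in messages:
        for url in _URL_RE.findall(msg):
            verdict, brand = classify_url(url)
            results.append((url, verdict, brand))
    return results


if __name__ == "__main__":
    # Constructed sample SMS bodies in the style the advisory describes
    sample_sms = [
        "Claim your $500 credit at www.myexamplephone900.com now",
        "Your bill is ready: https://my.examplephone.com/account",
        "Promo for loyal customers: http://examplephone-reward.net/claim",
    ]
    for url, verdict, brand in triage_messages(sample_sms):
        print(f"{verdict:11} {brand or '-':13} {url}")
```

The allowlist check runs before the lure-word check on purpose: a genuine carrier promotion hosted on the carrier's own domain (for example a "promo" path under examplephone.com) should not be flagged, while anything that borrows the brand name on a domain the carrier does not own is at least a lookalike worth a human look.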
The IC3 urges consumers to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. "If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the phone numbers that appear on your account statement to contact the business."
Addressing the Problem
Avivah Litan, fraud analyst at the consultancy Gartner, says vishing and smishing attacks are picking up now because users are less aware of these approaches to fraud.
"Attackers are trying to use methods consumers aren't as educated on," she says. "Consumers have been educated pretty well on e-mail [phishing]. But they haven't been educated on phone calls and SMS messages, so fraudsters are more likely to get a positive response."
Fraudsters' strategy of posing as telecommunications providers is "good social engineering," Litan says, because users would expect calls or texts from those companies.
For banks, these new fraud operations targeting telco customers are tougher to track, she says. "Criminals were using bank brands [for their phishing schemes], and the banks could look for attacks using their brand names and take them down," Litan says. "In this case, the criminals are not leveraging bank brands, but are going after bank information, so banks are at a loss at how to stop consumers from giving data that enables criminals to steal money from banking accounts."
Pascual says that, unfortunately, a wide variety of industries continue to rely on consumers' Social Security number as a means of authentication.
"Once the Social Security number is lost, it cannot be replaced, with rare exceptions, and that exposes all of their financial accounts, utility accounts, and others to a potential lifetime of unauthorized access," he says.
"Organizations need to improve their call center authentication to move beyond the Social Security number to alternatives such as voice biometrics or phone line authentication to prevent this issue from getting any worse," Pascual says.