The Defence Works is continually watching out for scams that come in, both to our own network and the wider world. When we saw this text message in a tweet, we knew immediately that it was part of a SMiShing campaign.
Mobile phishing, or SMiShing, is a form of phishing in which, instead of emails, fraudsters use text messages or messaging apps, like WhatsApp, to trick users into clicking links or downloading mobile apps.
A Not So Cute PUP (Potentially Unwanted Program)
This week’s Breaking Scam is a mobile text message SMiShing campaign. The sender displayed as ‘BTMobile’. One of the issues with mobile texts that scammers exploit is the fact that a fraudster can configure the name of the sender to be anything they want. The ‘details’ in a text are minimal; you cannot confirm if the sender is legitimate or not.
The message itself was brief: a ‘billing issue’ meant that the recipient had to confirm their details.
This type of message is typical in a scam. It is meant to make the recipient worried enough to click a link.
Instead of clicking the link, we analysed the URL. It came back as containing a PUP or “Potentially Unwanted Program”. A PUP is not quite malware, but not far off. The software behind a PUP often requires consent to install and run. PUPs cross the fuzzy line between annoying marketing pop-up and privacy breach. A report by Symantec found that in 63% of cases, even consented PUPs leaked personal data from a mobile device to the person(s) behind the PUP.
To give you an idea of why software PUPs are not cute or cuddly, this is a list of what often occurs once a PUP is installed:
- Slow performance (PC)
- On a mobile device, an app may be installed that causes your battery to drain
- Annoying pop-ups on your screen/in app
- Browser homepage set to an unknown page
- New toolbar items installed on your browser without your knowledge
- Data leaks
We did not delve further into the URL, but it is likely that the page would have encouraged a PUP download in the form of a mobile app and may also have attempted to gather login credentials.
According to a survey from Cofense, the vast majority (74%) of phishing is an attempt to steal login credentials. There are two main things to remember when dealing with SMiShing (and email phishing):
- Do not click on links in text messages – navigate to the site directly, or contact the legitimate company to double-check any concerns
- If you do click, DO NOT enter any login credentials. Only log in to online accounts by navigating directly to a company website
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit, copy/paste the advice below:
BT Billing SMiShing Scam
If you receive an SMS text message from “BTMobile”, be very cautious. This is likely a SMiShing attempt. The message contains a malicious link that could steal login credentials and encourage a mobile app download. The app will likely be a Potentially Unwanted Program or PUP. These apps can leak personal data and drain your mobile battery.
For more information on what to do if you receive a phishing email, check out “What to Do if You Click on a Phishing Link?”