Dr. Security gives tips and answers questions related to cybersecurity. This time it’s about receiving a suspicious SMS from the post and how to detect phishing (or smishing) attacks.
Question
Dear Dr. Security,
I received an SMS from DHL that says “Your parcel has been sent. Click on the following link to open your shipment tracking”. I am surprised, because although I regularly buy things online shipped through DHL, I believe that I am not currently expecting any packages, and I do not remember ordering anything online. I heard from some friends how lately phishing attacks are on the rise, also in the form of SMS, so I decided to reach out to you for advice. Is it safe to click the link? If it is indeed a phishing attack, what would happen if I click the link?
(Sofia, Bern)
Answer
Dear Sofia,
Realizing that you were not expecting a parcel and taking caution with regards to this SMS is indeed a great example of how to stay vigilant against phishing attacks. We are daily and constantly bombarded with various texts and messages, which increases the risk of us overseeing red flags in a moment of stress and thus falling for a phishing scam.
Phishing/Smishing: What Is It And Why Is It On The Rise
Phishing is a form of fraud that tries to trick people into revealing sensitive information or downloading malware. It usually involves email or SMS messages (in which case it is sometimes referred to as ‘smishing’) that appear to come from trusted sources to steal personal and financial data. On some other occasions, the SMS links may have you downloading malware. A recent and highly malicious example is the ‘flubot’, which has been a large concern for the protection of users’ financial data. The malicious malware targets particularly Android devices with the intention to steal online banking credentials. Read about what the flubot is, how it spreads so quickly, and how to detect it in our article here.
Lately, the number of SMS or parcel-related phishing attacks has especially been on the rise. This has mostly been driven by the COVID pandemic, as people spend more time at home and become accustomed with using web and delivery services to avoid leaving their houses. The success of SMS phishing attacks can also be attributed to the fact that they are more difficult to detect and that people are always checking their phones.
As a result, there is a higher chance that the SMS from the post that your parcel is shipped is a phishing scam and you should be extra vigilant when receiving such texts. The text message is designed to look like it comes from the delivery company, but it is actually an attempt to steal your personal information. One way that delivery services have tried to fight against scammers is by moving all parcel related communication to their personal applications. Consequently they have been abandoning all email and SMS communications, and help to increase the level of security and trust for their users.
Social Engineering is at the root of phishing attacks
There are a number of reasons why we still fall for phishing scams. Although phishing has been around for a long time and many of us may feel like we have heard this over and over again, we still fail to stay vigilant enough as phishing attacks become more sophisticated. Phishing scams use social engineering techniques to trick people into giving up their personal information or download malware onto their devices. Social engineering refers specifically to how attackers leverage human factors to target and extort their victims. You can read an extensive article on why chances are high that we fall for phishing scams and how social engineering comes into play in our article here.
What to do when you receive a suspicious SMS
We might receive a message that we were not expecting that may seem either interesting or urgent. However, it is important that you:
- Do not click on any links from suspicious messages, even if they portray urgency.
- Do not open any attachments.
- Do not download any applications.
- Do not forward the message to anyone else except for to report the message to a specific entity that deals with phishing threats (see below).
Instead, do the following:
- Ignore the contents of the message completely.
- Contact the service directly to either validate the message or to report it. For example, DHL has their own fraud awareness page that allows you to take the necessary steps to report an attempt or if you have been scammed.
- Block the sender if possible.
- Delete the message.
Did you already click on a suspicious link?
Since phishing attacks are becoming more advanced there is no reason to carry shame or blame yourself if you get caught in one. For example, if you have already clicked on a link in a message and only later realized that it might be a scam, then make sure to terminate your interaction as soon as possible and do not complete any fields. Make sure to never give out personal information or codes, or enter passwords. If you do, make sure to change your passwords for the given services immediately. At the slightest doubt of whether the request or the website is legitimate, do not continue. If any financial information was requested, contact your bank to notify them that you may have been a victim of a phishing scam.
In conclusion, today scammers are using advanced technology to rapidly send large amounts of SMS messages. They generate spoofed numbers that appear legitimate. Often these types of SMS do not require replies to be sent (as they simply encourage the reader to click links), hence they do not need to originate from real phone numbers, either. As a user, you might only see a legitimate name, such as DHL appearing as the company name. Although blocking these numbers is helpful, attackers can easily generate new messages from new numbers using the same screen name, making it an endless battle.
The best you can do is to continue vigilance as well as make sure that the services you use implement multiple factors of authentication. If they do not, you might consider an alternative service that cares more for your online security!
Best, your Doc
I am happy to answer your questions, so do not hesitate to write to the Doctor at: doctor@futurae.com
Learn more about Futurae’s FIDO2 solutions, or other fraud detection solutions. If you have questions or feedback, please let us know.