Nearly 4,000 customers of major North American banks fell victim to a phishing scheme between June 2019 and January 2020. The phishers used SMS text messages to target bank customers, sending them a false security alert that led them to a phishing page.
There were more than 200 phishing pages associated with the attack, each designed to look like a legitimate mobile banking login page. The mobile phishing campaign targeted customers at more than 12 banks, including Chase, Royal Bank of Canada, Scotiabank and TD Bank.
When prompted, users would enter sensitive information such as their account numbers, usernames and passwords. They also supplied information that could help phishers hack other accounts, including date of birth, answers to security questions and credit card expiration dates.
During the seven-month phishing campaign, 3,900 unique phone users logged into one of the phishing servers. Some users clicked on the link and entered no information, or only partial information, before realizing it was a scam.
Mobile phishing campaigns have proven more effective than desktop or email campaigns. Users are less likely to scrutinize the information presented on a smaller screen. On mobile, it is hard to see the complete URL, let alone double-check that the link includes “https://”.
Mobile users are also more likely to click on a link while on the go rather than at their desks, where they know to expect phishing. With two-factor authentication becoming more prevalent, users are used to receiving texts from the bank.
Some tips to help you avoid mobile phishing include:
Only use official apps. If you receive an alert from an institution, log in to your account without clicking the link and see if you can determine whether there is an issue.
Use secure browsers. Check that you have secure settings on your mobile phone browser that help you to identify malware and phishing sites. Google Chrome for Mobile is a good example.
Download antivirus software. Just as you can on your desktop, you can also add antivirus software to your phone.
One of the best defenses against mobile phishing is awareness. Phishing scams continue to get more sophisticated, so it’s important to stay on top of the latest methods. Keep your family and your employees informed so that they can keep their personal information protected as well.
IDMI often sends you emails but will not send you texts. If something looks suspicious, please do not open it. Contact us to learn more about how you can protect your business from phishing attacks.