|
|
South Africa: SMS Phishing On the Increase
 |
|
|||||||||
|
||||||||||
Biz-Community (Cape Town)
3 July 2008
Posted to the web 3 July 2008
DR Pieter Streicher
Cape Town
Companies that communicate with their customers using SMS could leave those same customers wide open to phishing, the fraudulent attempt to collect personal or banking details. Companies need to ensure that their customers are made aware of the types of SMS messages they send out, and what, if any, information they might request via the SMS channel to reduce the risk of SMS fraud through phishing attacks.
Technology is used to protect people and companies against fraud but unfortunately it can also be used to assist fraudsters during a scam, especially when certain technologies are used widely among businesses to send communications. Increasingly, reckless communication practices by companies play into the hands of fraudsters. All it takes is one irresponsible communication that fraudsters can replicate and a company's integrity will be at risk and its customers' defrauded.
This is true for email where the most common techniques used to defraud people are phishing scams, an attempt to trick a person into revealing personal information such as credit card details or bank account information by sending an email with a fake web address or telephone number, and '419 scams', so named after the section of the Nigerian penal code that addresses fraud schemes, where a person is persuaded to advance relatively small sums of money in return for larger financial gain.
Due to the broad appeal of SMS for business communications, phishing scams now also target cellphone users by using an SMS to initiate a communication.
SMS phishing, or "smishing", occurs mainly when customers receive an SMS from what seems to be a reputable financial institution prompting them to call a telephone number due to a possible fraudulent transaction on their account. They are then requested to divulge their bank PIN number, or other personal details, on the pretence of changing their PIN to securing their account. The fraudster however is now able to access the callers' funds. Customers are a victim of the very fraud that they were trying to prevent when they were proactively following up on the SMS.
The communications conundrum
While SMS messaging can be used in many ways to make transactions safe and reliable, it requires the careful planning and the implementation by companies of suitable communication policies and procedures. Companies require a good understanding of the benefits of SMS in that messages are read immediately as people have cellphones with them all the time. Companies also need an understanding of SMS's weaknesses, in that messages are not encrypted and are easy to imitate.
Some banks even perpetuate the impression that it is acceptable to divulge your personal information via insecure electronic channels - as long as you provide it only to your own banking institution.
For instance, a South African private bank credit card guide encourages their clients to request electronic statements by emailing their name, credit card number, ID number and preferred email address to the email address or call the client care centre telephone number provided.
Not only is email an insecure means to send personal information but fraudsters can quite easily pretend to be your bank and imitate marketing material, emails and SMS communications. Phishing scams go so far to disarm customers by including the warning: "don't divulge your personal information to anyone but your trusted bank" in an email sent to a bank's client.
Then there are your typical SMS banking notifications telling you that someone has logged onto your Internet banking account. The bank's name is followed by: "Internet - confirmation of log on: Account number ending in ...5601: 26June08: 17h45: Helpline: 021 xxx xxxx". As SMS messages are plain text, it is very easy for fraudsters to imitate this message and include their own contact numbers in a message.
In addition, by sending you this message, you would suspect that someone has fraudulently logged onto your Internet bank account. You call the number displayed in the SMS thinking it's your bank's call centre, and there is someone on the line that asks you for all your relevant personal and account details and then offers to change your PIN to ensure the security of your account. At that point you have given all your account details and are now open to fraudulent activity on your account.
While it is easy to get caught up in the threat of SMS phishing scams, the most effective solution to combat this fraud is for businesses to educate their customers about the risks involved when responding to an SMS. Fraudsters rely to a large degree on the ignorance of people and the trust customers place in their bank or another reputable brand.
Tips for businesses
Only send out relevant information and never ask customers to provide sensitive information via insecure electronic channels such as e-mail or SMS.
|
When communicating with customer using SMSs, personalise the messages and include information that would not be available to phishers. This will enable customers to distinguish between legitimate and phishing messages.
|
| |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
| Make allAfrica.com your home page | RSS Feed | |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
| Top | Site Guide | Who We Are | Advertising | Search | Subscribe | |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
| Questions or Comments? Contact us. Read our Privacy Statement. | |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||
