Big brands, government agencies, and even the names of family members are being used as bait in text message phishing scams targeting Australians.
Kmart is the latest brand to be embroiled in a text message scam, with police warning shoppers to be on the watch for dodgy text messages.
The fraudulent SMS tells recipients they have won a prize, and asks them to pay a small fee to access it.
In a creepy development, the criminals behind the con are even including the names of recipients’ family members as a way to gain trust and increase the scam’s appearance of legitimacy.
“Attention Kmart shoppers! This is one Kmart hack you don’t want to know about,” NSW Police posted on Facebook on Tuesday.
The police described it as a “classic SMS scam that tries to trick people into giving out their personal details”.
“Some scam SMS will even contain electronic viruses that can compromise a phone’s security,” they said.
They advised recipients of the text message to delete it immediately.
Chris Dawson, a threat intelligence expert at cybersecurity firm Proofpoint, said it was “important Australians remain vigilant and aware of these types of attacks”.
“SMS phishing targeting consumers is on the rise, and cyber criminals are introducing new techniques to increase its effectiveness,” Mr Dawson said.
Text message scammers increasingly employ “sophisticated social engineering tactics to convince recipients of the message’s authenticity”, he said.
“The sophistication of this latest scam is particularly noteworthy as the hoax uses real names of family members and close friends,” Mr Dawson said.
Text message scams exploit a current vulnerability in many smartphones, which, unlike email accounts, are unable to filter spam messages.
“Because there are no commercially available, inbound filtering products for SMS like those that exist for email, attackers have discovered sending text messages can be highly effective for directing users to fraudulent websites and tricking users into handing over their banking credentials,” Mr Dawson said.
“This gap in defence is compounded by the small screens of mobile devices, which make it difficult to determine whether websites are fake, as well as the immediacy normally associated with SMS-based communications.”
Simply clicking on a link contained in a fraudulent text message can jeopardise a smartphone user’s cyber security.
“Even if recipients become suspicious when asked for their credit card details, attackers already have a phone number and access to an associated email account,” Mr Dawson said.
“For many providers, this is enough data to port the phone number away from the original provider and take control of a victim’s online identity.”
Many victims of such scams also enter credit card data, allowing the attackers to “rack up credit card charges and steal victim identities”, Mr Dawson said.
He advised smartphone users to “treat unsolicited text messages with extreme caution”.
JB Hi-Fi, ATO, Aus Post used as bait in phishing attacks
JB Hi-Fi, the Australian Tax Office (ATO), and Australia Post are just some of the high-profile brands impersonated by cyber criminals in recent text message scams.
Last week, Australia Post warned customers about a fraudulent text message purporting to be from Australia Post.
“The SMS claims that we are having problems delivering an item, and asks for a payment to retrieve your package,” Australia Post said.
“This SMS has not come from Australia Post and is a phishing scam. Please do not click any links or make any payments.”
Taxpayers have also been baited with fake tax refunds from scammers pretending to be the ATO.
“To make the message appear real, scammers may use technology that makes it appear in your legitimate ATO message feed,” the ATO said.
“The ATO does not have an online ‘Tax Refund’ form or website and we will never send an email or SMS asking you to access online services via a hyperlink.”
In the lead-up to Christmas last year, shoppers were targeted with text messages promising prizes.
JB Hi-Fi was forced to warn customers to ignore a text message from “JB” telling them they had won a prize in the company’s Christmas prize draw.
If you receive a text from “JB” telling you took the Xth place in our Christmas’ prize draw please ignore it, it is a SCAM & has no affiliation with JB Hi-Fi.
Do not click the link or provide any details or information to the website it may lead you to.
Stay Safe!
— JB Hi-Fi (@JBHiFi) December 20, 2018
Consumers who believe they have lost money to a scam can report the incident to the Australian Cybercrime Online Reporting Network.