• Lisa Baergen, Director of Marketing at NuData Security


• 12.02.2016 10:45 am
undisclosed

“Smishing”, a twist on the “phishing” scam, is an old scam that evolves each time new technology comes along. When banks started offering telephone services, fraudsters would impersonate a bank and call customers  with criminal intent. As banks moved to providing online services and apps, fraudsters started emailing customer statements, fake websites popped up and phishing emails started to make the rounds. These SMS smishing scams are taking advantage of the consumer’s push for more mobile-friendly and innovative ways to communicate and interact with their financial institutions. With this specific wave of smishing attacks, hackers fool customers into downloading their malware by posing as a legitimate, unrelated app. The malware then takes over a legitimate SMS communication between the customer and their bank to socially engineer the customer into giving away their PII information and access their account.

Fraudsters know that it is generally easier to take over an account by phishing, spear phishing (targeting an individual) or smishing, than to open a new account using a real or stolen credentials, which is why account takeover (ATO) is alarming and, as we’ve been saying, on the rise. 

It only makes sense, that account takeover (ATO) has become a new favourite fraud tactic. So as we hear of yet another example of real customers being scammed of their hard-earned funds, it is just another blazing example underscoring the need for financial institutions to move away from PII as the relied-upon authentication method. With the overabundance of stolen data, access to full identities are prevalent and cheap, meaning it cannot be relied on for authentication purposes. Customer education can help reduce the number of times this scam is successful, but we shouldn’t rely only on placing that burden solely on customers and account holders. 

If your bank can't distinguish between legitimate users and fraudsters, even with valid credentials, it’s time to they move away from static data to protect accounts, and move to behavioural analytics for authentication.  User behaviour analytics observes and understands how the user behaves. Behavioural analytics looks beneath the surface of matching usernames, passwords and other means of authentication such as one-time SMS, to truly understand user behaviour. These behaviour patterns reveal details that fraudsters can’t fake despite their best efforts.”