Text message scammers quietly prey on regional banks
IDG News Service - You get a text message from your bank telling you there's been suspicious activity on your account. You call the number on your phone to see what's going on, and before you know it, you're a victim.
Welcome to the next big thing in phishing.
Law enforcement and security experts say that for more than a year now, scammers have been using scam text messages to prey on small regional banks and their customers. And according to a report set to be released next Tuesday by Cisco Systems, the problem has only been getting worse in recent months.
"It's a serious problem," said Pat Peterson, a security researcher with Cisco.
Here's how the scam works. The criminals pick a bank -- say a credit union in Medford, Oregon -- then they bombard every phone in Medford's 541 area code with a phishing message sent by SMS (Short Message Service) telling the victims to call a fake 800 number that looks like it's from a local credit union. Because they're targeting a bank in the region, the bad guys have a pretty good chance of hitting real customers who may not have heard about the scam.
They use the open-source asterisk software to set up a fake voice-operated system and steal information when people enter their account numbers, passwords and other sensitive information to authenticate themselves on the system. When the criminals use this information to transfer money overseas, the banks take the loss.
By targeting regional banks, they scam has managed to stay somewhat under the radar and not attract a lot of attention, said Nick Newman, a computer crimes specialist with the National White Collar Crime Center. Big banks have large security teams set up to tackle this type of fraud, but with a regional institution such as a credit union, "their entire IT team for the bank might be only five people," he said.
Another problem for the banks is that the scam subverts one of the main techniques that banks and security experts have been trying to drill into their customer's heads for years now, Newman said. "We always say, 'If you have any questions, call your bank, or they'll call you.' Well SMS is pretty close to calling your bank. It gets to the point where it's like, 'What do we tell people to do now?'"
The criminals have been going through the country credit union by credit union, bank by bank, Peterson said.
"It's working pretty well for them," he added. "It's a pretty innovative technique."
Sometimes it works exceptionally well, in fact. When Medford's Bank of the Cascades was hit with the attack in May this year, the scammers got more than they bargained for, according to Detective Sergeant Kevin Walruff with the Medford Police Department. "I've spoken with people that gave their personal information and aren't even customers with Cascades bank," he said. "They actually called that number and provided information."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts