Scam texts impersonate major retailer
HEARING the message tone on my iPhone, I'm as excited as the next guy. But upon opening the text message, I'm left disappointed.
It's from Sophie. She wants to know if I'm single and to check out her profile.
The only problem is I don't have anyone in my contact book named Sophie. Ostensibly, it's some sort of "smishing" attack.
Like its more common e-mail counterpart, phishing, a smishing scam comes via an SMS and encourages you to click on a link that takes you to a compromised site, or gets you to unwittingly divulge personal information that a hacker could use against you.
A couple days later and this time it's "Woolworth" texting me to tell me to claim my free $500 voucher for the now curiously singular supermarket chain.
"With these SMS phishing scams we see a wide variety of sophistication," says Nick Savvides, a security specialist at digital security firm Symantec.
Because it's very hard for hackers to compromise Apple's closed environment mobile operating system, these are of the unsophisticated variety. They are often what's referred to as "social engineering" attacks, such as romance scams or the ever-suspicious offer of free money.
"They are usually designed to get you to sign up to services ... to give them enough information to scam you," Mr Savvides said.
If you click the link, you will likely be asked to fill out some personal information that could be used to further penetrate and gain access to your online accounts such as your e-mail or bank account.
Many of these scams include a way to get around two-factor authentication, typically by sending a text message to the target prompting them to reply with the necessary code.
In the past two years there has been a "huge increase" in the more dangerous variety of text message attacks that involve the subtle distribution of malware, Mr Savvides said.
Given the more open nature of Google's Android operating system, these are far more common on non-Apple devices.
"What we're seeing now is SMS phishing where you get a message and it looks very convincing, because everyone gets notifications now via SMS from their bank or from parcel delivery," he said.
When these messages are targeted at a person individually in conjunction with other information they know about them, such as the name of the bank they use, these attacks can be very convincing.
"For some reason, people trust their phones a lot more than they do their PC," Mr Savvides said.
Often they will try to masquerade as originating from a trusted organisation such as your e-mail service provider or, like the one above, a major supermarket.
The Woolworths name is often used by these types of hackers, but the supermarket giant says it would never send this type of message.
"Woolworths customers should always be aware of online phishing scams which imitate well-known brands to try and collect your personal information," a spokesperson said.
"(We) will never ask our customers for their personal or banking details in unsolicited communications."
When it becomes aware of these sorts of scams, the supermarket reports them to the ACCC's Scam Watch and will often post warnings to customers on its Facebook page.
Mr Savvides has worked in the personal cyber security field for 15 years and his advice to the public is simple: "Don't click the link, delete the message," and take the time to be aware, he said.
But with the ubiquity of these kinds of attacks on the rise, hackers are finding success.
"Nowadays we all know somebody who has had money taken from their credit card, their bank account stolen, their e-mail compromised, their Facebook account taken over," he said. "They're not dumb, they're actually victims."
He too has nearly fallen victim to a phishing attack, ironically right after giving a speech on cyber security.
"I spoke at a conference and I got an e-mail afterwards saying 'great presentation Nick, check out the coverage' and it was leading directly to a compromised site," he said. "It was very targeted. I would've fallen for that."