The Spanish bank Caixabank and The Catalan Cybersecurity Agency have alerted the public to a new smishing and spoofing scam. The fraud involves sending SMS messages impersonating the bank, indicating that customers must verify their identity following the unauthorized linking of their accounts to another device.
Smishing is a technique in which cybercriminals send SMS messages to users, pretending to be a legitimate entity (in this case, the bank), with the aim of stealing private information or making payments without the user’s knowledge. In this case, the Catalan Cybersecurity Agency recently discovered a campaign involving SMS messages (in Spanish) that warn that a new device has been linked to the bank account and request the customer verify it through a link leading to a fraudulent website.
“In this way, the cyber-attackers try to scare users into thinking that someone has attempted to access their bank, prompting them to react quickly and share their banking details to prevent the intrusion,” Caixabank explains. The smishing scam is quite common when involved with bank and tax-related text messages; in the US, for instance, the FBI has issued a warning about an increase in SMS and text message scams reported by its Internal Revenue Service.
Combining smishing with spoofing
This scam, through which cybercriminals seek to obtain users’ banking details to access their money, is combined with the technique of spoofing or identity theft, as explained by The Catalan Cybersecurity Agency. This means malicious agents impersonate the entity to deceive victims and obtain information. Additionally, as the communication presumably comes from the bank, cyber attackers attempt to scare users into reacting quickly and sharing their banking details. The Catalan Cybersecurity Agency has reminded that banking entities never request personal or financial changes through text messages or emails. They also don’t notify people via SMS or phone calls about unauthorized access.
Caixabank suggests, “if you have received a message like this, delete it and alert your contacts about this scam.” “This is one of the strategies most used by cyber fraudsters to deceive,” Caixabank notes.
Nonetheless, smishing is only one of the common “mishing” tactics used by fraudsters. Mishing involves the targeting of mobile devices and users via email, text message, voice call, or even QR codes for malicious actions that exploit various weaknesses within mobile environments, including unsafe user behaviour as well as minimal security on most mobile devices. Other types of mishing scams are vishing (fraudulent voice calls) and quishing (malicious QR codes).
What to do if you have been scammed?
If you believe you’ve fallen victim to this scam, or a similar one, and have provided your banking details, it is suggested to act immediately. First, contact your bank and inform them so they can take measures to protect your account. Moreover, it is recommended that you change your passwords and update the access credentials for your online banking and any other accounts that may be compromised. Additionally, you can report the fraud to police authorities.
