Smishing in banking: 3,50,000 frauds happen daily via SMSs

Did you realise that SMS click-through rates are a staggering 20 per cent, compared to email’s 3-5 per cent? This disparity has made SMS a prime target for smishing attacks, with an average of 350,000 incidents occurring daily. But why are these attacks so prevalent, and how can we defend against them? What tactics do cybercriminals use to lure their victims, and who are the primary targets?
What does your SMS inbox look like? The usual flurry of texts: appointment reminders, discount codes for your favourite stores, utility bills, travel updates, and more. Amidst this, one message stands out: a seemingly official notification from your bank that prompts you to confirm recent transactions. In reality, it has not come from your bank at all.
Now, that is what we call a smishing text message.
Smishing refers to phishing attacks that use SMS as their medium. Attackers pose as legitimate organisations and trick people into giving away confidential and sensitive information, leading to financial losses, identity theft, and more.
What do Smishing attacks look like?
Impersonating legitimate organisations, smishing messages can take the form of a fraudulent transaction confirmation, an account lockdown alert, an ATM card renewal, a loan approval offer, an insurance policy renewal, an investment opportunity, a salary/payroll update, loan repayment assistance, and so on; the list is practically endless.
But why a number as high as 3,50,000 per day?
“With the widespread adoption of mobile devices for financial transactions, attackers have shifted focus towards targeting mobile users through smishing. This shift is driven by the prevalence of smartphones and the convenience they offer for banking activities,” said Shrikrishna Dikshit, Partner - Cyber Security, Nangia & Co LLP.
Individuals who do not own smartphones can also be preyed upon via text messages asking them to share confidential information, which widens the vulnerable population further.
“Attackers may also gather personal information from publicly available sources such as social media profiles, online directories, and public records. Information can also be obtained by attackers for a modest sum from various sources which have acquired customer data for legitimate purposes but are selling that data for a fee,” remarked Shrikrishna Dikshit, Partner - Cyber Security, Nangia & Co LLP.
And sometimes phishing precedes smishing
“Phishing attacks via email or other online channels may precede smishing attempts. In phishing attacks, individuals are tricked into providing personal information through fraudulent emails or websites that impersonate legitimate entities,” added Shrikrishna Dikshit of Nangia & Co LLP.
How do smishing attacks compare between different demographics?
Digital literacy is the governing factor when analysing which segment of the population is more likely to fall prey to a smishing attack.
“According to Google, Millennials and Gen-Z internet users (18-40 year olds) are most likely to fall victim to smishing attacks (23 per cent) compared to 19 per cent of Generation X internet users (41-55 year olds). Users with supposedly high-income levels are 50% more likely to be targeted by smishing attacks,” noted Dikshit.
How should the BFSI institutions mitigate smishing?
- Implementing multi-factor authentication (MFA) to enhance security and verify user identity, reducing the risk of compromised accounts.
- Conducting extensive security awareness campaigns to educate employees and customers about smishing tactics and how to recognise and report suspicious messages.
- Deploying advanced threat detection solutions, including email and SMS filtering, anomaly detection, and behavior analysis, to detect and block smishing attempts in real-time.
- Collaborating with telecommunications providers and industry partners to share threat intelligence and coordinate response efforts.
- Ensuring compliance with regulatory guidelines issued by bodies such as RBI and NPCI to strengthen cybersecurity measures and protect customers from fraudulent activities.
- Monitoring and analysing SMS traffic patterns to detect anomalies and block suspicious messages before they reach users’ devices.
- Investing in anti-phishing and anti-spoofing technologies to identify and block fraudulent messages effectively.
- Promoting the use of official banking apps and websites to educate customers about the risks of smishing and encourage secure banking practices.
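The SMS filtering and traffic-monitoring items in the list above are easy to state and harder to picture. The following is an added example, not code from the article or from Nangia & Co LLP, of the kind of rule-based first pass a bank's messaging team might run on inbound or outbound SMS before anything reaches a customer. The sender IDs, domains, keyword lists, score weights and sample messages are all constructed assumptions for the example; a real deployment would use the bank's own registered sender IDs and domains and would feed the scored output into a proper anomaly-detection pipeline rather than stopping at a fixed threshold.

```python
import re
from dataclasses import dataclass

# Constructed allow-lists: the sender IDs and web domains a hypothetical bank
# actually uses. These values are assumptions, not any real bank's data.
TRUSTED_SENDER_IDS = {"EXBANK", "EXBNK"}
TRUSTED_DOMAINS = {"examplebank.com"}

# Indicators commonly seen in smishing texts: a link, pressure to act fast,
# and a request for secrets a bank would never ask for over SMS.
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent|within 24 hours|blocked|suspended|locked)\b",
    re.IGNORECASE,
)
CREDENTIAL_RE = re.compile(
    r"\b(otp|pin|cvv|password|card number|net ?banking)\b", re.IGNORECASE
)
BANK_CLAIM_RE = re.compile(r"\bbank\b", re.IGNORECASE)


@dataclass
class SmsMessage:
    sender: str  # alphanumeric sender ID or phone number
    body: str


def _host_is_trusted(host: str) -> bool:
    """True if the host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return host in TRUSTED_DOMAINS or host.endswith(
        tuple("." + d for d in TRUSTED_DOMAINS)
    )


def score_message(msg: SmsMessage):
    """Return (score, reasons); a higher score means more smishing indicators."""
    score, reasons = 0, []

    # A message that talks about "the bank" but comes from an unregistered
    # sender is the classic impersonation pattern.
    if msg.sender not in TRUSTED_SENDER_IDS and BANK_CLAIM_RE.search(msg.body):
        score += 2
        reasons.append("bank impersonation from unregistered sender")

    # Any link that does not point at the bank's own domains.
    for host in URL_RE.findall(msg.body):
        if not _host_is_trusted(host):
            score += 2
            reasons.append(f"link to untrusted host {host.lower()}")

    if URGENCY_RE.search(msg.body):
        score += 1
        reasons.append("urgency language")

    if CREDENTIAL_RE.search(msg.body):
        score += 2
        reasons.append("asks for credentials")

    return score, reasons


def classify(msg: SmsMessage, threshold: int = 3) -> str:
    """Block messages at or above the threshold; everything else passes."""
    score, _ = score_message(msg)
    return "block" if score >= threshold else "allow"


# Constructed sample traffic: one genuine alert, one smishing attempt, and one
# unrelated promotion that should not be blocked just for containing a link.
SAMPLE_MESSAGES = [
    SmsMessage("EXBANK", "Rs 1,250 debited from a/c XX1234 on 12-Mar. "
                         "Details at https://examplebank.com/txn"),
    SmsMessage("+911234567890", "Your bank account will be blocked within 24 hours. "
                                "Verify KYC and OTP at http://examp1ebank-kyc.com/verify"),
    SmsMessage("AD-PROMO", "Flat 30% off this weekend. Shop now at https://shop.example.net"),
]


def triage(messages):
    """Score and classify a batch; returns a list of (sender, decision, score, reasons)."""
    results = []
    for m in messages:
        score, reasons = score_message(m)
        results.append((m.sender, classify(m), score, reasons))
    return results


if __name__ == "__main__":
    for sender, decision, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{decision:5} score={score} sender={sender} reasons={reasons}")
```

The weights are deliberately crude; the point is that a single indicator (a link, a promotional tone) is not enough to block, while the combination of an unregistered sender, a lookalike domain, urgency and a request for an OTP crosses the threshold comfortably. In practice the per-message scores are also what you would aggregate per sender and per hour to spot the traffic-pattern anomalies the list mentions.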
As Dikshit mentions, research conducted by Google suggests that enabling 2FA can block up to 99.9% of automated attacks, including those initiated through phishing attempts, which may include smishing.
Return on Investment for BFSI Institutions
Dikshit explains that implementing advanced smishing detection and prevention technologies in BFSI organisations yields significant returns on investment across various fronts. By reducing fraudulent transactions, improving operational efficiency, enhancing customer trust and loyalty, and ensuring compliance with regulatory standards, these technologies offer tangible benefits. Through streamlined incident response processes, increased customer satisfaction, and effective regulatory adherence, BFSI institutions can safeguard their assets, reputation, and customer relationships.
Published in Economic Times