Social messaging is the new frontier for phishing

Register now

As technology adapts, so does fraud. The rise of social media messaging and platforms is a new way for criminals to exploit customers, to gather data for fraudulent use and steal as much as possible. While phishing is nothing new, its rate of adaptation is something we should all be aware of.

Phishing is social engineering designed to steal sensitive data from an unsuspecting user. This usually takes the form of an email – the most famous of these being the “Nigerian Prince” scam, more officially known as an advance-fee scam.

The premise is the same regardless of name. The fraudster will engage and offer an enticement – usually a share of a large fortune or an amazing special offer. The fraudster will then attempt to gain sensitive data from the customer, such as a bank account number or social security number.

And the fraudster either takes over an account and starts spending the stolen money, or the fraudster will take out loans and credit cards using the victim’s details.

Via email, these scams are now incredibly recognizable, and the security functions on most major email providers ensure that these emails get sent straight into a junk folder. This means that fraudsters are adapting and using alternative methods to gain sensitive data. One such channel is social media messaging applications.

Mobile phones are one of the most important commodities in the modern world. It is often the first thing people look at in the morning, and the last thing they look at before going to sleep. The way mobile phones are now being used also show the differences in the way modern fraudsters operate.

Vishing (voice phishing) was a large threat during the rise of mobile phones, with a crackdown on auto-dialers and more advertisements warning of the risks of potential scam artists. But the number of calling minutes has drastically reduced in recent years – in fact in 2017 there were 6 billion calling minutes in the U.K., compared to 151 billion in 2016. Texting and messaging platforms are exploding in use. The WhatsApp messaging service, for example, is now on 71% of U.K. phones, which is huge for a service that only began to take off eight years ago.

This growth comes with its own issues. WhatsApp's primary users, consumers in the 16-35 age bracket, signal a potential new market for fraudsters. While most of this age group will have been warned about sharing sensitive information, such as bank account numbers, credit card numbers, social security and national insurance numbers, there has been less warning surrounding the growing threat to their mobile phone accounts.

Phishing on social media messaging services often follows the same premise as many email scams, with similar steps. The fraudster will engage and offer an enticement – “I can pay your phone bill, you just need to pay me 75% of what you normally pay, and I’ll pay the rest." The crook will then attempt to get sensitive data from the customer – “I don’t need a bank account, just your full name and phone number.”

The difference is this isn’t the typical “sensitive data” that consumers have been warned about sharing in the past. Most of us are willing to give out our phone number to friends, family, even delivery people. We might include our mobile number on social media or an email signature, so we are usually comfortable sharing this level of information with a potential stranger.

Many mobile phone billing websites often use a name and number as login details. By taking a user's full name and mobile phone number, fraudsters may be able to access a payment portal. While some portals require an additional password, they can usually be reset at a bank branch office. Many branches should request photo ID to do this, but some may not ask for it when all you are doing is requesting a new SIM card or resetting an online password, potentially creating an opening for fraudsters.

There are typically two things that happen next. The first is the most basic and is simply credit card testing. Criminals often test credit cards before using them in earnest, especially if the fraudster cannot 100% verify where the card's origin. Testing usually involves a low-value, low security transaction, enabling the fraudster to see whether the card details get declined or not. Major areas of card testing include small charitable donations, small grocery purchases and more recently, mobile phone credit top-ups.

Attitudes toward fraud in this industry are only really starting to become apparent for the ordinary consumer. Because of this, it can mean that various corporations may not have the fraud prevention strategies in place for the full spectrum of customers, so mobile phone bill payments and top-ups may have lower-security thresholds for purchases. This allows the fraudster to go through a list of stolen cards one by one, making low value transactions, and testing whether they can at least pass the basic security checks. Once they pass those checks, they will go elsewhere for high-value purchases. This can cause issues for the genuine customer, particularly if a card is rejected, which can trigger higher fees and penalties down the line.

For reprint and licensing requests for this article, click here.
Payment fraud Phishing Mobile banking Retailers ISO and agent