For a few months now, a series of SMS messages that impersonate legitimate entities, a technique known as smishing, has been detected. On this occasion, the messages impersonate various banks and services and claim that our account with them has been deactivated.
Scams and social engineering schemes are always evolving, looking for new formulas to draw victims into their nets. They generally rely on emergency situations and alerts so that the victim acts less cautiously.
The deactivated account scam
Emergency situations are often one of the greatest assets for cybercriminals who use social engineering scams. These situations can catch the victim off guard and make them more likely to take the bait.
ESET Spain
@ESET_ES
🚨 #phishing alert! 🚨 Sending SMS impersonating @caixabank trying to steal access credentials and verification code to steal money from accounts. Don’t bite! https://t.co/JHfTxO5xT9
May 12, 2021 • 10:40 AM
The fraudulent SMS text messages begin with “We are sorry to inform you that your account has been deactivated. For your safety, we ask you to complete the following verification [link]”.
In reality, this is a phishing scam (called smishing when it arrives via SMS). The link leads to what looks like a page of the impersonated bank, but it is a fake website (web spoofing) whose sole objective is to capture your personal data.
After entering the identification code and password, clicking on “Enter” takes you to a page where the user is asked for their electronic signature. When entering the signature and clicking on “Accept”, the telephone number is requested. Once entered, it requests that you enter the SMS code that has just been supposedly sent to the telephone number provided.
At this point the process appears to hang, but by then it is too late: the attackers have all the relevant data they need to steal money from your accounts or make purchases with your money.
How to avoid falling for a smishing scam
As a general rule, be wary of any alarming message that has an urgent tone or contains misspellings or grammatical errors. If you receive one, never respond to it or click on the links it contains.
In general, it is advisable to carefully review any link received via SMS and check whether it includes strange words or characters. When in doubt, never open it, and resort to official channels such as your online banking to check whether there is any type of alert. If the link is shortened, which makes it difficult to tell whether it is legitimate, you can use services like Unshorten, which return the real link hidden behind Bitly or similar.
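The link review described above can be automated for triage. The following Python sketch is an added example, not part of the original article: the official-domain and shortener lists are assumptions, and the sample SMS combines the wording quoted earlier with a made-up link.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed, illustrative lists: replace with the domains your bank publishes.
OFFICIAL_DOMAINS = {"caixabank.es"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
URL_RE = re.compile(r'https?://[^\s\]»”"]+', re.IGNORECASE)

# Constructed sample: the wording quoted in the article plus a made-up link.
SAMPLE_SMS = ("We are sorry to inform you that your account has been deactivated. "
              "For your safety, we ask you to complete the following verification "
              "https://caixabank-verificacion.example/login")

def is_official(host):
    """True only for an allow-listed domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def review_link(url):
    """Return the warning signs found in one link (empty list = none found)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["link cannot be parsed"]
    if not host:
        return ["link cannot be parsed"]
    flags = []
    if host in SHORTENERS:
        flags.append("shortened link hides the real destination")
    if "@" in parts.netloc:
        flags.append("'@' in the address: the real host is " + host)
    if not host.isascii() or "xn--" in host:
        flags.append("non-ASCII or punycode characters in the host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if not is_official(host):
        if any(d.split(".")[0] in host for d in OFFICIAL_DOMAINS):
            flags.append("bank name used inside a non-official domain")
        flags.append("domain is not on the official list")
    return flags

def review_sms(text):
    """Map every link found in an SMS body to its warning signs."""
    return {url: review_link(url) for url in URL_RE.findall(text)}
```

An empty list only means none of these signs were found; it does not prove the link is safe, so the official channel remains the place to confirm any alert.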
INCIBE offers a series of recommendations to avoid falling into the cybercriminals' trap:
- Do not open messages from unknown senders or that you have not requested; delete them directly.
- Do not reply to these SMS at any time.
- Be careful when clicking on links, even if they are from known contacts.
- If the SMS has a link that redirects you to download an app, do not download it under any circumstances. Applications sent via SMS link are usually infected with some kind of malware.
- If you have any doubts, consult directly with the entity involved through its official channels.
If you have unfortunately already fallen for a scam of this type, these are the steps to follow, also according to the National Institute of Cybersecurity:
- Contact your bank immediately to report what has happened and cancel any transactions that may have been made.
- If you have also provided personal data, such as your phone number or email, stay alert and check that you are not targeted by other types of fraud through these channels and that nobody is impersonating you.
- You can also report this situation to the State Security Forces and Bodies (FCSE).