In our last post, we analysed the clickbait in phishing emails. In this article, we look at the second part of cyber safety: vishing and smishing.
Vishing is voice phishing: the tactics by which sensitive information is obtained over phone calls. Smishing is short for SMS phishing: an ordinary-looking SMS carries a hook that snares the victim and leads them to share sensitive information. The prevalence of this phenomenon led to the creation of the series Jamtara – Sabka Number Aayega, which dramatised some true stories.
Often, the fraudster poses as a person with some authority – from the bank, the government, the police, the workplace, etc. – and the victim is convinced that it is right to share the information. People may be wary of a stranger calling with such authority, but on other occasions greed or fear leads to the error. Let us look at some examples.
Vishing – Case 1
Mani put up a car for sale on an online website. He posted a few nice pictures of his car along with the expected sale price, and his phone number. Later in the day, he got a call.
“This is Colonel Rajendran. I am an ex-army officer, now in civil service after 18 years in the army. As an army man, I like dealing with honest people, so I am happy that you have posted about the small accident you had. I am keen to purchase it.”
Mani was very happy. He asked the Colonel to come over and check out the car.
The Colonel said, “For sure, I will do so. But I want to reserve the car. Hence, I want to pay you a token amount up front. I will transfer Rs 50,000.”
On the Colonel’s request, Mani shared the bank details to transfer the money.
While still on the call, the Colonel transferred Rs. 100 to Mani. “It was a trial transaction. I will now transfer the Rs 50,000”, he said, keeping Mani engaged on the call. A little later, he told Mani, “Since the amount is a bit high, the bank wants me to share a QR code for your authorization. I will share it on your email, and you can scan it with your banking app”.
Mani shared his email, and in a moment he received the QR code via an email from col_rajendrann. Following the Colonel’s instructions, Mani opened his usual mobile banking app and scanned the QR code. “I am approving it”, he told the Colonel. As soon as he had approved it, the call was disconnected. Mani then noticed an SMS that his account had been debited Rs 50,000.
Note the fraudster’s modus operandi. He builds trust by posing as an ex-army officer and appealing to Mani’s honesty, and he keeps Mani distracted with conversation while he sends the QR code. What did Mani miss? If you have paid using a QR code in a shop, you will have noticed that the code identifies the entity receiving the money and may embed the amount as well. The QR code is scanned by the person who pays, not by the person who receives the money! That small detail would have alerted Mani.
Vishing – Case 2
Payal got a call in the afternoon. “Hi, this is Surya from xxxx.com. Am I speaking to Payal Sharma?” Payal confirmed. Surya’s voice was very enthusiastic, “We recently held a lucky draw for our regular customers. I am happy to say you are one of the lucky winners! One amongst 10 lac! The prize is a gift coupon worth Rs 20,000! Congratulations!” Payal was very excited. She had never been so lucky before. Surya said, “I need to verify a few details to ensure that we are indeed sending it to the right Payal Sharma. Can you confirm your first name, last name, and your address?” Payal did so.
Surya then said, “Our database says that you have used a Credit Card for your purchases. Can you confirm the card details? Your card number, expiry and CVV should match our records”. Payal went ahead and shared that as well.
Surya said, “Thank you for your patience. All the details have verified OK. I am now going to initiate the process for the dispatch of the gift card. You will receive an OTP, once you confirm the same, the delivery will be completed.”
The next second, Payal received an OTP. She opened it; her eyes registered Rs 20,000 and xxxx.com. She read out the OTP.
Surya said, “Thank you. The gift card is on its way!” and cut the call.
Immediately after that, Payal noticed that her account had been debited by Rs. 20,000.
Note the modus operandi. The fraudster dangles the carrot of a free voucher, appealing to basic greed. Again, the fraudster keeps her distracted and creates a sense of urgency to share the OTP. In the process, Payal does not pay full attention to the OTP message.
Here is a typical OTP one may receive for transactions:
Note the specific mention that it is for a transaction, i.e. a purchase, and that the purchase is at merchant MMM. It also explicitly asks the user not to share the OTP.
Smishing – Case 1
It was the month of March, and there had been many reminders asking for PAN numbers to be linked with Aadhaar. In the last week of March, Dinesh received an SMS:
Dinesh was alert. He recognized this as a Smishing attempt. What did he see?
He checked that the SMS had been sent from the phone number 079854xxxxx. A bank will never send messages from a personal phone number. By regulation, such messages have to be sent using a registered sender identity, so you will see the sender shown as VM-AxisBk or AD-SBI, etc.
He noticed that the language was not refined and had errors. Most importantly, Dinesh was sure that the bank would never solicit such KYC information on its own; KYC does not get “suspended”. He ignored the SMS as a fraud message and carried on.
Smishing – Case 2
In the same period, Paul got an SMS:
Paul was cautious, but curious. He called the customer care number listed. He heard the usual recorded message that AAA Bank played. Then an agent picked up. “Hi, thank you for calling AAA Bank. This is Sunita. How may I help you?” When Paul asked about the message he had received, Sunita told him “Let me check”, and after a pause she said, “This is quite common, so the bank has created an app to help customers. I will share a link with you. You can download the program and do the KYC details yourself”. The call ended, and Paul received a link on his mobile.
At this point, Paul became suspicious and decided to check further. The SMS had come from the phone number 63834xxxxx, so it was not a genuine message from the bank. Wisely, he chose not to click on the link.
This is an example of a clever, two-step attempt to get victims to download malware onto their devices. The malware can then capture a lot of sensitive information and relay it back to the fraudster.
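As an added example (not code from the original post), here are the checks Dinesh and Paul applied, together with the OTP-message check from the vishing section, written as detection logic run over constructed sample messages. The registered-header pattern (two letters, a hyphen, then a short sender ID, as in VM-AxisBk or AD-SBI) and the pressure-word list are assumptions of this example, not a regulatory specification, and the sender numbers and links are placeholders.

```python
import re

# Assumed pattern for a registered commercial-SMS header such as "VM-AxisBk" or "AD-SBI":
# two capital letters, a hyphen, then a short alphanumeric sender ID.
REGISTERED_HEADER = re.compile(r"^[A-Z]{2}-[A-Za-z0-9]{3,9}$")
# A bare subscriber number (optionally with country code) is not a registered header.
PHONE_NUMBER = re.compile(r"^\+?\d{10,13}$")
LINK = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Pressure wording typical of KYC-style smishing; a genuine transaction OTP carries none.
PRESSURE = ("kyc", "suspend", "block", "update your", "click", "within 24")


def triage_sms(sender: str, body: str) -> dict:
    """Return the reasons an SMS looks like smishing (an empty list means none found)."""
    reasons = []
    if PHONE_NUMBER.match(sender):
        reasons.append("sent from a phone number, not a registered header")
    elif not REGISTERED_HEADER.match(sender):
        reasons.append("sender is not in registered-header form")
    lowered = body.lower()
    hits = [p for p in PRESSURE if p in lowered]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))
    if LINK.search(body):
        reasons.append("contains a link")
    return {"suspicious": bool(reasons), "reasons": reasons}


def otp_transaction_details(body: str):
    """Extract (amount, merchant) from an OTP message that states its purpose.
    Returns None when the message does not say what the OTP authorises, which is
    exactly the case where the OTP should not be read out to anyone."""
    if not re.search(r"\b(purchase|transaction|payment)\b", body, re.I):
        return None
    amount = re.search(r"Rs\.?\s*([\d,]+)", body)
    merchant = re.search(r"\bat\s+([A-Za-z0-9][A-Za-z0-9.]*[A-Za-z0-9])", body)
    if not (amount and merchant):
        return None
    return int(amount.group(1).replace(",", "")), merchant.group(1)


# Constructed sample messages (not real traffic); sender numbers and links are placeholders.
SAMPLES = [
    ("07985412345", "Dear customer your KYC is suspend. Update your PAN today https://example.com/kyc"),
    ("VM-AxisBk", "123456 is OTP for purchase of Rs 20,000 at MMM. Valid 10 min. Do not share OTP."),
    ("AD-SBI", "Your a/c is blocked. Click www.example.org/verify to restore"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body), otp_transaction_details(body))
```

The second sample is the only one that passes both checks: a registered header, no pressure wording or link, and an OTP that names the purchase amount and merchant for the reader to compare against what they actually intended.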
Higher level of Security with 2FA and MFA
Two-factor authentication (2FA), as used in India, provides a second line of defence even when certain sensitive information is compromised. 2FA brings two elements together:
* Something you know: e.g. a password, PIN, credit card details, etc.
* Something you have: e.g. the mobile device where the OTP gets delivered, or a chip card in your hand
Thus, even if card details etc. are shared, the authorization is incomplete unless the transaction OTP is also shared.
Stronger authentication mechanisms include “something you are”, e.g. biometrics, so that no one else can impersonate you. Other factors include location and time.
Multi-factor authentication (MFA) uses two or more factors to further strengthen security.
Be(a)ware!
There are many other examples – impersonating your friend, fake job portals, fake tech support, fake COVID testing / vaccination sites, fake loans, fake insurance offers – the list of frauds is long. But luckily, we have a short list of precautions!
Whether it is phishing, vishing, or smishing, remember that:
* Fraudsters play on your psychology: greed or fear
* They speak with authority, with a practised ease that wins your confidence, and create a sense of urgency
* They entice you to share the second element of the 2FA, the OTP, which completes the transaction.
Remember
* Scan a QR code only when you want to pay a merchant
* Check the OTP message to confirm it was triggered by your own action, such as a purchase or registration. Never share an OTP with anyone
* If in doubt, check directly with your bank or the said authority
* Set your transaction limits to contain the loss in case of any such event
* If you do face such a situation, report it to the nearest Cyber Crime Police Station and to the National Cyber Crime Reporting Portal at https://cybercrime.gov.in
Image Credits
www.whatismyipaddress.com
blog.credo.com
www.kaspersky.com
www.avatier.com