Data, published by trade association UK Finance for security provider Proofpoint, shows that parcel and package delivery scams are now the most common form of ‘smishing’ attempts.
What Is Smishing?
Smishing is where an attacker sends a text/SMS message purporting to be from a reputable company, in this case, the Royal Mail or a parcel delivery company/courier service. The idea is that the recipient (who may be expecting a parcel delivery) is fooled into clicking on the link in the text message, and this either sends the attacker personal information (credit card number or password) or downloads a malicious program/malware to the victim’s phone. The malware can be used for snooping on the user’s smartphone data or sending sensitive data silently to an attacker-controlled server.
March – Big Month for Royal Mail-Related Phishing
Research results released in April (by Check Point Software) showed that March was the biggest month in 2021 for Royal Mail-related cyber phishing attacks with a 645 percent increase on the previous two months, equating to an average of 150 per week.
Now, More Than Half of Phishing & Smishing Attacks Are Parcel Delivery Scams
The new data shows that these kinds of parcel delivery scams now account for more than half of all reported text phishing, or ‘smishing’, attacks in the UK. For example, the new data shows that from 15 April to 14 July 2021, 53.2 percent of reported scam text messages were from attackers posing as postal delivery firms. Also, from 14 June to 14 July, parcel and package delivery scams accounted for 67.4 percent of all smishing attempts.
Driven By Pandemic
The increase in delivery-related smishing attacks has been driven by the big increase in online shopping that resulted from pandemic restrictions, bricks and mortar shop closures, and the need to stay at home.
How To Protect Yourself From ‘Smishing’ Attacks
Since smishing attacks basically rely upon human error (i.e. not being able to spot a smishing attack, or not reporting an attack once spotted so that others can be warned), one of the best ways to protect yourself is to know the signs of a smishing attack. Information to help you to detect and avoid becoming a victim of smishing includes:
– Financial institutions never send text messages asking for credentials or for money to be transferred. Credit card numbers, ATM PINs, and banking information should never be sent to anyone in a text message.
– Many smishing scam messages offer quick money (e.g. from winning prizes or collecting cash after entering information) and they sometimes use coupon code offerings.
– A message received from a number with only a few digits is a sign that it probably came from an email address, which is a common sign of spam/scams.
– Avoid storing any banking information on a mobile device (in case of malware).
– Be wary of any delivery-related text messages other than the standard day/time of delivery messages.
– If you receive a smishing text, to protect other users, send the message to your telecom’s number so that it can be investigated. Also, report such messages to Action Fraud (https://www.actionfraud.police.uk/).
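The warning signs listed above can be turned into a simple triage check for reported messages. The following is an added example (not code from the article, UK Finance or Proofpoint): it scores an SMS against the signs the article names (a sender with only a few digits, a link, a delivery theme combined with a payment request, a request for credentials, a quick-money lure, urgency wording). The keyword lists, weights, the threshold of 3, the sender-length cut-off of 6 digits and the sample messages are all this example's own assumptions, and the sample messages use the reserved `example.invalid` domain and the Ofcom drama number range so that no real service is referenced.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Heuristics mirroring the warning signs in the article. Keyword lists,
# weights and thresholds below are assumptions made for this example.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
DELIVERY_RE = re.compile(r"\b(parcel|package|delivery|courier|shipment|redeliver\w*)\b", re.I)
PAYMENT_RE = re.compile(r"\b(fee|charge|pay|payment|unpaid|customs)\b|[£$]\s?\d", re.I)
CREDENTIAL_RE = re.compile(
    r"\b(password|pin|card number|account details|verify your (?:account|identity)|login)\b", re.I)
LURE_RE = re.compile(r"\b(prize|winner|won|claim|coupon|voucher|cash)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|within 24 hours|final notice|suspended|will be returned)\b", re.I)

SHORT_SENDER_MAX_DIGITS = 6   # assumption: real mobile numbers have more digits
SUSPICIOUS_THRESHOLD = 3      # assumption: score at or above this is flagged

WEIGHTS = {
    "short_numeric_sender": 1,          # likely injected via an email-to-SMS gateway
    "contains_link": 1,
    "delivery_with_payment_or_link": 2,  # the parcel-fee pattern the article describes
    "asks_for_credentials": 2,           # banks never ask for these by text
    "quick_money_lure": 2,
    "urgency": 1,
}


@dataclass
class Verdict:
    suspicious: bool
    score: int
    flags: List[str] = field(default_factory=list)


def score_sms(sender: str, body: str) -> Verdict:
    """Score one text message against the smishing warning signs."""
    flags: List[str] = []

    # A numeric sender with only a few digits is a common sign of an
    # email-originated (spam) message; alphanumeric sender IDs are ignored here.
    bare = sender.strip().lstrip("+")
    if bare.isdigit() and len(bare) <= SHORT_SENDER_MAX_DIGITS:
        flags.append("short_numeric_sender")

    has_url = bool(URL_RE.search(body))
    if has_url:
        flags.append("contains_link")

    # Legitimate delivery texts give a day/time; a fee demand or link is the warning sign.
    if DELIVERY_RE.search(body) and (PAYMENT_RE.search(body) or has_url):
        flags.append("delivery_with_payment_or_link")
    if CREDENTIAL_RE.search(body):
        flags.append("asks_for_credentials")
    if LURE_RE.search(body):
        flags.append("quick_money_lure")
    if URGENCY_RE.search(body):
        flags.append("urgency")

    score = sum(WEIGHTS[f] for f in flags)
    return Verdict(score >= SUSPICIOUS_THRESHOLD, score, flags)


# Constructed sample reports (not real messages); numbers are from the Ofcom
# drama range and links use the reserved example.invalid domain.
SAMPLES = [
    ("+447700900123",
     "Your parcel will be delivered on Tuesday between 10:00 and 12:00. No action needed."),
    ("4721",
     "Royal Mail: your parcel has an unpaid £1.99 shipping fee and will be returned "
     "if not paid within 24 hours. Pay here: http://example.invalid/redeliver"),
    ("+447700900456",
     "Congratulations! You have won a £500 voucher. Claim your prize: http://example.invalid/claim"),
]


def triage(samples=SAMPLES) -> List[Verdict]:
    """Return a verdict per sample, in order."""
    return [score_sms(sender, body) for sender, body in samples]


if __name__ == "__main__":
    for (sender, body), v in zip(SAMPLES, triage()):
        print(f"{sender:>15}  suspicious={v.suspicious}  score={v.score}  flags={v.flags}")
```

The genuine day/time delivery notice scores zero, while the fee-demand message trips the short-sender, link, delivery-plus-payment and urgency checks at once. A scoring approach like this is only a triage aid for a reporting inbox; the human signs in the list above remain the primary defence.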
What Does This Mean For Your Business?
Driven by the pandemic-fuelled increase in online ordering by consumers, it seems that attackers are shifting their focus from impersonating financial services and banks to impersonating the Royal Mail and other delivery services and couriers. This shows that the threat ecosystem has evolved over the past year towards scams based very much on human error (e.g. smishing and phishing). Businesses have also been targeted with more (sophisticated) ransomware and business email compromise (BEC) attacks. This threat evolution indicates that businesses may want to explore a more people-centric approach to cybersecurity to reduce today’s risks and, if they haven’t done so already, adopt a ‘zero trust’ approach to their cybersecurity. Businesses need to realise that today’s attackers would much rather log in than hack in and are, therefore, favouring the types of attacks that fool their victims into giving up their information, rather than going through the complicated and time-consuming process of hacking in the ‘hard way’.