How Can SMiSHing Harm Legitimate Businesses?
Phishing, as we know, is a form of criminal activity. If a fraudster uses a business name, that company or business may become unpopular with potential customers. That is, if the company being targeted by phishers does not take action to clarify that it is not involved in or associated with recent phishing attacks, customers may lose faith in the business or even blame it for the phisher's actions.
Below are examples of SMiSHing attacks that I have received over the past few weeks:
The above message is from a service number. If I respond to the message with a "Yes", my account will be credited for the amount requested by the SMiSHer. Here's another example of a fake service message via SMS that contains a link to download a file which is infected:
Below is yet another example of SMiSHing that I received. This one used the company name "Power Root Sdn." (Sdn is an abbreviation for Sendirian Berhad, which means "private business" in the Malaysian language) in the message. The company Power Root may or may not exist, but the message announces that I won 20K and should call the provided number to claim the prize.
People who respond to the message or call the provided number will be prompted to provide their credit card number, mother's maiden name, birthday and other personal information, allowing the phishers to gain access to their accounts.
People who have not heard of SMiSHing might fall into the trap of revealing their identity or giving out private information such as credit card numbers, social security numbers, and other personal data. If victims realize that they are being phished via SMS messages, they might blame the other victim: the business or company whose name the fraudsters are using. Customers will become dissatisfied because the company did not alert them to potential fraud or scam messages using its business name. In some cases, an unsuspecting customer might believe that something good actually happened, e.g. winning money from the company that supposedly hosted a contest, and will try to claim the amount they think they have won. The company will then have to deal with the customer and explain that its business is not associated with the fake SMS message.