Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.
The fake SMSes were believable enough, except for the link you were asked to click:
(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees
The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud:
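To make that concrete, here is an added example (not code from the original article or from Sophos) that pulls the link out of the SMS quoted above and separates the part of the hostname that somebody actually had to register from the labels they were free to invent. It assumes o2.co.uk is the genuine O2 domain and uses a tiny hand-written list of two-level suffixes in place of the full Public Suffix List; the scam domain stays redacted as xxxxxxx.com, exactly as the article prints it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the SMS quoted in the article (the scam domain was
# already redacted to xxxxxxx.com by the article's author).
SMS_TEXT = (
    "(O2): We haven't received your recent bill payment, please update your "
    "details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees"
)

# Multi-label public suffixes. Assumption for this example: a production
# checker would load the full Public Suffix List instead of this short set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

URL_RE = re.compile(r"https?://\S+")


def registrable_domain(host: str) -> str:
    """Return the part of the hostname somebody had to register (eTLD+1).

    For o2.uk.xxxxxxx.com that is xxxxxxx.com; everything to the left of it
    is a subdomain the registrant can name however they like.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str, brand: str, expected_domain: str) -> dict:
    """Classify one URL against the brand it claims and that brand's real domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain, e.g. ["o2", "uk"].
    prefix = host[: len(host) - len(reg)].rstrip(".")
    subdomain_labels = prefix.split(".") if prefix else []
    brand = brand.lower()

    if reg == expected_domain.lower():
        verdict = "genuine-domain"
    elif any(brand in label for label in subdomain_labels) or brand in reg:
        verdict = "lookalike"  # brand name present, but not as the domain owner
    else:
        verdict = "unrelated"

    return {
        "url": url,
        "host": host,
        "registrable_domain": reg,
        "subdomain_labels": subdomain_labels,
        "verdict": verdict,
        # Query parameters on scam links often carry a per-recipient tracking token.
        "query": parse_qs(parts.query),
    }


def check_sms(text: str, brand: str, expected_domain: str) -> list:
    """Find every URL in an SMS body and analyse each one."""
    return [analyse_url(u, brand, expected_domain) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # o2.co.uk is assumed here to be the genuine domain the message imitates.
    for r in check_sms(SMS_TEXT, "o2", "o2.co.uk"):
        print(f"{r['url']}\n  host:       {r['host']}\n  registered: {r['registrable_domain']}"
              f"\n  verdict:    {r['verdict']}\n  query:      {r['query']}")
```

Run against the quoted SMS, the registered domain comes out as xxxxxxx.com and the brand name only appears in the subdomain labels, which is the telltale the article is pointing at: the hostname has to be read from the right-hand end, not the left.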
As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…
…but with a fake server name in the URL in the address bar.
As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.
Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.
The crooks will then typically do one or more of these things:
- Try your username and password right away to see if they work. Assume that the crooks will try out the data you just entered immediately.
- Try the same password on other accounts of yours. This is called credential stuffing, and it’s the main reason why you should never use the same password on two different accounts. Even if you have different usernames on other sites, assume that the crooks already know which usernames match up.
- Sell on your password, and any other data you gave away, to other crooks. Assume that any phished data will soon be circulating widely in the cybercriminal underground. Even if the original crooks don’t have a plan to abuse it, someone else surely will.
Could this lead to “instant bank fraud”?
As you can see from the list above, it’s theoretically possible that getting your mobile phone account password hacked might give the crooks a way in (or at least a hint of a way in) to your bank account too, especially if you used the same password on your banking site as elsewhere.
However, if all you did was to click through, realise you were being tricked, and get out of the fraudulent web page right away, without typing in anything at all…
…then you are almost certainly OK.
The crooks may be able to track that you were sucked into the very first stage of the scam because you visited the link – a lot of scams include a tracking code in the link to keep tabs on who clicked and who didn’t, just like legitimate marketing companies do.
But if you just looked at the page and didn’t put in your password, then you got out in time, and there is little reason to think that you could be the victim of “instant bank fraud” as a result.
When scams become hoaxes
Sadly, you may have heard otherwise via social media.
There are people out there – often they’re well-meaning individuals, but sometimes they seem to be pranksters or troublemakers – who will take phishing scams like the one just described and exaggerate them into hoaxes that they share on social networks.
That’s what seems to have happened this week.
One of the most searched-for articles on Naked Security this week has been one we wrote about back in March 2020, entitled “Instant bank fraud” warning spread on WhatsApp is a hoax:
The bad news is that this hoax has returned, apparently on the back of the SMS scam messages we mentioned above, and it seems to be getting forwarded plentifully on WhatsApp and elsewhere, as noted by the UK government’s Action Fraud team:
We are aware of a rumour circulating via WhatsApp, SMS and social media which references @CityPoliceFraud claiming that bank customers are being targeted by the #smishing scam below.
The content of this message is false. pic.twitter.com/eLVM4tnYEi
— Action Fraud (@actionfrauduk) November 10, 2020
Straight from the City of London fraud team - Extremely sophisticated scam going about, involving all banks. You get a message saying a payment hasn't been taken. [...] As soon as you touch it your money is gone. [...] Pass this on to everyone please. [...] Thousands flying out of peoples accounts! Spread the word to your family and friends!
As you can see, there’s a thin veneer of not-entirely-impossible technical theory in the above message, namely that just viewing a scam page might somehow implant malware on your computer and that this malware might somehow target your banking password.
But malware infections merely from viewing a booby-trapped web page are very rare these days, and even if this happened to you, the chance that any malware would instantly be able not only to figure out your banking password and login to your account but also to drain your account in one go…
…well, that’s extremely unlikely.
In fact, it’s so unlikely, and would be so dramatic, that if it were to happen it’s reasonable to assume that cybersecurity websites and banks everywhere would be proclaiming it in great detail, explaining how it worked, and advising you on what to do.
Hoaxes live long lives
This time, there are some tiny alterations to the original hoax, such as adding more mobile phone providers’ names, but otherwise the new version of this hoax is almost identical to the one that we wrote about in March 2020, carrying the same fake news with the same fake “details” added.
Once again, the hoax deliberately, but untruthfully, claims legitimacy by insisting at the start that the City of London Police fraud team was the source of the information.
Even though the City Police have previously tweeted that they did not issue any such warning, the mere mention of officialdom in the first words of the text has given this hoax a long-running air of credibility that it does not deserve.
What to do?
- Don’t spread discredited stories online via any messaging app or social network. Do your homework. There’s enough fake news around at the moment without adding to it.
- Don’t be tricked by claims to authority. Anyone can write “the police announced this”, but that doesn’t tell you anything useful. In this hoax, what the police actually announced was that they didn’t announce it.
- Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, thinking that if it turns out to be true they will be glad they shared it, but if it turns out false, no harm will have been done. But you can’t make someone safer by “protecting” them from something that doesn’t exist or by giving them “advice” that offers a false sense of security.
Yes, you should pick proper passwords; yes, you should use 2FA, especially for email or banking logins; no, you should never use the same password twice; and no, you should never log in on a sign-in page you reached via a link in an SMS or email.
But the real lesson here is that we all need to do our bit to stop fake news like this from getting traction it doesn’t deserve.
We owe it to our friends and family to stop them getting suckered into watching out for cybersecurity attacks that aren’t going to happen, thus saving them time to take action against attacks that are.
In this case, you need to spread the word to your family and friends NOT to spread the word to their family and friends!
John Knops
The advice to “never login on a sign-in page you reached via a link in an SMS or email” is sound advice, but many legitimate businesses send out SMS messages that say “your payment is due. Click here to see your account”, which then leads you to their home page to sign in. How are we to know whether it’s a fraud, or should we just not use the convenience of being sent on to their site? I, personally, find 2FA quite frustrating. The phone companies in Canada won’t allow the same phone number on two cellphones, like the old-fashioned extensions. My iMac is in a room upstairs and my phone is downstairs where I spend most of my time. It means running down to get the 2FA code and then hoping and praying that I can get back to input the code before it expires or I have to start all over again. Clicking straight through and entering my password, which is stored by my browser (is it really secure?), is the convenience that computers were designed for. Can’t the security experts devise a way of making that process secure?
Paul Ducklin
If you can manage with the downside of never using login links in SMSes – a small but not enormous hassle – then you will avoid all fraudulent SMS links together with genuine ones… it’s a question of just how much you think the inconvenience adds up to, I guess.
Many 2FA systems allow you to use a code-generating app to produce your login codes instead of SMSes (Sophos Intercept X for Android has a code generator built in).
So it is possible to seed two phones to generate the same sequence of codes. I wouldn’t recommend it (it means one more place where the seed could get stolen) but you can do it if you want to have two phones that will unlock one account. Some services also allow you to add more than one phone number and then choose which one will get the SMS at login time.
Or you could just stick your phone in your pocket whenever you go upstairs :--)
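The point in the reply above about seeding two phones with the same secret follows directly from how TOTP works: the code is a deterministic function of the shared seed and the current time (RFC 6238 on top of RFC 4226), so any device holding the seed, legitimate or not, produces the same sequence. The following is an added example, not code from the comment thread or from Sophos; the two "phones" and their base32 seed are constructed for the demonstration, and the `verify` window of one step either side is a common server-side choice, assumed here rather than taken from any particular service.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class Phone:
    """Constructed stand-in for an authenticator app holding one enrolled seed."""

    def __init__(self, name: str, base32_seed: str):
        self.name = name
        # Enrolment QR codes carry the seed base32-encoded; the app stores the raw bytes.
        self.seed = base64.b32decode(base32_seed, casefold=True)

    def current_code(self, now: Optional[int] = None) -> str:
        return totp(self.seed, int(time.time()) if now is None else now)


def codes_match(phones, now: int) -> bool:
    """True when every device in the list shows the same code at time `now`."""
    return len({p.current_code(now) for p in phones}) == 1


def verify(seed: bytes, submitted: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current step or `window` steps either side.

    The window is what gives a user a little slack to walk the code from one
    room to another; it is an assumed value here, not any provider's setting.
    """
    counter = now // step
    return any(
        hmac.compare_digest(hotp(seed, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed seed: base32 of the RFC 6238 SHA-1 test key "12345678901234567890".
    shared_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    upstairs = Phone("upstairs", shared_seed)
    downstairs = Phone("downstairs", shared_seed)
    now = int(time.time())
    print("upstairs:  ", upstairs.current_code(now))
    print("downstairs:", downstairs.current_code(now))
    print("same code: ", codes_match([upstairs, downstairs], now))
    # Whoever holds the seed can do the same, which is why it is one more thing to protect.
    print("accepted 20 s late:", verify(upstairs.seed, upstairs.current_code(now), now + 20))
```

Because the only secret is the seed, copying it to a second phone does not weaken the algorithm, but it does double the number of places from which that seed can be stolen, which is the trade-off the reply describes.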
Michael
If an SMS from a business is sending you a link to account info, like a statement or a bill, just visit that business’s website directly (not through the link) and log onto your account that way. You can do this on your phone as well, and most businesses optimise their websites for mobile browsers. If it’s your bank or mobile provider, they usually have dedicated apps for managing your account too.
As for the inconvenience of 2FA, if it’s a little inconvenient for you, just imagine how inconvenient it is for the crooks who don’t have your cell phone sitting downstairs on their couch. For now, 2FA is the most widely accepted method for adding security to your account logon process. Most of these require your phone either for a code or for a biometric input like your fingerprint.
As for storing your password in your browser, nothing in this world is truly secure. As far as password storage goes, saving it in your browser is better than a sticky note next to your computer, but not as good as a dedicated password manager like LastPass, 1Pass, etc. Browsers offer to save, but don’t often offer to generate passwords for you (I may be wrong here as I don’t use browser built-in password managers), whereas password managers can generate a strong, unique password for every site you access. And a unique password for every site you visit plus a second factor is as secure as it gets for the general population these days. I don’t foresee security experts coming up with a better solution that would be as widely adopted as TOTP 2FA any time soon.