The Rise of SMS Phishing

April 14, 2025

After what seems like a lifetime of technology exposure, I still become saddened but not surprised when I hear about someone falling victim to a phishing attack. Most medium to large businesses, if not all, have invested heavily in employee awareness training as a means to improve their cybersecurity posture. Unfortunately, most companies still fall victim to cybercrime because human beings remain the weakest point in an organization's security.

Many corporations have increased cybersecurity training and awareness, investing heavily in employee training over the past several years. However, even with massive training campaigns and billions of dollars spent on training and awareness, human beings and their behavior still prove to be the weakest link in a business's security.

Throughout December 2021, nearly 500 customers of OCBC Bank fell victim to a successfully executed SMS phishing attack. This attack caused a loss of $8.5 million for bank customers. The campaign started by sending spoofed text messages impersonating OCBC Bank, informing bank customers that "they must conduct an account security check immediately. Otherwise, the account will be locked. Please Browse." The SMS included a link after the words "Please Browse," suggesting that users click that link to perform the security check required to unlock their bank account.

After clicking the link, victims were directed to a spoofed bank website login page, where they unknowingly and inadvertently handed over the keys to their financial kingdom. The customers found out they had been scammed once they received notification of unauthorized transactions being charged to their accounts. The amounts stolen from each customer varied between $3,000 and $500,000. The loss the victims incurred is tragic, even more so given the magnitude and timing of the attack. Many families could not celebrate Christmas or see loved ones as a result. In addition, the local police investigating stated, "It's challenging and difficult" to recover the funds once they've been "fraudulently transferred out of the victim's bank account," which means many of the victims and their families will never see those funds again.

SMS phishing is not new, novel, or emerging, although it has not been as widely used as email phishing. Many bad actors will send a lower-level employee a text message from someone claiming to be their CEO. Criminals use social media sites like LinkedIn to gather information on a business and find their ideal victims within a target company. Criminals can find employee contact data through a myriad of data sources. If you've ever posted a resume online, some of your contact data is probably available publicly. Regardless of title or seniority, every employee is a target for these types of attacks.

Here is an example of a standard SMS phishing attack where a bad actor—aka cybercriminal—impersonates the company CEO to get a lower-level employee to buy gift cards:

Criminal – "Hi Claire, it's Susan Peppers." (Let's pretend Claire knows exactly who Susan Peppers is.)
Claire – "Hi Susan, what a surprise!"
Criminal – "Claire, I need your help with something significant. Are you able to help me?"
Claire – "Of course! Let me know what it is, and I'll make it happen for you, Susan!"
Criminal – "Perfect! I knew I could count on you, Claire!"
Criminal – "I'm already running late for an essential business dinner, and I forgot the gift cards I promised to donate."
Criminal – "So, I need you to go get me three gift cards ASAP so I can keep my word."
Claire – "Sure! I can do that. Should I use my corporate credit card?"
Criminal – "Of course, you can use your company card for this!"
Claire – "How much money do you want on each gift card?"
Criminal – "The gift cards need to be valued at $500 each."
Claire – "I'm so sorry, Susan, I'm not authorized for that much. Would one $500 card and two $100 cards work?"
Criminal – "This disappoints me, Claire, but I'm out of time already. So if that is the best you can do, then it will have to work."

Claire goes to the store and buys $700 in gift cards.
Claire – "Hi Susan, as you requested, here are the three gift cards…."

Claire proceeds to send the card information to the criminal and feels she has come to her CEO's rescue. Claire is sure she is earning herself some recognition and praise. Unfortunately for Claire, she only becomes aware of her misfortune after submitting her expense report. She is embarrassed, and she has allowed herself and her company to fall victim to cybercrime.

Other standard SMS phishing attacks:

  • IRS is trying to contact you
  • You've won something
  • Pending refunds
  • Verify your banking info
  • You've got a delivery
  • Verify your Apple/Google account info
  • Coinbase/crypto confirmation

SMS phishing has grown in popularity with cybercriminals over the last few years. However, email phishing remains the most common and most successful attack vector impacting businesses. Phishing attacks continue to rise for both email and SMS, even with improved spam filters, mock phishing campaigns, and employee training. Businesses continue to fall victim as a result of human error.

Soon, technology may have the ability to intervene, reducing if not preventing these types of attacks. For now and the foreseeable future, human beings will continue to be the weakest link in an organization's cybersecurity posture.

Sources:
At least S$8.5 million lost in December to phishing scams involving OCBC Bank (channelnewsasia.com)
8 Spam Text Message Examples (& How to Identify Them Quickly) (textedly.com)
KnowBe4's Top-Clicked Phishing Email Results for Q4 2021 Compare the U.S. and EMEA [INFOGRAPHIC]
